Supreme Court Ruling Will Chill Technology Innovation

From the EFF:

Copyright Liability Standard in Grokster Decision Endangers P2P and Other New Technologies

Washington, DC – Today the Supreme Court issued a ruling
that could impede makers of all kinds of technologies with expensive
lawsuits. The long-awaited decision in MGM v. Grokster states that P2P
software manufacturers can be held liable for the infringing activities
of people who use their software. This decision relies on a new theory
of copyright liability that measures whether manufacturers created
their wares with the “intent” of inducing consumers to infringe. It
means that inventors and entrepreneurs will not only bear the costs of
bringing new products to market, but also the costs of lawsuits if
consumers start using their products for illegal purposes.

“Today the Supreme Court has unleashed a new era of legal
uncertainty on America's innovators,” said Fred von Lohmann, EFF's
senior intellectual property attorney. “The newly announced inducement
theory of copyright liability will fuel a new generation of
entertainment industry lawsuits against technology companies. Perhaps
more important, the threat of legal costs may lead technology companies
to modify their products to please Hollywood instead of consumers.”

The Supreme Court has also ordered the lower court to consider
whether peer-to-peer companies Grokster and StreamCast can be held
liable under the new standard. StreamCast is confident that it will
pass muster under the new, multi-pronged test.

MGM v. Grokster was
brought by 28 of the world's largest entertainment companies against
the makers of the Morpheus, Grokster, and KaZaA filesharing software
products in 2001. The entertainment companies hoped to obtain a legal
precedent that would hold all technology makers responsible for the
infringements committed by the users of their products. The Electronic
Frontier Foundation (EFF), along with StreamCast counsel Matt Neco and
Charles Baker of Porter and Hedges, defended StreamCast Networks, the
company behind the Morpheus filesharing software.

The entertainment companies lost their case in District Court, then
lost again on appeal to the Ninth Circuit Court of Appeals. The lower
court rulings were based on the Supreme Court's landmark decision in
the 1984 Sony Betamax case, which determined that Sony was not liable
for copyright violations by users of the Betamax VCR.

» PDF of the Supreme Court decision
» Press Release: Supreme Court Ruling Will Chill Technology Innovation
» Audio from today's press conference coming soon
» Statement from Public Knowledge about Grokster Decision

Banks: Beware of your own staff

Employees have overtaken hackers as the greatest threat to the world's largest financial institutions, a new survey says.

The study, conducted by Deloitte Touche Tohmatsu in its 2005 Global
Security Survey, blames the rise in attacks on human weakness.

More than a third (35 per cent) of the financial services industry
surveyed confirmed encountering attacks from inside their organization
within the past year, an increase of 14 per cent over the previous
year. Attacks from external sources came in at 26 per cent, up from 23
per cent the year before.

Read the full article at Global Security.

The Administrator Accounts Security Planning Guide

Because of their inherent permissions and power, the
administrator accounts on computers that run the Microsoft® Windows
Server™ 2003 operating system are both the most useful and potentially
the most dangerous accounts on your computer. Any other accounts to
which you grant the equivalent of administrator privileges present the
same high risks.

This guide will be an
indispensable resource when you plan strategies to secure
administrator-level accounts in Microsoft Windows NT®–based operating
systems such as Windows Server 2003 and Windows® XP. It addresses the
problem of intruders who acquire administrator account credentials and
then use them to compromise the network. The main goal of this guide is
to provide prescriptive guidance in terms of the steps you can take to
secure your local and domain-based administrator-level accounts and
groups. This guidance is based on Microsoft Security Center of
Excellence (SCoE) experience in customer environments and represents
Microsoft best practices.

Microsoft's 10 Immutable Laws of Security

Here at the Microsoft Security Response Center, we
investigate thousands of security reports every year. In some cases, we
find that a report describes a bona fide security vulnerability
resulting from a flaw in one of our products; when this happens, we
develop a patch as quickly as possible to correct the error. (See “A
Tour of the Microsoft Security Response Center”). In other cases, the
reported problems simply result from a mistake someone made in using
the product. But many fall in between. They discuss real security
problems, but the problems don't result from product flaws. Over the
years, we've developed a list of issues like these, that we call the 10
Immutable Laws of Security.

Don't hold your
breath waiting for a patch that will protect you from the issues we'll
discuss below. It isn't possible for Microsoft—or any software
vendor—to “fix” them, because they result from the way computers work.
But don't abandon all hope yet—sound judgment is the key to protecting
yourself against these issues, and if you keep them in mind, you can
significantly improve the security of your systems.

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
Law #5: Weak passwords trump strong security
Law #6: A computer is only as secure as the administrator is trustworthy
Law #7: Encrypted data is only as secure as the decryption key
Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
Law #9: Absolute anonymity isn't practical, in real life or on the Web
Law #10: Technology is not a panacea

Are you PCI Compliant?

Only a few days left until the PCI Data Security Compliance deadline! By June 30th of this year, you
must have your first network scan completed. The Payment Card Industry (PCI),
including MasterCard, Visa, Discover, American Express, JCB, and Diner’s
Card, requires merchants and service providers to protect cardholder information
by adhering to a set of security standards. The PCI security standard includes
MasterCard's Site Data Protection (SDP) program and Visa's Cardholder
Information Security Program (CISP).

Who is required to meet PCI standards?

  • Merchants processing over $125,000 in credit card transactions per month or more than 20,000 credit card
    transactions per year.

What do I need to do to meet PCI standards?

  • If you have more than 6 million credit card transactions per year, or have suffered a hack or an attack that
    resulted in an account data compromise, you must complete an on-site security
    audit annually and complete and pass quarterly network scans.
  • All other merchants, with between 20,000 and 6 million transactions per year, must complete and pass quarterly
    network scans and complete a network security self-assessment.

What network scanner can I use?

  • Only those approved by PCI. The Qualys Security Scanner is not only on that list, but is MasterCard’s
    preferred network scanner.

What do I have to do to “Pass” a network scan?

  • You must not have any vulnerabilities that are classified as Level 3, 4, or 5. The difference between
    Qualys and other network scanners is that Qualys gives you step-by-step
    instructions on how to fix the problems; other scanners force you to do this research yourself. Qualys provides
    instant Pass/Fail results in a format ready to be sent to the various credit
    card companies.

What must be scanned?

  • All external-facing IP addresses, any website that you host at a 3rd-party hosting company
    (including shared virtual hosts), and all wireless access points.

What can I do to meet PCI standards?

  • If you are a Qualys subscriber, you just need a small upgrade to enable your account for PCI
    scanning. Call Microtek today to meet the June 30th deadline!
  • If not, call Microtek today to set up your first Qualys scan. You can buy one scan to see
    the power of Qualys (and meet the June 30th deadline), or you can buy
    a subscription, which allows you to scan as often as you would like. Free demo
    scans are also available.

Can I just ignore this and it will go away?

  • According to Visa, “If a merchant or service provider does not comply with the security requirements or
    fails to rectify a security issue, Visa may:

    • Fine the acquiring member
    • Impose restrictions on the merchant or its agent, or
    • Permanently prohibit the merchant or its agent from participating in Visa programs

    Members receive protection from fines for merchants or service providers that have been compromised but found to
    be CISP-compliant at the time of the security breach. Members are subject to
    fines, up to $500,000 per incident, for any merchant or service provider that is
    compromised and not CISP-compliant at the time of the incident.”