illegal downloads and French law

from today's Público:

Do illegal downloads deserve having Internet access cut off?
27.04.2009 - 08h49 Isabel Gorjão Santos

"The debate over illegal downloads is as old as the Internet, at least since there has been enough bandwidth to carry music and films. But no proposal had gone as far as the one to be discussed on Wednesday in the French Parliament. It proposes that, after two warnings, Internet users who download music without paying be barred from accessing the Internet. Between its staunch supporters and those who deplore the law, everyone is trying to answer the question: is there or is there not a violation of freedom of expression?

The Création et Internet law has already been rejected, but only by 21 votes to 15. Abstentions were massive, since the French Parliament has 577 deputies. Yet, despite that rejection, it will be debated again on Wednesday. It is backed by President Nicolas Sarkozy and is also known as the Hadopi law, the French acronym for the High Authority for the Dissemination of Works and the Protection of Rights on the Internet - the body that, if the law is approved, will be responsible for applying sanctions.

That is, in fact, one of the most controversial aspects of the law: leaving the decision to bar a citizen from the Internet in the hands of a non-judicial body. But the main argument of those who contest the proposal is that it may restrict fundamental rights such as freedom of expression and access to information."

full article

XSS on Twitter

Twitter was hit by a series of interesting cross-site scripting (XSS) attacks:

Twitter hit by multiple variants of XSS worm
Source: Zero Day

American power grid penetrated by spies

A peculiar aspect of research on critical infrastructure protection is the scepticism of many about the possibility of these infrastructures being attacked through computer means with devastating effects. An article appeared today on the front page of the Wall Street Journal that I think is capable of convincing the more sceptical (or the very sceptical; the most sceptical only when they are left without light or water for a while). An excerpt:

Electricity Grid in U.S. Penetrated By Spies
By SIOBHAN GORMAN

WASHINGTON -- Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

"The Chinese have attempted to map our infrastructure, such as the electrical grid," said a senior intelligence official. "So have the Russians."

The espionage appeared pervasive across the U.S. and doesn't target a particular company or region, said a former Department of Homeland Security official. "There are intrusions, and they are growing," the former official said, referring to electrical systems. "There were a lot last year."

Many of the intrusions were detected not by the companies in charge of the infrastructure but by U.S. intelligence agencies, officials said. Intelligence officials worry about cyber attackers taking control of electrical facilities, a nuclear power plant or financial networks via the Internet.

Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, "If we go to war with them, they will try to turn them on."

Officials said water, sewage and other infrastructure systems also were at risk.

"Over the past several years, we have seen cyberattacks against critical infrastructures abroad, and many of our own infrastructures are as vulnerable as their foreign counterparts," Director of National Intelligence Dennis Blair recently told lawmakers. "A number of nations, including Russia and China, can disrupt elements of the U.S. information infrastructure."


The online version of the WSJ also includes a link to a very interesting letter:
"The North American Electric Reliability Corporation on Tuesday warned its members that not all of them appear to be adhering to cybersecurity requirements."
http://online.wsj.com/public/resources/documents/CIP-002-Identification-Letter-040609.pdf

An excerpt:

Most of us who have spent any amount of time in the industry understand that the bulk power system is designed and operated in such a way to withstand the most severe single contingency, and in some cases multiple contingencies, without incurring significant loss of customer load or risking system instability. This engineering construct works extremely well in the operation and planning of the system to deal with expected and random unexpected events. It also works, although to a lesser extent, in a physical security world. In this traditional paradigm, fewer assets may be considered “critical” to the reliability of the bulk electric system.

But as we consider cyber security, a host of new considerations arise. Rather than considering the unexpected failure of a digital protection and control device within a substation, for example, system planners and operators will need to consider the potential for the simultaneous manipulation of all devices in the substation or, worse yet, across multiple substations. I have intentionally used the word “manipulate” here, as it is very important to consider the misuse, not just loss or denial, of a cyber asset and the resulting consequences, to accurately identify CAs under this new “cyber security” paradigm. A number of system disturbances, including those referenced in NERC’s March 30 advisory on protection system single points of failure, have resulted from similar, non-cyber-related events in the past five years, clearly showing that this type of failure can significantly “affect the reliability (and) operability of the bulk electric system,” sometimes over wide geographic areas.

Taking this one step further, we, as an industry, must also consider the effect that the loss of that substation, or an attack resulting in the concurrent loss of multiple facilities, or its malicious operation, could have on the generation connected to it.

(with thanks to Luis Marques)

bye bye privacy

For now it is only the British who are saying bye bye to the privacy of the headers (sender address, recipient address, time, etc.) of the emails they send and receive. The UK Government is already talking about storing the entire content of emails too ... and here in Portugal there is a habit of imitating these wise decisions, even if only to cite the Plano Tecnológico for the thousandth time, or to justify buying a multi-million IT infrastructure.

The whole story at:
http://news.zdnet.co.uk/security/0,1000000189,39629479,00.htm