Article 43

 

Tuesday, April 22, 2008

US-Columbia Free Trade Agreement

nafta.gif

United States-Colombia Trade Promotion Agreement Implementation Act

HR 5724
April 8, 2008

THIS LEGISLATION ratifies a trade deal negotiated by the United States and Colombia. 

The agreement is MODELED on the 1994 NORTH AMERICAN FREE TRADE AGREEMENT (NAFTA) and the 2005 CENTRAL AMERICAN FREE TRADE AGREEMENT (CAFTA) and, like those agreements, removes most export tariffs between the signatory nations while providing new rights for investors and increasing protection for pharmaceutical patents and other intellectual property.

Increased international trade can contribute to economic growth, but the way trade rules are formulated in agreements like this means that the benefits of trade are distributed unevenly, ultimately undermining the middle class and aspiring middle class in both the U.S. and the nations it trades with. The trade deal with Colombia is particularly troubling because of Colombias abysmal record on human and labor rights: not only is Colombian labor law inadequate and poorly enforced, but workers who try to organize unions or call for higher wages regularly face violent reprisals and even murder.

According to the AFL-CIO, 39 Colombian trade unionists were killed in 2007, and another 12 were murdered in the first weeks of 2008. Most killers are never brought to justice. In effect, this pact would increase opportunities to outsource U.S. jobs to a nation where wages are kept low because working people literally fear for their lives if they stand up for their internationally-recognized rights on the job.

Trade deals may at the top of corporate America’s agenda, but at a time when Americas soaring trade deficit contributes to the nation’s economic weakness, another trade deal is far from the agenda of the American MIDDLE CLASS.

SOURCE

Posted by Elvis on 04/22/08 •
Section Dying America
View (0) comment(s) or add a new one
Printable viewLink to this article
Home

Net Transparency Hearings

Save

FCC Hearings at Stanford: Towards a Consensus on ISP Transparency?

By Peter Eckersley
Electronic Frontier Foundation
April 18, 2008

Yesterday, the FCC held a SECOND HEARING in its investigation of Comcast’s use of FORGED RST PACKETS to interfere with BitTorrent and other P2P applications. Free Press has a page LINKING to written testimony, statements, and audio and video recordings from the Stanford hearing.

At the previous hearing at Harvard Law School, Comcast attracted criticism for FILLING THE AUDITORIUM WITH PAID ATTENDEES. This time around, the telcos declined to participate at all. They sent proxies in their place: a conservative think tank called the Phoenix Center, freelance tech pundit George Ou, and one ISP: Lariat.net of Wyoming. It’s a pity that ISPs aren’t willing to participate in public debate about their own practices.

EFF HAS ARGUED that the FCC should use its position of leadership to clarify that ISPs should, at the very least, provide adequate disclosure of any discriminatory network management practices that they deploy (we are also trying to get similar information by promoting independent testing of ISP networks with our TEST YOUR ISP project). This kind of transparency is essential for a properly functioning marketplace: the public must be able to know when their software doesn’t work because it’s buggy, and when it doesn’t work because of interference by an ISP. Without this information, users don’t know which tech support line to raise hell with, whether they need to switch to new software, or whether they need to switch to a new ISP.

Transparency and responsiveness is also essential for application developers to understand the way that their applications will have to fit into ISPs’ networks.

We were very pleased to see that requirements for disclosure and transparency seemed to command a near-consensus amongst the Commissioners and those testifying. The devil will be in the details, of course: will disclosures be informative enough for programmers to work with and for consumers to make good decisions?

One prevailing point of confusion in the discussion was the relationship between the lack of information about network traffic in general (eg, how much of Internet traffic is P2P? What kind of P2P?), the lack of information about Comcast’s discriminatory network management practices (what percentage of BitTorrent seeds has Comcast been reseting? How has that varied at different times, and in different locations across the country?), and the lack of information about discrimination by other ISPs (Cox Communications, for instance, discloses that it uses “traffic prioritization” and “protocol filtering”, but we don’t know if its techniques are precisely the same as Comcast’s, or whether it is planning to phase them out). These are all separate known unknowns and we know the FCC should look in different places if it wants to resolve them.

Another interesting question raised by Commissioner Tate was how an FCC disclosure obligation or principle would fit together with new software tools to test ISPs. We think the answer is that both are required: disclosures by ISPs and independent tests by the public are complimentary; neither of them will tell us everything we’d like to know about the network, and each of them will act as a cross-check for the other.

In the mean time, the threat of intervention by the FCC has caused Comcast to eat a great deal of humble pie. They’re promising to work with BitTorrent Inc we hope they’ll also work with the wider Internet community - to find less discriminatory ways to manage their network.

In closing, we doubt that RST forgery will be the last “network management” practice to spark consternation and controversy. But we hope that in future, it won’t take the best part of a year of wrangling and an FCC proceeding before transparency and common sense start to prevail.

SOURCE

Posted by Elvis on 04/22/08 •
Section Privacy And Rights • Section Broadband Privacy
View (0) comment(s) or add a new one
Printable viewLink to this article
Home

DNS Abuse Just Got Worse

Save

ISPs like EMBARQ and their SANDVINE BASED solution using Sandvine’s DNS REDIRECTION SERVICE to make a buck, is putting us all in jeopardy.

---

ISPs’ Error Page Ads Let Hackers Hijack Entire Web, Researcher Discloses

By Ryan Singel
Wired
April 19, 2008

Seeking to make money from mistyped website names, some of the United States’ largest ISPs instead created a massive SECURITY HOLE that allowed hackers to use web addresses owned by eBay, PayPal, Google and Yahoo, and virtually any other large site.

The vulnerability was a dream scenario for phishers and cyber attackers looking for convincing platforms to distribute fake websites or malicious code.

The hole was quickly and quietly patched Friday after IOACTIVE security researcher Dan Kaminsky reported the issue to Earthlink and its technology partner, a British ad company called BAREFRUIT

Earthlink users, and some Comcast subscribers, were at risk.

Kaminsky warns that the UNDERLYING DANGER LINGERS ON.

“The entire security of the internet is now dependent on some random-ass server run by some British company,” [or SANDVINE - ed.] Kaminsky said.

At issue is a growing trend in which ISPs subvert the Domain Name System, or DNS, which translates website names into numeric addresses.

When users visit a website like Wired.com, the DNS system maps the domain name into an IP address such as 72.246.49.48. But if a particular site does not exist, the DNS server tells the browser that there’s no such listing and a simple error message should be displayed.

But starting in August 2006, Earthlink instead intercepts that Non-Existent Domain (NXDOMAIN) response and sends the IP address of ad-partner Barefruit’s server as the answer. When the browser visits that page, the user sees a list of suggestions for what site the user might have actually wanted, along with a search box and Yahoo ads.

The rub comes when a user is asking for a nonexistent subdomain of a real website, such as webmale.google.com where the subdomain webmale doesn’t exist (unlike, say, mail in mail.google.com). In this case, the Earthlink/Barefruit ads appear in the browser, while the title bar suggests that it’s the official Google site.

As a result, all those subdomains are only as secure as Barefruit’s servers, which turned out to be not very secure at all. Barefruit neglected basic web programming techniques, making its servers vulnerable to a malicious Javascriptattack.  That meant hackers could have crafted special links to unused subdomains of legitimate websites that, when visited, would serve any content the attacker wanted.

The hacker could, for example, send spam e-mails to Earthlink subscribers with a link to a webpage on money.paypal.com. Visiting that link would take the victim to the hacker’s site, and it would look as though they were on a real PayPal page.

Kaminsky demonstrated the vulnerability by finding a way to insert a YouTube video from 80s pop star Rick Astley into Facebook and PayPal domains. But a black hat hacker could instead embed a password-stealing Trojan. The attack might also allow hackers to pretend to be a logged-in user, or to send e-mails and add friends to a Facebook account.

Earthlink isn’t alone in substituting ad pages for error messages, according to Kaminsky, who has seen similar behavior from other major ISPs including Verizon, Time Warner, Comcast and Qwest. Earlier this month, Network Solutions, one of the net’s largest domain name registrars, was caught creating link farms on nonexistent subdomains of websites owned by its own customers.

DNS expert Paul Vixie, who is the president of the nonprofit Internet Systems Consortium, says the problem Kaminisky found isn’t with the core internet protocols, which he could fix, but instead is a “problem EXACERBATED BY INAPPROPRIATE MONETIZATION OF CERTAIN DNS FEATURES.”

Vixie compared this ISP behavior to VERISIGN’S 2003 SITEFINDER project, which it unilaterally launched in September 2003 and then SHUT DOWN a month later.

In that case, VeriSign, which controls the sales of .com and .net top-level domains through a contract with the U.S. government, began directing users who mistyped domains names to its own servers, where it presented paid search results.

The move outraged the technical community and eventually led to an ICANN COMMISSION REPORT (.pdf) condemning the practice and an unsuccessful VeriSign lawsuit against ICANN.

“Sitefinder showed that [Non-Existent] domain re-mapping is bad for the community,” Vixie said. “This would be an example of why it is bad.”

While Barefruit fixed the immediate Javascripthole, the underlying problem—that large ISPs are ignoring a core internet practice to make money and pretending to be sites that don’t exist—means every site on the net remains vulnerable in ways they have no control over, according to Kaminsky.

Kaminsky said he’d talked this week to many internet companies who were pissed, though not at him.

“I can’t secure the web as long as ISPs are injecting other content into web pages,” he said.

The hole shows the risks of allowing ISPs to violate NET NEUTRALITY principles that seek to keep the internet a series of dumb pipes, according to Kaminsky.

“We offer DNS error functionality for our customers through Barefruit to enhance our users’ experience, and we work closely with Barefruit to provide a safe and convenient way for them to find the destination they’re looking for online,” Earthlink spokesman Chris Marshall said via e-mail. “We believe that the service provides a positive experience for our Internet users.”

Barefruit echoes the sentiment.

“Barefruit endeavors to ensure online security while providing an improved internet user interface by replacing unhelpful and confusing error messages with alternatives relevant to what the user was seeking,” Barefruit’s Dave Roberts said via e-mail.

For Vixie, however, the issue is simple.

“I really feel if someone goes to a website that does not exist, they ought to see an error message,” Vixie said.

Earthlink customers who do not wish to use the service can instead use different Earthlink DNS servers. Anyone can also use OpenDNS, a start-up that also provides ad pages on domains that don’t resolve, but does so without pretending to be the other site.

The news of the massive security breach by compromising net nuetrality for profit comes just two days after the Federal Communication Commission held a HAND-WRINGING PUBLIC FORUM at Stanford University over whether it should punish Comcast for its violation of standard internet practices. The broadband provider was caught sending fake packets to its users in order to reduce the bandwidth consumed by peer-to-peer applications.

Kaminsky is demoing the hole publicly on Saturday at the TOORCON SECURITY CONFERENCE in Seattle.

Kaminsky, a well-respected security expert, is perhaps best known for cleverly proving that a spyware rootkit Sony included on music CDs infected computers in more than half a million computer networks in 2005.

“There’s no contractual obligation for ISPs not to change content and inject ads,” Kaminsky notes.

For its part, Earthlink says the Barefruit ad pages are useful to users.

SOURCE

---

Money-Hungry ISPs Sacrifice Customer Safety To Make A Buck

By Joel Hruska
ARS Technica
April 21, 2008

ISP’s have long sought to monetize their consumer’s “Internet experience"there’s a reason why Bellsouth/AT&T will offer to set your homepage to http://www.bellsouth.net when you install the company’s software instead of, say, CNN - but certain internet service providers have apparently gone too far in their search for additional revenue streams. ACCORDING TO DAN KAMINSKY and Jason Larsen and as REPORTED by the Washington Post, certain ISPs have turned the responsibility of ad streaming over to a third-party vendor, Barefruit, who managed to bungle the job.

A number of ISP’s have adopted the now-common practice of injecting ads into the browser when a user reaches a page that doesn’t exist. One of the trends Kaminsky and Larsen identified, however, is that this practice has been extended to the subdomain level. For example, http://www.gamingwebsite.com might be a valid URL (it isn’t in real life), but http://games.gamingwebsite.com could be an an unassigned sub-domain that the ISP has converted into an advertising platform without the knowledge of the site owner.

The ads, moreover, aren’t always being handled by the ISP itself. Qwest, Verizon, and Earthlink have all contracted with a company named Barefruit to handle their advertising interests. This, in and of itself, has caused some problems. While investigating the subdomain advertising issue, Kaminsky and Larsen discovered that Barefruit’s ads were vulnerable to cross-scripting exploits that allowed the two men to force the ads to load content from other locations. In this case, clicking a link at http://games.gamingwebsite.com might take you to a legitimate web sitebut with a bug attached. Once activated, a cross-scripting exploit can accomplish a wide range of tasks, and might be used to display different ads on a web site, sniff cookies off the system, or download other spyware/malware.

This, surprisingly, is not the major issue. The Kaminsky-Larsen team may not have been thrilled to discover a vulnerability in Barefruit’s advertising service, but they commended the company for fixing the problem in less than half an hour after being made aware of it. The greater problem with this type of advertising contract is that the ISP in question has effectively turned the security of its customers over to a third party. In this case, a vulnerability in Barefruit’s ad-serving system had placed customers of Earthlink, Qwest, and Verizon in danger of being compromised, and neither the ISPs nor their customers were aware of it.

This isn’t the first time we’ve seen evidence of site-altering behavior. A collaborative STUDY between the University of Washington and the International Computer Science Institute found that approximately 1.3 percent of the data flowing across the ‘Net at any given time is altered in-flight between its source and its destination. Many of these alterations are not malicious, but ad injection is one factor responsible for changes that occurred as the requested information flowed down the Internet tubes.

The best way to avoid these problems is to handle such online advertising in-house. If that’s not an option, ISPs should, at a minimum, create better lines of communication between themselves and their advertising companies. Malware authors have already done a fine job seeding the Internet with traps set to snare the unwary; the last thing consumers need is to have their online security further jeopardized by a company that’s supposedly one of the good guys.

SOURCE

DNS INVENTOR WARNS OF NEXT BIG THREAT
EMBARQ’S DNS ABUSE

READ MORE...
Posted by Elvis on 04/22/08 •
Section Privacy And Rights • Section Broadband Privacy
View (0) comment(s) or add a new one
Printable viewLink to this article
Home
Page 1 of 1 pages

Statistics

Total page hits 9707280
Page rendered in 1.1366 seconds
40 queries executed
Debug mode is off
Total Entries: 3222
Total Comments: 337
Most Recent Entry: 05/04/2020 08:41 am
Most Recent Comment on: 01/02/2016 09:13 pm
Total Logged in members: 0
Total guests: 15
Total anonymous users: 0
The most visitors ever was 172 on 12/25/2019 07:40 am


Email Us

Home

Members:
Login | Register
Resumes | Members

In memory of the layed off workers of AT&T

Today's Diversion

Change is inevitable, except from vending machines. - anonymous

Search


Advanced Search

Sections

Calendar

April 2008
S M T W T F S
   1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30      

Must Read

Most recent entries

RSS Feeds

Today's News

ARS Technica

External Links

Elvis Picks

BLS Pages

Favorites

All Posts

Archives

RSS


Creative Commons License


Support Bloggers' Rights