January 21, 2013, 12:58 PM —
Source: Nigel Marple / Reuters
Every reporter likes a good show and a colorful character to write about. That's why you should expect to see lots of ink spilled this week on the world's most famous and audacious Internet tycoon: Mr. Kim Dotcom.
Dotcom (nee Schmitz in West Germany) is a 6'7” 200 lb entrepreneur who has spent much of the last year battling the authorities in New Zealand, where he resides, as they try to extradite him to the U.S. following his arrest in January, 2012 on charges that his website, Megaupload, was a criminal haven with 180 million users that was responsible for $500 million worth of illegal downloads of copyrighted material. Dotcom has battled the charges relentlessly, and raised serious questions about the government's case for extradicting him to the U.S., illegal spying on Dotcom by New Zealand security forces and faulty warrants used for the raid on his property. The string of mishaps even got Dotcom a public apology from New Zealand Prime Minister John Key in September.
Now Dotcom has launched Mega, a cloud based hosting service that promises to encrypt stored to to protect customers from the prying eyes of governments. The new service, launched a year to the day after the raid on Dotcom's mansion in Auckland, New Zealand, was unveiled in a lavish ceremony that featured musical acts and even a re-enactment of the raid on his compound with helecopters and dancing girls in military style dress. The site posted impressive numbers: 1 million new users on its first day. And Dotcom - who is still fighting his extradition - is talking up his site with the media. Mega, he says, is both lawyer-proof and hacker proof, sidestepping legal prohibitions on copyright abuse and using entirely new extensions for HTML 5 that aren't even supported by web browsers outside of Google's Chrome. Of course, challenging lawyers to sue you and hackers to hack you - in the same breath, no less - might not be considered a smart business decision. But Dotcom clearly feels like Mega is ready for the test. The days and weeks ahead will tell us if he's right - or not. Stay tuned.
When stuff attacks
One of the big trends in 2013 will be security stories that stem from non-traditional computing devices. After all: as The Internet of Things replaces the Internet of Machines, security concerns aren't limited to your laptop, desktop or server. They affect your phone, your automobile, home appliances - maybe even your clothes, eventually.
The latest news on this front came last week as security researchers at the S4 Conference in Miami revealed that X-Ray equipment manufactured by Philips was found to run software that contained serious and remotely exploitable security holes. Then, this week, there's word that photo enthusiasts should be on alert, after software shipped with a copy of a computer virus. The firm Hama warned customers that a 35mm photographic film scanner sold to German consumers over Christmas came with a software disk infected with the Conficker worm.
Finally, the ongoing saga of Oracle's effort to plug critical and remotely exploitable holes in the ubiquitous Java technology will continue to demand headlines in the next week. This, after security researchers verified that the latest Java patch, Standard Edition 7 Update 11, leaves a critical and remotely exploitable hole unpatched. Those vulnerabilities have been widely used to compromise vulnerable systems running Java and install malicious software, including banking trojans.
According to the Polish firm Security Explorations, hackers with knowledge of the unpatched hole could still bypass the browser's code execution sandbox on systems running the latest verison of Java: Java SE 7 Update 11 and run malicious code. The polish firm Security Explorations, which first reported the holes to Oracle, said it has found more holes in the latest release, which it is analyzing and will report to Oracle.
Crime and Punishment
The case against technology wunderkind Aaron Swartz has put the spotlight on the U.S.'s Computer Fraud and Abuse Act. Another case this week - this time in Canada - may keep the discussion alive about whether and how to prosecute high minded hackers.
Swartz fell afoul of authorities after he broke into MIT's network and downloaded millions of pages of copyrighted content from JSTOR, a database of scholarly articles. His goal was to liberate the articles, making them available for free over the Internet. Aggressively pursued by the U.S. Attorney in Massachusetts, Carmen Ortiz, Swartz tragically took his own life. That, in turn, led to an outpouring of grief and anger from legal and technology luminaries, who said that Ortiz's hardball tactics lacked proportionality, while MIT failed to live up to its own ideals by hanging Swartz out to dry. The pressure of the case pushed the fragile Swartz over the edge. But the U.S. isn't the only place where the legal profession and academia collide. According to a report in the National Post, a 20 year-old student has been expelled from Montreal's Dawson College after discovering and publicizing a critical vulnerability in the computer system used by many “General and Vocational Colleges” (or CEGEPs) in the province of Quebec.
Ahmed Al-Khabaz, a computer science student at Dawson discovered the flaw in the Omnivox software by the firm Skytech. The flaw would allow “anyone with a basic knowledge of computers to gain access to the personal information of any student in the system,” Al-Khabaz told a reporter. But, after disclosing the hole to the university and to Skytech, Al-Khabaz found himself threatened with legal action by Skytech and in a disciplinary hearing with the Dean administration which, he said, seemed interested in covering up the incident. Al-Khabaz was summarily expelled from his computer science program. The case highlights the still grey legal area that surrounds both acts of cyber civil disobedience (Swartz) and straight-up vulnerability research - topics that are bound to get more attention in the year ahead.