Geist on CRTC hearings: Canadian content, Internet regulation, and ISPs
We're perilously close to a regulated Internet here in Canada. In my opinion, this would be nothing short of disastrous.
As always, Michael Geist has excellent coverage of this and of any legal and regulatory matters concerning the Internet, privacy, and copyright.
PDF readers in the crosshairs: Adobe and Foxit
Attacking client software for ubiquitous file types is nothing new. Web browsers have long been a ripe attack target. Plugins such as NoScript for Firefox help manage the risk from malicious JavaScript, and NoScript in particular tends to be touted as the must-have security measure for any Firefox user. I stopped counting the number of exploits that could be easily defeated by having NoScript installed with a sensible default blocking policy.
Intersection speed cameras: Calgary's "Speed on Green" initiative
I know at least one person in information security who hates it when people use a car analogy to explain an IT or security issue. Sometimes those analogies can actually be pretty apt, but they are a bit overused.
Interestingly, the city of Calgary's "Speed on Green" initiative presents an opportunity to use an information security analogy to describe something about cars. You see, Calgary has essentially deployed an IDS at several intersections around the city. The initial deployment is arguably a tuning phase designed to test the system and issue warnings rather than drive mitigation or response activities or declare an incident. Hopefully it is also an opportunity to discover how prone the system is to false positives. Starting in April, the system will begin to drive response in the form of automatic speeding tickets for people caught (by camera) speeding through yellow and green lights.
SANS ISC, TrustedSource.org confirm MS09-002 exploit in the wild
MS09-002 exploit in the wild, (Tue, Feb 17th) - Several AV vendors reported about MS09-002 exploits in the wild. We can confirm this the exp ...(more)... [SANS Internet Storm Center]
TrustedSource.org has some details as well.
Well, that didn't take long.
Hosting provider having a bad day
Dreamhost has been having a really bad day.
As a result, Security :: Cluebat has been having a really bad day. The intermittent errors the site has coughed up suggesting that a page could not be found were, in fact, erroneous. I suspect that access to the backend database was timing out due to network issues, potentially the same issues that have made this and other sites painfully slow at times (if not all times).
Things seem to be working now; however, I don't think we're out of the woods yet.
Verisign, MD5, and risk to end-user trust
Tim Callan: MD5 Hack Interesting, But Not Threatening - A few days ago at the Chaos Communication Congress in Berlin, researchers presented a paper in which they had used an MD5 collision attack and substantial computing firepower to create a false SSL certificate using the RapidSSL brand of SSL certificate. In the intervening time we have seen a great deal of confusion and misinformation in the press and blogosphere about the specifics of this attack and what it means to the online ecosystem. [SecurityFocus - News]
So long and thanks for all the collisions, MD5
It is a bad time of the year for the "next bad thing" to be announced, but it happened anyway at the Chaos Communication Congress in Berlin today. Danke schön.
We have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.
RIAA abandoning lawsuits for notice and notice
The Canadian equivalent of the RIAA, CRIA, hasn't been able to go down the road of extortion lawsuits against the account holders of P2P-using Internet access accounts. They tried back in 2004, a case I am intimately familiar with as one of the techies behind the scenes who helped prepare an ISP's argument against CRIA's submission.
Lockheed Martin is making killer robots for the real world
Killing Robot Being Tested by Lockheed Martin - Wow: The frightening, but fascinatingly cool hovering robot - MKV (Multiple Kill Vehicle), is designed to shoot down enemy ballistic missiles. A video released by the Missile Defense Agency (MDA) shows the MKV being tested at the National Hover Test Facility at Edwards Air Force Base, in California. Inside a large steel cage, Lockheed's MKV lifts off the ground, moves...
[Schneier on Security]
Think before you click: Firefox extension attacks
Firefox extension used as password stealer?, (Fri, Dec 12th) - A reader sent us a suspicious e-mail, which included a link to an .xpi file (a Firefox extension) as ...(more)... [SANS Internet Storm Center]
Gee, you mean Firefox isn't immune to attack?!
My whole world view has been shattered. Heh.