Category Archives: Security

NIST Reorg and the Cloud

President Obama has just signed the America COMPETES Reauthorization Act of 2010 (H.R. 5116). It funds and reorganizes NIST and orders it to collaborate with industry on standards. I noticed a directive related to cloud security in Section 524, Cloud Computing Research Enhancement:

(b) Establishment-

(1) IN GENERAL- Not later than 60 days after the date of enactment of this Act, the Director shall initiate a review and assessment of cloud computing research opportunities and challenges, including research areas listed in subsection (a), as well as related issues such as--

(A) the management and assurance of data that are the subject of Federal laws and regulations in cloud computing environments, which laws and regulations exist on the date of enactment of this Act;

(B) misappropriation of cloud services, piracy through cloud technologies, and other threats to the integrity of cloud services;

(C) areas of advanced technology needed to enable trusted communications, processing, and storage; and

(D) other areas of focus determined appropriate by the Director.

PlayStation 3 Hacked

The fail0verflow team (formerly Team Twiizers) announced at the 27th Chaos Communication Congress (27C3) in Berlin that they had hacked the PS3 and recovered Sony's private signing key. Now any game or software can be signed with the recovered key, and the PS3 will run it as if Sony had signed it.

They first broke the loader's chain of trust. The length passed to this memcpy is read out of the very buffer being copied, an untrusted shared buffer, so a crafted buffer controls how many bytes are written into isolated memory:

memcpy(rvk_isolated, rvk_shared, *((int*)(rvk_shared + 0x1c)));

Then they found a flaw in Sony's signing software, satirized in the presentation with an xkcd comic: ECDSA requires a fresh, unpredictable nonce for every signature, but Sony used the same constant every time. Two signatures made with the same nonce are enough to solve for the private key.

int getRandomNumber()
{
    return 4;   // chosen by fair dice roll
                // guaranteed to be random
}

California Outlaws Online Impersonation

I wrote about SB 1411 last summer and wondered whether the Governor would sign it into law. He did, and it went into effect on January 1st, 2011.

Malicious digital impersonation is now a misdemeanor with fines up to $1000 and a year in jail.

I now wonder whether this law will be used to prosecute cases like Michael Largent's. In 2008 he opened 58,000 brokerage accounts under fake identities, ran afoul of the USA PATRIOT Act identity verification requirement for financial firms, and was charged with computer fraud, wire fraud and mail fraud. He impersonated cartoon characters rather than real people, so presumably the new law would not apply, although I am certain he could still be accused of malicious digital impersonation (pretending to be Daffy Duck for financial gain).

LARGENT used false names, addresses, driver’s license numbers, and social security numbers, including the names of known cartoon and comic book characters to open the accounts. When the deposits occurred, he would transfer the funds into his own bank accounts or onto prepaid debit cards, without the authorization or knowledge of his victims. As a result, LARGENT fraudulently obtained or attempted to obtain tens of thousands of dollars, which he used for personal expenses.

SB 1411, according to the bill’s author, seems to be targeted only at stopping harassment and defamation.

FBI on the trail of Anonymous

I explained last month in LOIC Exposes Attackers that Anonymous' attack tool of choice was not anonymous at all: it does not hide the attackers' IP addresses.
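What a target's web server sees when an unproxied LOIC client hits it, as an added example that is not from the original post, the affidavit or the LOIC project: a small detector that parses combined-format access logs, counts each source address's requests in a sliding window, and flags the addresses whose rate no browser driven by a human would produce. The log lines are constructed for the demonstration (documentation address ranges, not the PayPal logs), and the threshold of 50 requests in any 10 seconds is an assumption to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp, request_line) for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["req"]


def peak_window_counts(lines, window=timedelta(seconds=10)):
    """For each source IP, the largest number of requests seen inside any single window."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            stamps_by_ip[parsed[0]].append(parsed[1])
    peaks = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] >= window:   # slide the left edge of the window
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def flag_flood_sources(lines, threshold=50, window=timedelta(seconds=10)):
    """Source IPs whose peak request rate meets the (assumed) flood threshold, sorted."""
    peaks = peak_window_counts(lines, window)
    return sorted(ip for ip, peak in peaks.items() if peak >= threshold)


def constructed_sample():
    """Constructed log: one unproxied flooder plus a few ordinary visitors (not real traffic)."""
    base = datetime(2010, 12, 8, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, ts, path):
        return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 5123'

    lines = []
    for i in range(120):   # 20 identical requests per second for six seconds from one address
        lines.append(line("203.0.113.7", base + timedelta(seconds=i // 20), "/"))
    for i, ip in enumerate(["198.51.100.5", "198.51.100.9", "198.51.100.5", "198.51.100.23"]):
        lines.append(line(ip, base + timedelta(seconds=17 * i), "/index.html"))  # human pace
    return lines


if __name__ == "__main__":
    sample = constructed_sample()
    for ip, peak in sorted(peak_window_counts(sample).items()):
        print(f"{ip:16} peak {peak:4} requests / 10 s")
    print("flagged:", flag_flood_sources(sample))
```

The point is not the threshold but what the log already contains: the source address of every request, which is exactly what a tool that makes no attempt at anonymity hands to the victim, and from there to investigators.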

Now an affidavit published by The Smoking Gun shows how the FBI and the German Federal Criminal Police (BKA) used logs to track down the IRC servers from which the attack on PayPal was commanded.

Log files showed that the commands to execute the DDoS on PayPal actually came from IP address 72.9.153.42. Below are the log entries from the server as provided by the BKA…Based on my experience and training, I know that companies providing co-location facilities do not always label or externally identify the computer servers at their facilities with their IP address. Therefore, as part of the process of identifying the computer system that I seek to search, I may be forced to check each system belonging to the target customer until I have determined that it is the computer to be searched.

I find it hard to believe that the agent would rely on an external label even if one existed on the equipment. It is even stranger to see the absence of labels used as a reason to widen the scope of a search. The copy of the affidavit ends with an ominous half-sentence:

This check may involve a check of the network traffic emanating from each system or, in the worst case scenario, the

…network traffic emanating from every system in the company? Is that like a warrant to install surveillance on an apartment that includes the caveat that the entire city might have to be tapped? Where is page 6?