Police to License Access at Mumbai Cyber Cafes

Mid-day news reports that Mumbai Internet access is under heavy surveillance and supervision:

Vijay Mukhi, President of the Foundation for Information Security and Technology says, “The terrorists know that if they use machines at home, they can be caught. Cybercafes therefore give them anonymity.”

“The police needs to install programs that will capture every keystroke and, at regular intervals, screenshots, which will be sent back to a server that will log all the data.

The police can then keep track of all communication between terrorists no matter which part of the world they operate from. This is the only way to patrol the net and this is how the police informer is going to look in the e-age,” added Mukhi.

Seems like a good theory, but as we all know, the “no matter which part of the world” and “every keystroke” phrases are absolutes. Absolutes and security rarely go well together.

All cyber cafes in the city will now need a police license to keep their business going. All cafes need to register at the police headquarters and provide details on the number of computers installed, type of computers and technical details like the IP address of each machine.

They will have some trouble when they realize that IP addresses are increasingly assigned dynamically, and are easily spoofed in any case.

I wonder how much of this type of cafe clampdown, if successful, will push anonymous network seekers onto the weaker wireless signals in residential neighborhoods.

Will police require home users to use a grade of security to prevent intrusion, and/or to report the number of computers, type, etc. when they run wireless networks? Will home users be held liable for weak security like WEP, or the providers, or even the manufacturers? The new Snoop law in England, if it survives public concern, may help provide answers.

Amazon Loses One-Click Patent Lawsuit

Interesting David v. Goliath story in the New Zealand news. I have not seen it anywhere else yet:

An Auckland man who defeated internet giant Amazon in a copyright battle hopes his example will inspire others to challenge big corporations.

The United States Patents Office has ruled that Amazon does not have the exclusive rights to what is called one-click shopping – the technology that allows shoppers to buy goods with just a single click of a mouse.

Peter Calveley used internet archive sites to prove the one-click shopping idea was pioneered by a now defunct internet company called Digi Cash.

Calveley has said that he pursued the suit as a game, or in other words to make a point, but he financed it with donations. Suing Amazon for profit? His blog has more details:

Many thanks to everyone who helped out with the funding and promoting the blog.

Please don’t send any more money (unless you want to contribute to my personal consumption ;-) ).

Should lawyers, or even laymen, solicit funds from the Internet to attack corporate interests? This is an interesting model I had not thought about. I wonder if it might someday alter the definition of “public defender”. Calveley reported some sources of support, but most are anonymous.

Firefox and iPhone vulnerabilities

Firefox 2.0.0.8

MFSA 2007-36 URIs with invalid %-encoding mishandled by Windows
MFSA 2007-35 XPCNativeWrapper pollution using Script object
MFSA 2007-34 Possible file stealing through sftp protocol
MFSA 2007-33 XUL pages can hide the window titlebar
MFSA 2007-32 File input focus stealing vulnerability
MFSA 2007-31 Browser digest authentication request splitting
MFSA 2007-30 onUnload Tailgating
MFSA 2007-29 Crashes with evidence of memory corruption (rv:1.8.1.8)

I would jump to 2.0.0.8 ASAP if I were you, where ASAP means no more than a month or two. I mention this because of what comes next…

In other news, Apple’s phone apparently failed to patch the ages-old libtiff vulnerability.

“I started Safari on my iPhone, browsed to a Website, and a few seconds later, HD was able to get root on my phone, without a wireless connection. Being able to run your own machine code pretty much opens the gates,” Finisterre said.

“I think it’s pretty serious — and even more so, ironic — that a year-old bug would get rolled into a semi-recent product,” added Finisterre.

It is definitely ironic. Where is the quality, Apple? Where is the quality?

In an interview with CMP Channel at Black Hat, Miller said Apple regularly uses outdated versions of open source code in the OS X platform, much of which contains known security flaws.

Outdated because of a slow release cycle? It is a shame they do not track security fixes in parallel with their release candidates, so that a product is safe to use the day it reaches the public, or at least does not fall over when someone tests the new product against known bugs more than a year old.

Disclaimer: I’m not a fan of the iPhone. While I have liked and owned Apple products that were different in meaningful ways from the competition (e.g. the original laptop keyboard pushed back to the screen with palm-rests up front — genius) the iPhone strikes me as a lot of flash with not much practicality.

Stolen laptop worth lifetime of beer?

Here is an interesting new take on the value of information:

Owners were desperate to retrieve the [stolen] computer containing designs, contact details and financial information, the Rotorua Daily Post said.

They have offered free beer to anyone giving clues leading to its recovery.

Co-owner Paul Croucher said the company would provide a lifetime supply of about 12 bottles a month to anyone who could name the thief.

The company has back-up copies of the material stored on the laptop but these are not up to date, the newspaper said.

What are the chances this will work? And if it does, should security start trying to recover all laptops with beer? Makes a perfectly good excuse for storing large amounts of the beverage at the office, no?

Updated to add:

Cost of 12 beers from the company in question = $36

$36 X 12 months = $432/yr

Average life expectancy of a kiwi male = 78.2 years

78.2 – 18 (kiwi drinking age) = 60.2 years

60.2 years X $432/yr = $26,006.40

The problem with this reward system, obviously, is that the type of person who might be motivated by beer as a reward is going to want more than 12 bottles a month. And the person not motivated by beer is going to want more than $432/yr. In fact, $432 is not much of a reward for a laptop and, given the questionable information security practices of the company (e.g. no current backups), is there any real guarantee that they would be around to deliver bottles for years two and three let alone in perpetuity?