
2003.10.03

GPRS billing scam revealed

Spreading like wildfire is an item from Guy Kewney's NewsWireless.net about a vulnerability in the General Packet Radio Service (GPRS) which enables an unauthorized service provider to "borrow" your IP address and then bill you for their service: "...a company obtains IP addresses that the GPRS operators own, in the 'cellular pool' and start pinging those addresses. When one of them responds, the scam operator knows that a user has been assigned the address. And, unbelievably, there was nothing to stop them simply providing services direct to that IP address - and taking the money out of the GPRS billing system to pay for it... Getting the IP address list costs the crook no more than it takes to log onto the GPRS network with a data call, and getting assigned an address by a perfectly standard DHCP server inside the operator's network... The problem isn't limited to GPRS. Any mobile network that is internally trusted - and that includes next-level technology like UMTS 3G networks - will face similar threats when linking its internal, trusting network to the free-for-all that is the Internet..."

2003.10.02

Database protection bill's "seismic impact"

A "seismic impact on the Internet" could be caused by Congressional approval of the Database and Collections of Information Misappropriation Act of 2003, according to Sebastian Rupley, writing in PC Magazine. Still at an early stage of discussion, this draft law was the subject of a joint hearing before the US House Judiciary and Commerce Committees on 23 September: "...The proposed legislation 'would fundamentally alter the current structure of the Internet by providing a new perpetual property protection for facts, and holding conduits such as ISPs liable for facilitating the transmission of illegal databases,' according to an advisory from NetCoalition. 'In addition,' the advisory continues, 'it would create a new subpoena provision modeled after [the] Digital Millennium Copyright Act, which would allow anyone—not only database producers—to seek personal information about a user alleged to have illegally distributed a database.' ...One of the key charges made by those who oppose the Database and Collections of Information Misappropriation Act is that companies who disseminate information on the Internet would have to put in place costly and difficult processes to make sure they weren't releasing protected information. 'In the online world, think of search engines or other online companies who are in the business of making information available to people,' says Markham Erickson, Director of Federal Policy and Associate General Counsel at NetCoalition. 'They respond in an automated way, millions of times a day, to requests for information. The proposed legislation would force Internet companies to monitor the requests going across their systems to avoid liability.'"

That last point was contested by the bill's supporters at last week's hearing. They claim that ISPs would not be liable for violations of database protection that they did not profit from or "actively induce." NetCoalition disagrees, however, and unfortunately the bill has not yet been assigned an "H.R." number, so its text is still not online.

2003.09.30

P2P group proposes royalties, code of conduct

Reuters reported yesterday that a voluntary code of practice has been adopted by an association of companies that facilitate peer-to-peer file-sharing. "P2P United members -- Lime Wire, Grokster, Blubster, BearShare, Morpheus and eDonkey 2000 -- said they would help law enforcers track down child pornographers, would make it easier for users to protect sensitive material on their hard drives, and would not secretly install spyware on users' computers. The group also said it would encourage users to learn about copyright laws but would not install filters or otherwise limit users' ability to trade copyrighted material... Kazaa, the music file-sharing service that is the most widely used peer-to-peer network, is not a member of the group. P2P United invited the recording companies to sit down and negotiate a method so they could be paid for the copies users make of their materials..."

ICANN: regional mutiny brewing?

A posting on ICANN Watch by Milton Mueller draws attention to a move by regional DNS registries to develop a framework for cooperation that could become an alternative to ICANN. The registries involved are the Asia Pacific Network Information Centre, the American Registry for Internet Numbers, the Latin American and Caribbean Internet Addresses Registry, and Réseaux IP Européens. While presented as a precaution, to ensure that the regional services are not adversely affected by a shutdown of ICANN, it looks an awful lot like an attempt by the regionals to create a stronger bargaining position, or even to make ICANN more disposable. Here's how Professor Mueller puts it:

"Already reeling from widespread accusations of impotence in regard to VeriSign's reviled Sitefinder service and from attacks on its legitimacy by governments at WSIS, ICANN now finds that the Regional Internet Address Registries (RIRs) are proposing to set up an alternative structure to coordinate address space assignments in the event that ICANN 'fails.' The Draft 'Open Letter to ICANN from the Regional Address Registries' notifies ICANN of RIR plans to create a new 'Number Resource Organization' that would contract with all of the RIRs and replace the Address Supporting Organization (ASO)..."

2003.09.29

Hack geography

mi2g, a firm specializing in "digital risk assessment," just published their September country report on the origins and targets of hack attacks. Cyberatlas posted these table-summaries of the mi2g data:

Origin of Digital Attacks, 2003
Brazil      95,544
Turkey      14,795
USA          2,955
Indonesia    2,360
Egypt        2,365
UK           1,707
Morocco      1,650
Pakistan     1,398
Mexico       1,317
Malaysia     1,215
Source: mi2g

Most Attacked Countries Since September 2002
USA         71,868
Germany     17,529
Brazil      14,785
UK          13,417
Source: mi2g

India: new rules for cyber cafes

"The Asian School of Cyber Laws (ASCL) is working with the Information Technology (IT) ministry [to frame] a code of conduct and practices for cyber cafes/chat room centres around the country," according to India's Financial Express. ASCL is very much oriented toward security issues, so their rules for cafes will probably be designed to help police gather evidence of cybercrimes.