SOPA, PIPA, Online Piracy Lead Week's Security News
Despite weeks of intense lobbying by technology companies and consumer advocates, the controversial anti-piracy bills seemed on track to pass in Congress. Then Wikipedia took a stand this week, declaring a 24-hour blackout on Jan. 18 during which its English language edition that only displayed a statement saying the site had gone dark to protest the draconian measures in the bills.
Google covered its familiar home page doodle with a black band and directed users to an online petition to protest the bills. Several thousand Websites took part in the protest, after which several members of Congress publicly withdrew their support for the bill.
Even with the most dangerous provision, the Domain Name System filtering, removed, SOPA and PIPA still went too far and gave content owners too much power, critics said. Rep. Lamar Smith finally backed down at the end of the week and agreed to not resume markup on SOPA next month. Now lawmakers are trying to figure out what an alternative approach to fighting online piracy should look like.
In the midst of online applause about lawmakers' change of direction on the SOPA, PIPA legislation, came the news that the Federal Bureau of Investigation, acting on indictments obtained by the U.S Department of Justice, had shut down the Megaupload file sharing site. The timing of the indictment was a coincidence, but highly ironic.
Megaupload was "exactly" the type of Website SOPA and PIPA advocates had in mind when the bills were drafted, according to Neil Roiter, research director at Corero Network Security. The FBI shutdown was a good example of "how the legal system should be dealing with these types of players, through police work and criminal prosecution," Roiter said. If SOPA and PIPA had been law, the shutdown would have happened without FBI involvement.
Users who had used Megaupload for legitimate purposes, such as hosting their own files, work documents and their own media files, were distraught by the shutdown. They took to Twitter to demand their files back, highlighting the fact that when data is stored on a third-party's servers, they don't have control over it.
Hacktivist collective Anonymous was furious with the news and almost immediately coordinated and launched massive distributed denial of service attacks against a number of sites, including Universal Music, Department of Justice and the Federal Bureau of Investigation. Sites remained inaccessible for most of Thursday and parts of Friday. Anonymous at one point claimed more than 5,000 people were taking part in the attacks.
Not everything was about piracy, although it seemed like it. Two large Web companies reported significant data breaches this week.
Zappos.com reported a data breach where unknown adversaries made off with user data and password hashes earlier this week. While the company was commended for its quick disclosure and clear communication, it was criticized for shutting down its telephone lines, which forced users to get in touch via Twitter or email. The company was also very cagey about how it had protected user passwords, prompting security experts to worry anew about sites not forcing users to select strong passwords.
Symantec's on-going saga over whether a hacking group had acquired current source code to several of its products took a strange twist. Previously, the company had claimed the hackers had the source code to enterprise versions of its security products and that it had been stolen from a third-party server. This week, the company acknowledged unknown adversaries had breached its network in 2006 and stolen source code to its Norton line of security products.
Security experts expressed concern at the fact that the company had been unaware of the breach for so long.
"How could Symantec have gotten hacked? Don't they use AV?" Apple hacker Charlie Miller joked on Twitter.
In this week's software maintenance news, Oracle said it fixed 78 bugs in its quarterly update but came under fire for not patching enough issues in its flagship database software.