Coding Monkey Martin Pittenauer asked german Bands why their music isn't available in the iTunes music store.

I checked for "Die Ärzte". [...] I sent them a mail and asked about this. I immediately got an answer, that basically stated that "they already have enough money" and pointed me to a site where you can download bootlegs of them for free.

Fascinating attitude.

At Defcon 12 in Las Vegas I will present on the topic of unwanted data:

Far More Than You Ever Wanted To Tell - Hidden Data In Document Formats

Applications usually put all kinds of information besides the ones which you intend to into saved documents. This can lead to embarrassing revelations. We will take a look into different types of application data and what can be hidden in there. This allows us to "scrub" our own documents to avoid unwanted information in there but also to look for information in documents which the authors didn't want to hand out. Go grasp the scope of the problem we will present a large scale study of hidden information in Documents on the Internet.

Last week there was the Aachen Meeting on Trusted Computing organized by the Laboratory for Dependable Distributed Systems. About two dozen German researchers attended the two days meeting and it was monst of the time a very productive exchange of ideas.

On primary outcome was the fact that we really don't now of what use a TPM is. It is very hard to find a business case which needs TMP. And it seems the TC designers didn't really have any speciffic applications in mind, when designing their scheme. There seems to be a urgent need that we academics experiment with building applications using the TPM.

At IPTAblog there is coverage of Susan Crawford's coverage of the Yale Information Society Project conference on cybercrime, Digital Cops in a Virtual Environment.

The Information Security Breaches Survey 2004, managed by PricewaterhouseCoopers on behalf of the UK Department of Trade and Industry is availabla online. Surveys form 2002 and 2000 are also available.

The last two days Stefan Köpsell was visiting the RWTH-Aachen Security AG. Köpsell is the lead developer of JAP a Web-Anonymity solution which uses the MIX concept known from the mixmaster remailers to anonymize Web access. (But beware of Law enforcement features in JAP).

The JAP MIXes running nowadays at TU-Dresden are capped to 10MBit/s and produce about 3 TB traffic per month. The only known case of substantial abuse is a person running (? or using) child pornography forums and advising people how to use anon services like JAP or freenet. This lead to Law Enforcement involvement. Interestingly the Police asked for the sensitive data to be mailed to them. The JAP team refused to send such data via clear text email and the Police claimed they where not allowed to use encryption (like PGP) in their offices (so they are also forbidden to use GSM phones ?). It ended up with an PGP encrypted mail to an freemail provider.

Most other complains are about defamation an credit card fraud.

There where a single DoS attack on JAP: Somebody was opening thousand connections to the MIX-servers. Since the servers are designed to be non-blocking they could handle the load well but after 8000 connections the Operating System got into trouble. There was also the problem that some clients ("Download-Tools"?) opened dozends of connections at once. Both problems where attacked by introducing IP and connection limits.

In the JAP project it turned out that persons running the MIX-servers are much more unsophisticated Unix users than expected. This lead to a graphical server configuration tool being created. Still there is the need for more auto-configuration and hands-free operation.

The AN.ON-Project which is (to my understanding) running JAP is looking for ways to test payment systems to create anonymity-service business models.

We discussed the idea of observing traffic on the whole German Internet or at least a substantial part of it - let's say 80% - and came to the conclusion that tis would be doable with relatively little resources.

At the Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2004) Conference we will present a German language paper Ermittlung von Verwundbarkeiten mit elektronischen Ködern describing the Honeynet-Setup at the RWTH-Aachen University.

At the Black Hat USA 2004 Briefings we will turn our theoretical research into practical application and demonstrate how we break into a Honeynet and obtain root privileges without any useful information being logged on the Honeynet's data gathering servers ("Honeywall" etc.).

We will be also stand-by speakers at the Black Hat Europe 2004 Briefings.

I will be presenting our recent research on detecting and circumventing honeynets at the 5th Annual IEEE Information Assurance Workshop.