Das mit Spannung erwartete Urteil des deutschen Bundeverfassungsgerichts zur Umsetzung der Richtlinie über die Vorratsspeicherung von Daten durch das deutsche "Gesetz zur Neuregelung der Telekommunikationsüberwachung" wurde heute verkündet; hier ist die detaillierte Pressemitteilung verfügbar.

Das Ergebnis: das BVerfG beurteilt die konkrete Ausgestaltung der Vorratsdatenspeicherung im dTKG und in der dStPO als unvereinbar mit Art 10 Abs 1 GG. Pressemitteilung: "Zwar ist eine Speicherungspflicht in dem vorgesehenen Umfang nicht von vornherein schlechthin verfassungswidrig. Es fehlt aber an einer dem Verhältnismäßigkeitsgrundsatz entsprechenden Ausgestaltung. Die angegriffenen Vorschriften gewährleisten weder eine hinreichende Datensicherheit, noch eine hinreichende Begrenzung der Verwendungszwecke der Daten. Auch genügen sie nicht in jeder Hinsicht den verfassungsrechtlichen Transparenz und Rechtsschutzanforderungen."

Die Richtlinie selbst begegnet ausdrücklich keinen Bedenken des BVerfG: "Die Wirksamkeit der Richtlinie 2006/24/EG und ein sich hieraus möglicherweise ergebender Vorrang des Gemeinschaftsrechts vor deutschen Grundrechten sind nicht entscheidungserheblich. Der Inhalt der Richtlinie belässt der Bundesrepublik Deutschland einen weiten Entscheidungsspielraum. Ihre Regelungen sind im Wesentlichen auf die Speicherungspflicht und deren Umfang beschränkt und regeln nicht den Zugang zu den Daten oder deren Verwendung durch die Behörden der Mitgliedstaaten. Mit diesem Inhalt kann die Richtlinie ohne Verstoß gegen die Grundrechte des Grundgesetzes umgesetzt werden. Das Grundgesetz verbietet eine solche Speicherung nicht unter allen Umständen." (Hervorhebung hinzugefügt)

In Österreich hat sich das zuständige BMVIT bei der Erstellung des Ministerialentwurfs durch das Ludwig Boltzmann-Instituts für Menschenrechte unterstützen lassen. Die Begutachtungsfrist für diesen Entwurf ist seit 15.1.2010 abgelaufen (hier zum Entwurf und den Stellungnahmen); eine Regierungsvorlage wurde dem Parlament noch nicht vorgelegt, die Verurteilung durch den EuGH wegen der nicht erfolgten Umsetzung ist demnächst zu erwarten (C-189/09 Kommission / Österreich). Nach Medienberichten will Neo-Justiz-Kommissarin Reding die Richtlinie übrigens grundlegend überprüfen.

PS: Der frühere deutsche Verfassungsrichter Hoffmann-Riem hat vor wenigen Tagen einen Beitrag in der Zeit (online) unter dem Titel "Wider die Geistespolizei" geschrieben: "Sollte es im Augenblick unvermeidlich sein, vermehrt Daten von Bürgern zu sammeln, wird es umso wichtiger, diese Datenverarbeitung streng zu kontrollieren." Seine ehemaligen Kollegen haben das offenbar genauso gesehen.

Architecture under CCTV (image from the BMW Welt Munich).

Researchers scanning the internet for vulnerable embedded devices have found nearly 21,000 routers, webcams and VoIP products open to remote attack. Their administrative interfaces are viewable from anywhere on the internet and their owners have failed to change the manufacturer's default password.

Linksys routers had the highest percent of vulnerable devices found in the United States -- 45 percent of 2,729 routers that were publicly accessible still had a default password in place. Polycom VoIP units came in second, with default passwords lingering on about 29 percent of 585 devices accessible over the internet.

"You can reflash the firmware or install any software you wish on vulnerable devices," said Salvatore Stolfo, a Columbia University computer science professor who is overseeing the research project aimed at uncovering vulnerable appliances on the internet. "These devices will be owned and used by bot herders and other miscreants."

Hackers can use vulnerable routers to conduct click fraud or DNS cache poisoning attacks or to launch attacks on other systems. (See our recent Threat Level story about vulnerable routers used by Time Warner customers.) Someone with remote access to the administrative interface of a VoIP system would also be able to install firmware to record conversations.

The research project, devised by Columbia University grad student Ang Cui at the university's Intrusion Detection Systems Laboratory, involves scanning networks belonging to the largest internet service providers in North America, Europe and Asia. The lab is sponsored by the Defense Advance Research Projects Agency (Darpa), the Department of Homeland Security and other federal agencies.

"Vulnerable devices can be found in significant numbers in all parts of the world covered by our scan," (.pdf) the researchers wrote in a summary of their initial findings presented at a symposium in June. "The double digit vulnerability rates suggest that a large botnet can be created by constituting only embedded network devices."

Since initiating the project last December, the Intrusion Detection researchers have scanned 130 million IP addresses and found nearly 300,000 devices whose administrative interfaces were remotely accessible from anywhere on the internet. The 21,000 devices with default passwords are the most vulnerable, but the rest are theoretically vulnerable to brute-force password-cracking attacks, Stolfo said. Extrapolating from the numbers they've gathered, the researchers estimate that 6 million vulnerable devices are likely connected to the internet.

The group has so far focused on residential routers and devices but is now looking at scanning more sensitive networks to search for vulnerable devices inside large corporations and government networks.

"People tend to buy stuff and bring them to work and just plug them in," Stolfo said. "So we think we'll be able to find vulnerable devices in highly sensitive places."

The researchers didn't attempt to explore the administrative interfaces or tamper with the devices they found, so they believe their work isn't illegal.

"The scan script sends the public password for the product, and if the device responds with the 'command prompt' for that product interface, then the machine is obviously open," Stolfo said. "We do not access the machine. We break the connection at that point and move on."

ISPs can easily detect the scanning, and the researchers embedded a URL in their probes for a webpage explaining the project that gives network providers a chance to opt out. Stolfo says a couple of universities, a security company and government agency have so far asked to be exempt from the scan.

The researchers have provided ISPs with their findings in the hope that they will do something to protect vulnerable customers.

"It's not clear how an ISP is going to do a general announcement, but we hope there will be some way to communicate to the home user in particular about what they have to do to reconfigure their device," Stolfo said.

But Stolfo says product makers are the real culprits and need to hide their administrative interfaces by default and provide clear instructions for users who want to alter that configuration. Vendors should also be more forceful in communicating to users that default passwords need to be changed to robust alphanumeric passwords that include special characters to thwart brute force attacks.

"This is not a password you're going to need every day, so setting a very hard password and recording it at home on a piece of paper is probably a safe thing to do," Stolfo says.

The group plans to run the scan for a few more months, then wait before re-running it to see if the number of vulnerable devices has fallen after they've notified ISPs about the vulnerabilities.

See also:

• Time Warner Cable Exposes 65,000 Customer Routers to Remote Hacks

In a previous article, we discussed the Web of data, which is about inter-linking open data sets and, thus, turning them into machine-accessible structured data. In this post, we'll draw a picture of how the emerging social Web could serve as a Web of identities, which is essentially a people-data version of the Web of data.

Sponsor

W3C's Linking Open Data (LOD) project has gotten quite a bit of attention for the good job it does with the Web of data. Currently, all participating data sets are accessible free of charge and can be used without constraints. The project focuses on growth for now. In an email, Chris Bizer hinted that a payment model to charge for particular content may come in future.

The LOD approach is very good for static and encyclopedic knowledge, but what about accessing our personal data? Technically, modeling our identity, profile data, social graph, groups, activity stream, assets, and other kinds of personal data is straightforward. But empowering machines to access this data could present challenges to the LOD approach, because it comes with all sorts of constraints and peculiarities, such as privacy and data volatility. People want control over who has access to their data or parts of their data and want to be able to block access for any reason. And issues such as rapidly changing and outdated data remain unaddressed.

This is where the social Web can help.

The Emerging Social Web

There was a time when we had to create a new digital identity for each social application we wanted to use. A social application provides features based on social attributes. Every application provider implemented its own proprietary ID management to authorize users to log on and implemented its own proprietary user profile system to manage information about its users. Application providers were judged by the size of their user and content base and so erected endless walled gardens to protect their properties.

The most significant issues people had were:

1. Low conversion rate for user registration,
2. Users had to register for many accounts,
3. Users had to re-enter and synchronize profile data,
4. Privacy, data ownership, and inability to export.

Not much has changed, unfortunately. Most remarkable, perhaps, is the growing number of single sign-on (SSO) solutions that address the first issue for application providers and the second issue for users. New application providers can now outsource this functionality to a third-party SSO provider. Some of the biggest application providers became ID providers themselves to allow their users to log on to third-party applications with the same ID, and this has gained traction beyond these few providers. This has led us to an era of identity wars between the big providers.

Many ID providers, such as Google, Yahoo!, MySpace, and Facebook, have added the OpenID SSO to their own proprietary mechanisms over time. Because of the open nature of OpenID, many third-party providers have found it easy to integrate with the bigger providers, giving them more traction because users are able to access their services so easily using their OpenID credentials. Now, these ID providers can offer read-only access to fragments of profile data that users can look up or copy to third-party applications. Like SSO and OpenID, this began with proprietary solutions, but now exchange formats and protocols are emerging whose open language allows applications to easily exchange and synchronize data. These include:

• API access authorization protocol OAuth,
• Social graph exchange format FOAF ("friend of a friend"),
• Updates exchange format activity streams,
• Address book exchange format Portable Contacts.

In the future, ID providers will loosen their connection to social applications and start taking over management of users' social attributes. Users will be able to log in to applications using credentials hosted by their ID providers of choice and grant permissions to these applications to read or even sync selected fragments of their profile data. The borders of these walled gardens will thus blur, and the social Web will become more of a weave than a patchwork quilt.

The Web of Identities

The Web of data is a distributed web of interconnected sets of semantically annotated data. A connection is achieved as a result of data pointing to data contained in another set through a URI, just as websites point to each other with URIs. This way, machines can crawl the sets to read the data. ID providers will most likely refer to their users via URIs in the future as well. A social connection will consist of one user's URI pointing to another user's URI or ID provider. If permitted by users, a machine may very well accomplish its tasks by jumping through the Web of identities from user to user, the way it does through the Web of data.

Why is this needed? The Web of identities is actually a super-social graph that spans multiple ID providers. If we come across walled gardens, this infrastructure would be needed for all of the social-related search functions we perform. The following examples are thus far provided only (if at all) within individual applications:

• "What is the best book read by friends in my circle?"
  This query might retrieve book purchases and book-related status updates that your friends have made accessible through their privacy settings and then rank the books in a set.
• "Notify me if a close friend visits Berlin."
  This permanent task repeatedly looks up your friends' geo-locations. You may also have granted your close friends access to this data, too. This task could even be combined with the Web of data to look up the meaning and location of Berlin.
• "Sync my address book."
  This permanent task continually synchronizes my friends' addresses and numbers with my personal address book.

Now it's your turn. In what ways do you think the social Web and Web of identities are evolving?

(Diagrams by alexkorth)

Discuss