Don’t forget to register for Wednesday’s web chat about automatic update mechanisms and their effect on end user security and control. More information about the topic and how to register can be found in the original blog post.

In the past couple of years, auto-update mechanisms that allow software applications to check for and install patches or new versions have become far more prevalent. Some software vendors have looked to push auto-updaters beyond the traditional “an update is available, do you want to install it?” format. Last year, Apple began using its updater to push additional software applications. Google’s Chrome browser silently installs updates, including new major versions, with no user interaction or notice. A new updater for Adobe Reader appears to be a hybrid of Chrome’s silent installer and more tradiitonal updaters.

On Wednesday, Feburary, 10, at 1pm EST, we will be hosting a public web chat to discuss auto-update mechanisms from the standpoint of balancing their security benefits with questions about appropriate disclosure and user control. Brad Arkin of Adobe will be participating, and the Google Chrome team has been invited to join, as well. The chat will incorporate VoIP audio (requires headset or microphone/speaker on your computer) as well as text, using dimdim’s Flash-based web conference system. Pre-registration is free and recommended. Just enter your e-mail address in the widget below. Feel free, as well, to help publicize this chat by clicking the “Share Widget” link.

There’s still time to register for the Anti-Spyware Coalition public workshop next week in Washington, DC. And, best of all, press, government, ASC members, educational and nonprofit attendees attend free! (Corporate attendees pay only $250 for a great all-day workshop.)

Complete details and registration links can be found here.

Register now for the Anti-Spyware Coalition public workshop on May 19 in Washington, DC. The workshop should be excellent, with keynotes from U.S. cybersecurity chief Melissa Hathaway, Consumer’s Union security specialist Jeff Fox, and Washington Post security columnist Brian Krebs. It will also feature several interesting panels, including one that I’ll be facilitating on the topic "Who owns the problem?" That panel will feature:

• Jeffrey Troy, Chief of the Cyber Criminal Section, Federal Bureau of Investigation
• Sam Fleitman, Chief Operations Officer, SoftLayer Technologies, Inc
• Bob Bruen, KnujOn
• Kevin Haley, Director of Product Management, Symantec Security Response
• Alissa Cooper, Center for Democracy and Technology
• Andy Steingrubel, Manager of Secure Development, PayPal Information Risk Management

 I hope to see you there!

The Anti-Spyware Coalition, of which StopBadware.org is a member, will host its 5th public workshop on May 19 in Washington, DC. The workshop will be focused around creating a chain of trust online, and how good actors can cooperate in order to protect users. I will be facilitating one of the panels, focused on the question "Who owns the problem?"

The agenda and registration for this event are now online at http://antispywarecoalition.org/events/may2009.php. Press, government, educational and nonprofit attendees register for free.

Computerworld has a nice interview with Jonathan Zittrain, a StopBadware co-director and professor at Oxford and Harvard. Zittrain has just published a new book, The Future of the Internet and How to Stop It, looking at the consequences decreasing openness can have for the capacity for innovation, which he calls “generativity.”

Zittrain explains how badware and other online ills can threaten the future of innovation online:

[T]he qualities that make generative systems good make them susceptible to abuse when they become successful. Then, the natural reaction of many people is to retreat. So there is a migration to “locked down” information appliances, like the iPod, that are not programmable by third parties. And you are increasingly seeing the PC itself locked down in places like offices and schools.

If you’re in the Boston or New York City areas, consider joining us to celebrate the release of Professor Zittrain’s new book. For information, see the Berkman Center’s events page.

StopBadware.org’s parent organization, the Berkman Center for Internet & Society at Harvard Law School, is turning 10 years old this year and is celebrating by giving away $50,000 at its fund raising gala following the Future of the Internet conference:

The Berkman Center for Internet & Society at Harvard Law School is accepting nominations for the first Berkman Awards. The awards will be presented to people or institutions that have made a significant contribution to the Internet and its impact on society over the past decade.

The primary awardee will receive $50,000, and five smaller awards will be given in specific categories such as: human rights/global advocacy; academic and intellectual leadership; pro bono work; infrastructure/communications tools; arts/culture/media; and news/information/journalism.

There are no conditions placed on how the award money must be spent. Nominations for the award will be accepted from the public until April 11, 2008.

April 11 is this Friday, so if you have an idea for a person or organization to nominate, you’d better do so now.

The Anti-Spyware Coalition, of which StopBadware is a member, will hold its next public workshop on January 31 in Washington, DC. The theme for the day will be “Spyware: What’s Worked, What’s Left, and What’s Coming.”

The ASC’s last conference was held here at Harvard, and proved to be an excellent opportunity for a meeting of minds in the anti-spyware space. You can read StopBadware staffers’ notes from that event here.

For more info about the January event, including planned panels and registration, head to the ASC website at antispywarecoalition.org.

Recordings of sessions at the Anti-Spyware Coalition conference, which took place this past Wednesday at Harvard Law School, are now available:

Part 1
Part 2
Part 3

You will need Real 10 Player to play the recordings (free download available here).

We have one more panel’s worth of notes from our blogging of yesterday’s Anti-Spyware Coalition conference. Here, StopBadware researcher Oliver Day shares his notes on the Trends panel, which closed out the day at the conference:

Google:

• The interstitial page. Creates a way to warn users of the search engine when a website is possibly infected.
• The Ghost in the Browser paper by Niels Provos et al. Technical paper on the methodologies used by Google to determine “badness”
• Safe browsing API overview. Opening up more information to the end users
• Online security blog. Tech oriented blog that is a day to day journal of the group.

Truste:

• Program whitelists
• Affiliate networks offloading responsibility

StopBadware:

• Educating consumers
• Guideline creation and security tips for site owners
• Community building via discussion groups, etc.

Site Advisor:

• Built for consumers by MIT engineers
• Bots testing for annoying behaviors

Questions:

How do all these pieces fit together in the security ecosystem?
Orgs like Truste try to fill in particular niches like deep product reviews. Google is trying to make searching safer. Stopbadware is in a unique position as a non-profit to act as a watch dog against corporations (see AOL report).

Are we acting as arbiters of the Internet? What happens when we get something wrong? Versions change often (think updates) so how valid are product certifications?

Google claims near zero False Positives based on vetting through partners. No one should surf securely feeling that they are protected from all things. How does one “look both ways” when you are browsing web pages?

False positives can be dealt with on a programmatic level. Creating decays on bans, white lists, etc.

Will/do consumers want their computers to be like appliances?

Porn is a vehicle for a badware codec.

How do we compensate for human stupidity?

How do we evade the bad guys when they know where we are (IP address)?

Community helps develop reputation systems.

What is the opinion of these groups for certifications by other groups? Things marked bad by different orgs are likely to be bad. Things marked good should still be viewed with skepticism.