


Topics - Ehtyar
101
Living Room / Tech News Weekly: Edition 44
« on: October 30, 2008, 06:38 PM »
The Weekly Tech News
Hi all.
No meta-news this week, enjoy :)
As usual, you can find last week's news here.


1. NIST Competition To Replace SHA Complete
http://csrc.nist.gov/groups/ST/hash/sha-3/index.html
Via: http://www.schneier.com/blog/archives/2008/10/the_skein_hash.html
The NIST competition for a replacement for the SHA-2 hash family closes today. Unfortunately it doesn't seem that the list of candidates is available yet. Please post a reply if you happen to come by it. Keep your eyes peeled for info.

NIST has opened a public competition to develop a new cryptographic hash algorithm, which converts a variable length message into a short “message digest” that can be used for digital signatures, message authentication and other applications.  The competition is NIST’s response to recent advances in the cryptanalysis of hash functions. The new hash algorithm will be called “SHA-3” and will augment the hash algorithms currently specified in FIPS 180-2, Secure Hash Standard. Entries for the competition must be received by October 31, 2008.


2. Security Flaw Is Revealed in T-Mobile’s Google Phone
http://www.nytimes.com/2008/10/25/technology/internet/25phone.html
The first flaw has been uncovered in Google's Android platform.

Just days after the T-Mobile G1 smartphone went on the market, a group of security researchers have found what they call a serious flaw in the Android software from Google that runs it.

One of the researchers, Charles A. Miller, notified Google of the flaw this week and said he was publicizing it now because he believed that cellphone users were not generally aware that increasingly sophisticated smartphones faced the same threats that plague Internet-connected personal computers.


3. E-mail Attachment Malware Soars 800 Per Cent in 3 Months
http://www.itbusiness.ca/it/client/en/home/News.asp?id=50510
According to Sophos, e-mail malware has made a substantial comeback in the previous quarter of this year.

The volume of malware attacks conducted via e-mail attachments increased about 800 per cent over the past three months as this low-grade hacking method was brought back from the grave, according to a U.K.-based security vendor.

This reverses an earlier trend. Previously, malware trends indicated hackers were moving away from sending infected attachments. Most attacks were carried out by embedding links to viruses or Trojans right into the e-mail.


4. Koobface Returns
http://www.computerworld.com.au/index.php/id%3b509001956%3bfp%3b4194304%3bfpid%3b1
http://news.cnet.com/8301-1009_3-10078353-83.html
The infamous Koobface Facebook threat is back, and is using Google's website to bypass Facebook protection (blacklisting is so 1990s).

Hackers initially unleashed Koobface in late July, but Facebook's security team soon slowed its spread by blocking the Web sites that were hosting the malicious Trojan software.

That has prompted the criminals to change tactics, according to Guillaume Lovet, a senior research manager with Fortinet. In this latest attack they have hosted files that appear to be YouTube videos on Picasa and Google Reader and used Facebook to send them to victims.

The links appear safe because they go to Google.com Web sites, but once the victim arrives on the Google Reader or Picasa page, he is invited to click on a video or a Web link. The victim is then told he needs to download special codec decompression software to view the video. That software is actually a malicious Trojan Horse program, which is blocked by most antivirus programs, according to Facebook.


5. 'Security-on-a-Stick' to Protect Consumers and Banks
http://www.physorg.com/news144519988.html
IBM have developed a USB-sized device that can be used to thwart attempted online banking fraud.

The "security-on-a-stick" solution — a handy USB-sized device with a display, a smart card reader and buttons — protects a user's e-banking transactions from even the most malicious attacks. With the new device, developed by an expert team at IBM's Zurich Research Lab, a user sees exactly what transaction data the banking server receives. Moreover, he or she can approve or cancel each transaction directly with the banking server using the buttons on the device.


6. New Address Spoofing Flaw Smudges Google's Chrome
http://www.theregister.co.uk/2008/10/26/google_chrome_address_spoofing/
Chrome is subject to yet another major vulnerability allowing websites to impersonate other websites.

Google's Chrome browser has been marred by yet another vulnerability, this one allowing attackers to impersonate websites of groups like the Better Business Bureau, PayPal or, well, Google.

Researcher Liu Die Yu of the TopsecTianRongXin research lab in Beijing says the spoofing vulnerability is the result of faulty code inserted by programmers from the Mountain View, California search behemoth.


7. Opera Scrambles to Quash Zero-day Bug in Freshly-patched Browser
http://www.theregister.co.uk/2008/10/27/zero_day_opera_bug/
In similar news, Opera's most recent browser patch has led to an easily-exploited RCE vulnerability.

Just a few days after Opera Software patched critical vulnerabilities in its browser, researchers have identified another serious bug that allows attackers to remotely execute malicious code on the machines of people running the most recent version of the software. Opera has vowed to fix the flaw soon.

Among the bugs squashed in Opera 9.61 was a stored cross site scripting (XSS) vulnerability that allowed attackers to view victims' browsing history. That attack is no longer possible, but now researchers have discovered an even more serious exploit that's based on the same weakness.


8. ATO Loses CD With Private Details
http://news.cnet.com/8301-1009_3-10078353-83.html
The Australian Taxation Office has misplaced a disk containing the unencrypted tax details of 3122 trustees, and has failed to notify them of the breach until 3 weeks later. Interestingly enough, Australia still has no laws governing the handling or reporting of corporate data breaches. Yay for incompetent government!

The ATO admitted that the CD was not encrypted and victims were only notified three weeks later.

The disk contained the name, address and super fund tax file numbers for 3122 trustees and was being couriered to the ATO, but failed to reach the department.

The Tax Office was notified about the missing CD on October 3 but only sent out letters to the victims on October 24, offering to re-issue the tax file numbers for their super funds.


9. Court Rules Hash Analysis is a Fourth Amendment "search"
http://arstechnica.com/news.ars/post/20081029-court-rules-hash-analysis-is-a-fourth-amendment-search.html
The long-contested idea that using hashes to determine the content of computer files is classified under the Fourth Constitutional Amendment as a "search" has been upheld in court for the first time, though appeal is likely.

A good coder has as many uses for hash functions as George Washington Carver did for peanuts—but law enforcement is fond of these digital fingerprinting techniques as well, because they allow reams of data to be rapidly sifted and identified. Legal scholars, however, have spent a decade puzzling over whether the use of hash value analysis in a criminal investigation counts as a Fourth Amendment "search." A federal court in Pennsylvania last week became the first to rule that it does—but one legal expert says an appeal is very likely.


10. Windows 7's Streamlined UAC
http://arstechnica.com/journals/microsoft.ars/2008/10/30/arspdc-windows-7s-streamlined-uac
Although they're keeping that fugly UI, it seems Microsoft will be overhauling UAC in Windows 7.

One feature of Vista that came under more criticism than most was User Access Control. The feature, designed to make Windows more secure by both limiting the rights of Administrators and making it easier for regular Users to gain Administrator rights only when necessary, was deemed to be annoying and intrusive. As a result, some 10-15% of Vista users turn it off.

Vista SP1 smoothed a few of the more annoying UAC wrinkles, but retained the same fundamental mechanics. The two main problems with UAC: the screen going black momentarily whenever a confirmation prompt was displayed, and the need to reaffirm explicit user actions.

With Windows 7, Microsoft has tried to tone down UAC to make it less invasive while still affording the same protection.


11. Ubuntu 8.10 Intrepid Ibex Released
http://www.downloadsquad.com/2008/10/30/ubuntu-8-10-intrepid-ibex-released/
Bang-on-target Intrepid Ibex has gone final today, with many impressive new features.

Ubuntu 8.10 is available for download today. And because Ubuntu Linux is open source software and we've been following its development for the last 6 months, there aren't a ton of surprises. But that doesn't mean you shouldn't download it if you're running Ubuntu 8.04 or if you're looking for a new Linux distro to try. Because it does include a number of tweaks, bug fixes, and improvements. Here are just a few:

    * Improved support for connecting to 3G wireless networks
    * A utility for loading a fully working Ubuntu installation on a USB disk
    * There's a new System Cleaner utility that will help identify abandoned software packages (which could address one of my biggest pet peeves about most Linux distributions)
    * The Nautilus file manager now supports tabs


12. Tivo Set to Stream Netflix Movies by Christmas
http://blog.wired.com/business/2008/10/tivo-set-to-str.html
It appears TiVo and Netflix have finally pulled their fingers out and are testing their system for streaming Netflix movies directly to TiVo subscribers.

Four years in the making, the Tivo/Netflix streaming partnership is finally ready for prime time. Tivo began testing software Thursday and expects to have the entire Netflix streaming collection available to subscribers of both services by early December.

The companies originally announced plans to serve Netflix movies-on-demand to Tivo boxes in 2004 but shelved plans due to a lack of available content.


Ehtyar.

102
Living Room / High Capacity Portable MP3 Player
« on: October 28, 2008, 04:28 PM »
Hi all.
For the past hour or so I've been looking on the net for a high capacity MP3 player, and I've yet to find something that matches my needs (hard to believe, right?). My criteria are below:
  • Capacity >= 100GB
  • NOT by Apple
  • NOT by Sony
  • Not priced for the huge screen
That's pretty much it really. I'd like battery life to be >10 hours on unprotected audio playback, but I'm willing to overlook poor battery life if necessary. If Sony and Apple are my only choices, then I'll go without, though I almost can't comprehend that no decent company is competing against the horrendous tech sold by these companies.
Please leave a reply if you know of something that might match what I'm after  :-*

Thanks, Ehtyar.

103
Living Room / Tech News Weekly: Edition 43
« on: October 24, 2008, 05:42 PM »
The Weekly Tech News
Hi all.
Not much in the way of meta-news this week (haha, I'm hilarious), and not a whole lot in the way of real news, sorry guys :(
Oh, and I've fixed my macros to operate entirely on the new layout, so......yay for me?
No Word Man, there is no CISCO news OK?   :tease:
As usual, you can find last week's news here.


1. LOLcats R in Ur Gallery, Pimpin 4 Adult Literacy
http://blog.wired.com/underwire/2008/10/lolcats-pounce.html
Gallery: http://www.wired.com/culture/art/multimedia/2008/10/gallery_LOLarts
Apparently art doesn't understand the LOLCat concept...they're taking them seriously!! Fortunately, it's for a good cause, so they're forgiven.

The grammatically challenged felines known as LOLcats are clawing their way off computer screens and into the mainstream art world.

Works by nearly 30 artists influenced by the pidgin-speaking-cat meme will be auctioned off Thursday during a sold-out art show in San Francisco -- with proceeds going to benefit an adult-literacy program.


2. Passports Will Be Needed to Buy Mobile Phones
http://www.timesonline.co.uk/tol/news/politics/article4969312.ece
Britons will soon be required to present their passports and be registered in a national database when purchasing a mobile phone under plans to overhaul state surveillance powers.

Everyone who buys a mobile telephone will be forced to register their identity on a national database under government plans to extend massively the powers of state surveillance.

Phone buyers would have to present a passport or other official form of identification at the point of purchase. Privacy campaigners fear it marks the latest government move to create a surveillance society.


3. Keyboard "eavesdropping" just got way easier, thanks to electromagnetic emanations
http://www.engadget.com/2008/10/20/keyboard-eavesdropping-just-got-way-easier-thanks-to-electrom/
http://www.theregister.co.uk/2008/10/20/keyboard_sniffing_attack/
Not really news; keyboards have been insecure almost from day 1, particularly since the advent of wireless ones, but one has to admit this is just cool.

We always knew those electromagnetic emanations would amount to no good, and now here they go ruining any shred of privacy we once thought to possess. Some folks from the Security and Cryptography Lab at Switzerland's EPFL have managed to eavesdrop on the electromagnetic radiation shot off by shoddy wired keyboards with every keystroke. They've found four different ways to listen in, including one previously-published general vulnerability, on eleven keyboard models ranging from 2001 to 2008, with PS/2, USB and laptop keyboards all falling to at least one of the four attacks. The attack works through walls, as far as 65 feet away, and analyzes a wide swath of electromagnetic spectrum to get its results. With wireless keyboards already feeling the sting of hackers, it's probably fair to say that no one is safe, and that cave bunkers far, far away from civilization are pretty much our only hope now. Videos of the attacks are after the break.


4. Microsoft Issues Out-Of-Band Security Patch
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=211600270
Technical Info: http://blog.threatexpert.com/2008/10/gimmiva-exploits-zero-day-vulnerability.html
Discussion thread started by Lash Man: https://www.donationcoder.com/forum/index.php?topic=15460
It's not often Microsoft choose to release a security patch outside of the regular monthly cycle, but this one's important. Bulletin MS08-067 describes a vulnerability in Windows' Server Service (can anyone say "redundancy"?) that if exploited will permit remote code execution on any version of Windows.

Microsoft has released an out-of-band security update to address a critical flaw that could allow a remote attacker to take over Windows computers without any user interaction.

"This security update resolves a vulnerability in the Server service that affects all currently supported versions of Windows," said Christopher Budd, a MSRC security program manager, in a blog post. "Windows XP and older versions are rated as 'Critical' while Windows Vista and newer versions are rated as 'Important.' Because the vulnerability is potentially wormable on those older versions of Windows, we're encouraging customers to test and deploy the update as soon as possible."


5. Microsoft MASSIVELY Improves JavaScript Performance in IE8
http://zephyrxero.blogspot.com/2008/10/current-browser-javascript-benchmarks.html
Discussion started by Lash Man: https://www.donationcoder.com/forum/index.php?topic=15461
I probably would have phrased it something more like "IE JavaScript still the worst performer among Firefox and Chrome.", or "New Firefox blows Chrome's JavaScript out of the water, which blows IE into outer space!"...but whatever.

I've seen lots of people recently saying that Firefox's TraceMonkey JavaScript engine blows Google's V8 out of the water...but was a little skeptical so I decided to do some benchmarks of my own. Now with any benchmark, everything here needs to be taken with a grain of salt as performance will certainly vary upon which sites you are viewing. For this test I have used WebKit's SunSpider. Also, since Chrome and Safari do not have native ports available on Linux right now, I had to do the test under Windows XP. The test machine is dual-core so multi-process/threaded apps should show a benefit, but I feel it's totally fair as single-core machines are quickly going the way of the dinosaur and do not accurately represent the future, which is what we're talking about here. Also as Chrome does not have a stable/final release yet, I've compared with many other browsers' development builds.


6. Silverlight 2 Released
http://www.cgisecurity.org/2008/10/silverlight-2-r.html
Apparently Microsoft isn't put off by the fact that they're the only ones using Silverlight, so they decided to release version 2...*cough*

Silverlight 2 is a cross-platform browser plugin that enables rich media experiences and .NET RIAs (Rich Internet Applications) within the browser.

Silverlight 2 is small in size (4.6MB) and takes only 4-10 seconds to install on a machine that doesn't already have it.  It does not require the .NET Framework to be installed on a computer to run - the Silverlight setup download includes everything necessary to play video or run applications.


7. Your Privacy is an Illusion: UK Attacks Civil Liberties
http://arstechnica.com/news.ars/post/20081020-your-privacy-is-an-illusion-uk-attacks-civil-liberties.html
It seems the right to silence no longer applies in the UK when the authorities want your encryption keys.

Last year one of the more troubling provisions of the UK's Regulation of Investigatory Powers Act (RIPA) finally came into effect. This piece of legislation made it a criminal offense to refuse to decrypt almost any encrypted data residing within the UK if demanded by authorities as part of a criminal investigation. The penalty for failure to decrypt is up to two years imprisonment for "normal" crime, and up to five years for "terrorism."

As two men accused of "terrorism" discovered last week, the long-standing right to silence does not trump the RIPA powers. The UK's Court of Appeal judged last week that the pair, named only as "S" and "A," could not depend on their right of silence to refuse to provide decryption keys. In the decision, the Court stated that although there was a right to not self-incriminate, this was not absolute, and that the "public interest" can supersede this right in some circumstances.


8. Aussie Govt: Don't Criticize Our (terrible) 'Net Filters
http://arstechnica.com/news.ars/post/20081024-aussie-govt-dont-criticize-our-terrible-net-filters.html
As a follow-up to this story from last week, here is some further info on the upcoming Australian internet filters.

Australia's plan to subject every Internet user in the country to mandatory content filtering just keeps getting stranger. Although the current government says it simply inherited the program from its predecessor and that the filtering will be voluntary, it seems intent on continuing the rollout plans even as it has become apparent that some level of filtering will be mandatory. Now, an Australian newspaper has uncovered documents showing that the government minister responsible for the program has ignored performance and accuracy problems with the filters, then tried to suppress criticism of the plan by private citizens.

The filtering plan as it now appears consists of two tiers. One would apply to all Australian Internet access and would block access to content deemed illegal (though how that term will be defined hasn't yet been disclosed). A second tier would be switched on by default, but users would be allowed to opt-out; this tier would target content inappropriate for children.


9. Google's Open-source Android Now Actually Open
http://news.cnet.com/8301-1001_3-10071093-92.html
Google has released the source of Android for all to see.

Less than a year after announcing Android, the open-source phone operating system intended to jump-start the mobile Internet, Google began sharing the project's underlying source code.

The Android Open Source Project site includes a project list, a feature description, guides to the roles people can have in the project and how to contribute, and of course the Android source code itself.


10. First Look: Firefox 3.1 Beta Offers Speed, Better Searching and More
http://www.webmonkey.com/blog/First_Look%3A_Firefox_3DOT1_Beta_Offers_Speed__Better_Searching_and_More
Monkey_Bites reviews the new Firefox 3.1 BETA, a little more comprehensively than I did :(

As we mentioned Tuesday, the first beta release of the new Firefox 3.1 browser has arrived. Firefox 3.1, which will land in final form near the beginning of 2009, promises speed improvements, a more refined search bar and support for new and emerging web standards. The browser will also contain a slew of small features that didn’t make the cut in Firefox 3.0.

While not all of the improvements are in beta 1, there’s enough to whet your appetite for the final release.


11. Channel 9 To Offer All PDC08 Sessions
http://windows7news.com/2008/10/20/channel-9-to-offer-all-pdc08-sessions/
Post/Discussion thread by 40hz: https://www.donationcoder.com/forum/index.php?topic=15107.msg135404#msg135404
Channel 9 will be offering videos of all the speeches from the Microsoft Professional Developer Conference on their website within 24 hours of the speech taking place.

The PDC08 (Professional Developer Conference) will start in six days from now and will be packed with Windows 7 related sessions that promise to provide news about the upcoming Microsoft operating system. Not anyone can attend the conference which is held in the Los Angeles Conference Center from October 26 kicking off with a pre-conference session on that day. The registration fee for the full event is $2395 USD which might be a bit much for someone who just wants to find out more about the upcoming Microsoft operating system.

Channel9 announced recently that they will post recordings of all PDC08 sessions on their website for everyone to view. Each session should not take more than 24 hours after taking place to find its way on the Channel 9 homepage which is an excellent opportunity for anyone not attending to view the sessions and discover all the exciting news about Windows 7. The PDC08 is not only about Windows 7 and there surely will be some other interesting sessions that might be interesting to users. This is also an excellent way of watching a session that you missed while attending another session at the PDC08 in case you are one of the attendees.

Ehtyar.

104
Find And Run Robot / FARR In APC
« on: October 24, 2008, 07:18 AM »
Hi all. Good news; APC (Australian Personal Computer), arguably Australia's most popular PC magazine (shutup Word Man, CISCO don't have a magazine OK? :P), made mention of FARR in their October issue. Take a look below. Unfortunately it's only a passing reference, though perhaps one day I'll be editor and we can be blazoned across the front page ;) Congratulations Mouse Man  :Thmbsup:

farr.png

Ehtyar.

105
Developer's Corner / C# as a Script
« on: October 20, 2008, 03:05 AM »
Hi all.
I'm posting this in relation to this thread. It's intended to be just a quick intro to using C# as a scripting language instead of a compiled language.
Due to the fact that CLR compiled applications must be accompanied by a compiler, .net languages provide a unique opportunity to compile code on-the-fly. In this case, we're using a compiled executable to call the compiler to compile code we provide at the moment we wish to execute it via Microsoft.CSharp.CSharpCodeProvider(), thus simulating the behavior of a scripting language. There are two engines I've found to accomplish this task:
  • C# Script for .NET 2.0 is the engine I eventually chose. It is extremely small and relatively simple, therefore is also a cinch to modify.
  • CS_Script is the bulkier yet more feature-full of the two; it provides for caching of the compiled script, and for embedding the "interpreter" itself into any .net application.
I chose the former both because it was far easier to modify, and because it runs happier on Mono than the alternative. Attached is a console and GUI build of my slightly modified version (scripts written for the console misbehave if run from the GUI interpreter). The changes include:
  • The System, System.IO, System.Text, System.Collections.Generic, and System.Windows.Forms namespaces are included by default, and the necessary assemblies are referenced.
  • The full path of the executing script will be provided as the first argument on the command line.
  • The code generated from the scripts will be optimized and will not contain any debug information.
  • The interpreter will compile code that does not contain a Main(). However, if you provide a Main(), you must also provide an enclosing class { } , and optionally, a namespace { }. This provides for multiple classes or namespaces in a single script.
I hope this info will be of use to somebody. As always, feedback is much appreciated

Ehtyar.
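A minimal script host along the lines the post describes, as an added example written for this page rather than Ehtyar's attached build or either engine's own code; the ScriptHost class, RunScript and the __Script wrapper name are assumed. It opens the post's default namespaces, references the matching assemblies, compiles with optimization and without debug information, wraps a script that has no Main() in a class, and passes the script's full path as the first argument.

```csharp
// Added example, not code from the C# Script or CS_Script projects.
// Compiles a .cs file on the fly with CSharpCodeProvider and runs its Main.
// Note that the script runs with the full trust of the host process, so the
// host should only be pointed at files you would run as a compiled program.
using System;
using System.CodeDom.Compiler;
using System.Collections.Generic;
using System.IO;
using System.Reflection;
using Microsoft.CSharp;

public static class ScriptHost
{
    // Namespaces opened for every script, matching the post's defaults.
    static readonly string[] DefaultUsings =
    {
        "System", "System.IO", "System.Text", "System.Collections.Generic", "System.Windows.Forms"
    };

    // Assemblies referenced for every script so the usings above resolve.
    static readonly string[] DefaultReferences = { "System.dll", "System.Windows.Forms.dll" };

    // Scripts without a Main() are wrapped in this class; their text becomes the body of Main.
    // {0} = using directives, {1} = script text.
    const string WrapperTemplate =
        "{0}\npublic static class __Script {{ public static void Main(string[] args) {{\n{1}\n}} }}";

    public static int RunScript(string scriptPath, string[] scriptArgs)
    {
        string source = File.ReadAllText(scriptPath);
        // Simple textual test; a "Main" mentioned only in a comment would also match.
        bool hasMain = source.Contains("static void Main") || source.Contains("static int Main");

        string usings = string.Join("\n", Array.ConvertAll(DefaultUsings, ns => "using " + ns + ";"));
        // A script that supplies its own Main must also supply the enclosing class (as in the post),
        // so in that case only the default usings are prepended.
        string unit = hasMain ? usings + "\n" + source : string.Format(WrapperTemplate, usings, source);

        var options = new Dictionary<string, string> { { "CompilerVersion", "v3.5" } };
        using (var provider = new CSharpCodeProvider(options))
        {
            var parameters = new CompilerParameters
            {
                GenerateInMemory = true,          // nothing written to disk
                GenerateExecutable = false,       // build a library; Main is located by reflection
                IncludeDebugInformation = false,  // no debug info, as in the post
                CompilerOptions = "/optimize+"    // optimized code, as in the post
            };
            foreach (string reference in DefaultReferences)
                parameters.ReferencedAssemblies.Add(reference);

            CompilerResults results = provider.CompileAssemblyFromSource(parameters, unit);
            if (results.Errors.HasErrors)
            {
                foreach (CompilerError error in results.Errors)
                    Console.Error.WriteLine("{0}({1}): {2} {3}",
                        scriptPath, error.Line, error.ErrorNumber, error.ErrorText);
                return 1;
            }

            MethodInfo entry = FindMain(results.CompiledAssembly);
            if (entry == null)
            {
                Console.Error.WriteLine("no static Main found in " + scriptPath);
                return 1;
            }

            // First argument is the script's own full path, followed by the user's arguments.
            var args = new List<string> { Path.GetFullPath(scriptPath) };
            args.AddRange(scriptArgs);
            object[] invokeArgs = entry.GetParameters().Length == 0
                ? new object[0]
                : new object[] { args.ToArray() };
            object result = entry.Invoke(null, invokeArgs);
            return result is int ? (int)result : 0;
        }
    }

    // Locate a static Main(string[]) or Main() in any type of the compiled assembly.
    static MethodInfo FindMain(Assembly assembly)
    {
        const BindingFlags flags = BindingFlags.Static | BindingFlags.Public | BindingFlags.NonPublic;
        foreach (Type type in assembly.GetTypes())
        {
            MethodInfo main = type.GetMethod("Main", flags, null, new[] { typeof(string[]) }, null)
                           ?? type.GetMethod("Main", flags, null, Type.EmptyTypes, null);
            if (main != null) return main;
        }
        return null;
    }

    public static int Main(string[] args)
    {
        if (args.Length == 0)
        {
            Console.Error.WriteLine("usage: ScriptHost script.cs [args...]");
            return 2;
        }
        string[] rest = new string[args.Length - 1];
        Array.Copy(args, 1, rest, 0, rest.Length);
        return RunScript(args[0], rest);
    }
}
```

A script consisting only of `Console.WriteLine(args[0]);` therefore prints its own full path, while a script that declares its own class and Main is compiled as written.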


106
General Software Discussion / Firefox 3.5 [FINAL]
« on: October 18, 2008, 05:42 PM »
Now don't get your knickers all bunched up just yet folks, this post is about BETA 1 only. I thought it best to consolidate all 3.1-related posts in one thread, save filling the forum with it. As anyone who reads the Tech News Weekly (and I imagine many who don't) will know, Firefox BETA 1 was released this week. As it hasn't been done already, I thought I might take the opportunity to plug my favorite browser a little. Firefox 3.1 includes many new features that should excite almost every user group, though the most excitement will be felt by developers, particularly those keeping abreast with HTML 5 developments.
As yet there doesn't seem to be a consolidated list for features, but I'll link to more detailed information where I can. OK, here are the new features in the most awesome browser ever....bias? what? who? *cough*:

For Everyone
tab-switch.png
  • Filter results in the Smart Location Bar (Awesome Bar) with keywords.
  • The long-overdue ability to drag tabs from one window to another.
  • The too-little-too-late new tab button. Really, if we wanted to go all the way to the right hand corner to open a new tab we'd just double click that micro-thin layer of blank tab bar above all our open tabs. All hail Tab Mix Plus.
new-tab.png

For Web Developers

For Extension Developers
  • A search attribute for the XUL textbox, which fires the command function on content modification, much like the Firefox inbuilt find does.
  • A level attribute for the XUL panel, used to determine which panel should be atop another.
  • Support for cross-site XMLHttpRequests.
  • Support for progress events in XMLHttpRequest.
  • Support for removing <keyset>s.
  • Native JSON support.
  • Various theme changes

Well I hope that sums it up well. Please let me know if I missed anything. I'd like to put together a demo HTML 5 page so people can try out the new HTML 5 elements if they'd like, so keep an eye out :).
For those of you who'd like to run the BETA alongside their existing installation, download Portable Firefox here. Once installed, copy the FirefoxPortable.ini from Other\Source into the root directory, and change 'AllowMultipleInstances' to 'true'.

Ehtyar.

[edit]
Here's the demo peoples, be sure to read the warnings before clicking the links. Enjoy :)
[/edit]

107
Living Room / Tech News Weekly: Edition 42
« on: October 17, 2008, 06:34 PM »
The Weekly Tech News
Hi all.
Not much to say this week. I still haven't worked out how I will do a table of contents. If anyone would like to recommend some regex, it will need to match every instance of [anchor=*] it finds in the given string.
Also, there are three articles this week that have been discussed elsewhere, please be sure to contribute to the original threads if you have any thoughts on the topic.
As usual, you may find last week's news here.


1. DHS to Fund Open Source Next Generation IDS/IPS
http://taosecurity.blogspot.com/2008/10/dhs-to-fund-open-source-next-generation.html
The US Department of Homeland Security will be bankrolling the next open source Intrusion Detection/Prevention System.

The Open Information Security Foundation (OISF, www.openinfosecfoundation.org) is proud to announce its formation, made possible by a grant from the U.S. Department of Homeland Security (DHS). The OISF has been chartered and funded by DHS to build a next-generation intrusion detection and prevention engine. This project will consider every new and existing technology, concept and idea to build a completely open source licensed engine. Development will be funded by DHS, and the end product will be made available to any user or organization.


2. Intellectual Property Bill Becomes Law: Critics Say It Goes Too Far
http://www.darkreading.com/document.asp?doc_id=165924&f_src=darkreading_section_296
Another Link: http://www.reuters.com/article/technologyNews/idUSTRE49C7EI20081013
Discussion started by Deozaan: PRO-IP Act signed into Law
US President George Bush has signed a bill which dramatically increases penalties for copyright infringement.

President Bush yesterday signed a bill that toughens current laws on the theft of intellectual property and establishes a new White House cabinet position to oversee the IP infringement effort.

The Prioritizing Resources and Organization for Intellectual Property Act (Pro-IP), which was passed by the House and Senate earlier this month, establishes the position of intellectual property enforcement coordinator ("IP czar"). It also steepens penalties for IP infringement and increases resources for the Department of Justice to coordinate for federal and state efforts against counterfeiting and piracy.


3. Russian Researchers Achieve 100-fold Increase in WPA2 Cracking Speed
http://securityandthe.net/2008/10/12/russian-researchers-achieve-100-fold-increase-in-wpa2-cracking-speed/
Another link: http://www.theregister.co.uk/2008/10/10/graphics_card_wireless_hacking/
Discussion started by f0dder: 100-fold WPA/WPA2 bruteforce speed increase
Researchers have used off-the-shelf GPUs to increase the speed of bruteforce attacks against wireless access points.

Russian security company Elcomsoft just posted a press release (original PDF) detailing a new method to crack WPA and WPA2 keys:

    With the latest version of Elcomsoft Distributed Password Recovery, it is now possible to crack WPA and WPA2 protection on Wi-Fi networks up to 100 times quicker with the use of massively parallel computational power of the newest NVIDIA chips. Elcomsoft Distributed Password Recovery only needs a few packets intercepted in order to perform the attack.


4. Apple Patents OS X Dock
http://www.theregister.co.uk/2008/10/08/apple_patents_osx_dock/
Discussion started by VideoInPicture: Apple Patents the OS X Dock!!!
Apple has patented their OS X Dock. Makers of imitation products could be caught up in lawsuits should Apple choose to enforce the patent.

Apple has patented the OS X Dock, nearly a decade after the operating system made its public debut with a new slant on the taskbar.

The late arrival isn't due to a lack of initiative, however. Apple applied for the patent December 20, 1999, and it was approved by the US Patent Office only yesterday.

Apple summarizes the Dock as a "user interface for providing consolidation and access." The patent (available here) puts a particular focus on the Dock's ability to magnify icons to a predetermined size when the cursor is near, the user's ability to rearrange icons, and the way it overlaps the desktop and active windows. Other touches such as indicating which applications are running, label tiles appearing on mouse-over, and the ability to drag and drop files into applications on the Dock are also described.


5. World Bank Denies Key Systems Hacked
http://www.theregister.co.uk/2008/10/13/world_bank_hack_attack/
Another link: http://www.darkreading.com/document.asp?doc_id=165712
The World Bank denies that its servers have repeatedly been compromised in recent times.

The World Bank has denied reports that hackers penetrated its network on multiple occasions over the last year.

Fox News reports the financial institution has suffered at least six attacks since the middle of 2007. The assault emerged in the course of a separate FBI investigation, prompting the bank to issue a memo (pdf) to warn workers.


6. CastleCops Nemesis Gets Two Year Sentence
http://www.theregister.co.uk/2008/10/13/castlecops_attacker_sentenced/
A man has been convicted and sentenced to two years federal prison time for using botnets to launch Distributed Denial of Service Attacks against the volunteer CastleCops forum.

An American hacker has been sentenced to two years in federal prison for waging potent attacks that took down two volunteer websites for days at a time.

Gregory C. King of Fairfield, California, was also ordered to pay more than $69,000 in restitution for distributed denial of service (DDoS) attacks on CastleCops and KillaNet Technologies. In June, King admitted he used a bot army to wage a relentless campaign of destruction on the sites in a scheme to punish the operators for behavior he thought was unfair. The attacks were so fierce that his victims sustained as much as $70,000 in damage, according to court documents.


7. DarkMarket Carder Forum Revealed As FBI Sting
http://www.theregister.co.uk/2008/10/14/darkmarket_sting/
Followup: Arrests made and here.
It has been revealed that a well known forum for credit card thieves was actually an FBI sting.

Leaked documents have confirmed that carder forum DarkMarket was actually an FBI sting operation.

For the last two years until its shutdown earlier this month DarkMarket.ws posed as a forum where identity thieves, credit card fraudsters, crackers and other ne'er do wells could hang out and exchange tips as well as trading hacker tools and stolen data. In reality, the site was run by Federal agents based in Pittsburgh.


8. Storm Botnet Blows Itself Out
http://www.theregister.co.uk/2008/10/14/storm_worm_botnet_rip/
It would appear that the infamous Storm botnet has finally ceased to exist, for now.

Security watchers Marshal claim the infamous Storm botnet is no more, after waning spam emails finally dried up altogether last month.

Other security researchers have noted a similar decline, but warn that while the botnet is currently inactive it may yet return, possibly in a more potent form.


9. Warezov Botnet Rises from the Grave
http://www.theregister.co.uk/2008/10/16/warezovs_second_coming/
As the perfect companion story to Storm Botnet Blows Itself Out, the long-since-forgotten Warezov botnet appears to be up and running again.

After laying low for the better part of a year, the Warezov botnet is back - with some new tricks up its sleeve.

In the past week, trojan horse programs that install the Warezov bot have been spotted on websites offering free MP3 downloads, according to Joe Stewart, director of malware research at security provider SecureWorks. The attacks are a big change for Warezov, which burst on the scene in 2006 with malware attacks spread in email attachments. The new methodology is an acknowledgment of the futility of email attacks given the difficulty of sneaking malicious payloads past today's email filters.


10. Adobe Patch Thwarts Clickjacking Attack
http://www.theregister.co.uk/2008/10/16/adobe_update_thwarts_clickjacking/
Another link: http://news.cnet.com/8301-1009_3-10067544-83.html
Original stories here and here.
Adobe has finally patched the infamous clickjacking flaw in Adobe Flash Player.

Adobe has published an update to its popular Flash Player software, addressing a much-publicised clickjacking flaw.

Clickjacking affects multiple applications (including browsers and media players) and creates a means for hackers to trick prospective marks into unknowingly clicking on a link or dialogue. Adobe Flash Player - specifically the microphone and camera access dialogue - was among the products affected.


11. Net Filters "Required" for All Australians, No Opt-out
http://arstechnica.com/news.ars/post/20081016-net-filters-required-for-all-australians-no-opt-out.html
The internet filtering currently being tested in Tasmania may soon be mandatory for the entire country, with no complete opt-out option as promised.

Australians may not be able to opt out of the government's Internet filtering initiative like they were originally led to believe. Details have begun to come out about Australia's Cyber-Safety Plan, which aims to block "illegal" content from being accessed within the country, as well as pornographic material inappropriate for children. Right now, the system is in the testing stages, but network engineers are now saying that there's no way to opt out entirely from content filtering.


12. City-owned Fiber Network a Go As Judge Tosses Telco Lawsuit
http://arstechnica.com/news.ars/post/20081009-city-owned-fiber-network-a-go-as-judge-tosses-telco-lawsuit.html
A small US city has resolved to build their own fiber-to-the-home network when the local ISP failed to listen to their requests.

When the 12,000 person city of Monticello, Minnesota voted overwhelmingly to put in a city-owned and -operated fiber-optic network that would link up all homes and business to a fast Internet pipe, the local telco sued to stop them. Wednesday, District Court Judge Jonathan Jasper dismissed the suit with prejudice after finding that the city was well within its rights to build the network by issuing municipal bonds. In this case, however, a total loss for the telco might actually turn out to be a perverse sort of victory.


13. The Android Fine Print: Kill Switch and Other Tidbits
http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117279
Google's Android mobile OS contains a kill-switch, much like that found in Apple's iPhone in August.

An uproar erupted when iPhone users discovered a so-called remote kill switch on their phones -- will it spur the same reaction in users of the G1, the first Android phone?

In the Android Market terms of service, Google expressly says that it might remotely remove an application from a user's phone. "Google may discover a product that violates the developer distribution agreement ... in such an instance, Google retains the right to remotely remove those applications from your device at its sole discretion," the terms, linked to from the phone, read.


14. Firefox 3.1 Beta Available For Download
http://blogs.pcmag.com/securitywatch/2008/10/firefox_31_beta_available_for.php
Firefox 3.1 BETA 1 is now available for developers and web designers to test. It includes improved CSS 3 and HTML 5 support, and faster rendering speeds in addition to various minor improvements.

Version 3.1 doesn't seem to have any major improvements, but a large number of potentially noteworthy ones. There is a new version of the Gecko rendering engine that claims improvements in web compatibility, standards compliance, ease of use and performance. There is more support for CSS 2.1 and 3.0 properties.

The Smart Location Bar has support for new characters to restrict searches.

Developers get a lot of new features to use: There are new video and audio elements from HTML 5. There are many additions to the DOM and Canvas and SVG (Scalable Vector Graphics) support.


15. OpenOffice 3: Why Buy Microsoft Office?
http://blogs.computerworld.com/review_of_final_openoffice_3_why_buy_microsoft_office
Open Office 3.0 has been released, then officially announced to server-crippling demand. This article is a review of the new features available because I thought that would be more useful.

The final version of OpenOffice 3 is out today, and if you're looking to save yourself plenty of money, download it instead of buying Microsoft Office --- you could save yourself hundreds of dollars, and not lose out on many features.

I put the Windows version through its paces, and am about to download the Linux version as well. The suite has six full-blown applications: the Writer word processor, Calc spreadsheet, Impress presentations program, Base database program, Math equation editor, and Draw graphics program.


16. Mobile Firefox Reaches ALPHA 1
http://www.webmonkey.com/blog/Mobile_Firefox_Reaches_Alpha_1__Offers_Desktop_Version_for_Testing
Mozilla's mobile Firefox has reached the ALPHA 1 testing phase.

Mozilla’s mobile version of Firefox, code-named Fennec, has reached the alpha 1 milestone. As with the previous, pre-alpha releases, Fennec alpha 1 will only work with the Nokia N800/N810 internet tablet. While Mozilla says that it has made great progress on the Windows Mobile version, there’s still no release available. There also won’t be an iPhone version anytime soon; as Mozilla execs have previously stated, Apple’s software requirements for the device are too restrictive.

Ehtyar.

108
Living Room / Tech News Weekly: Edition 41 [NEW]
« on: October 10, 2008, 06:18 PM »
The Weekly Tech News
Hi all.
I apologize for the name of this post, but no this is not a repeat of last week's news. It seems the script I use to create the post templates (or as Mouse Man refers to it, the "time space continuum template") had me predicting the news for the coming week as opposed to reporting it for the week past. From now on this will be fixed. See last week's news here.
Next, I'd like to thank 40hz for his excellent banner, which I will be using from now on.  :Thmbsup: :Thmbsup:
Finally, it has been apparent that not being able to link to a specific article makes referencing and replying to the weekly news rather difficult, so I've taken the liberty of adding anchors to the title of each article. From now on, the title of each article will be a hyperlink to that specific article. Try it out by clicking here.
Well that's about it, hope you like this week's news :)


1. Clickjacking FAQ
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115818&source=NLT_SEC&nlid=38
Another link: http://ha.ckers.org/blog/20081007/clickjacking-details/
And another: http://www.darkreading.com/document.asp?doc_id=165073
Aaand again: http://www.darkreading.com/document.asp?doc_id=165431
Index finger getting tired yet? http://www.webmonkey.com/blog/Hackers_are_Watching_You%3A_Flash_Clickjacking_Vulnerability_Exposes_Webcams_and_Mics
A very educational FAQ from ComputerWorld regarding the increasingly common "clickjacking" attack vector. Like we needed another reason to disable flash.

Last week, a pair of security researchers spread the news that a new class of vulnerabilities, called "clickjacking," puts users of every major browser at risk from possible attack.

Robert Hansen, founder and chief executive of SecTheory LLC, and Jeremiah Grossman, chief technology officer at WhiteHat Security Inc., spilled some beans last week after they gave a semi-closed presentation at OWASP AppSec 2008 in New York.


2. New Hack Trashes London's Oyster Card
http://www.techworld.com/security/news/index.cfm?newsID=105337&pagtype=all
Another link: http://arstechnica.com/news.ars/post/20081008-charlie-and-the-broken-rfid-mass-transit-authentication-system.html
Researchers have published source code that will allow tech-savvy people to duplicate smart cards used by Boston's rail network and the London Oyster, among others.

Researchers have published a cryptographic algorithm and source code that could be used to duplicate smart cards used by several major transit systems, including Boston's Charlie Card and the London Oyster card.

Scientists from the Dutch Radboud University Nijmegen presented their findings during the Esorics security conference on Monday in Malaga, Spain. They also published an article with cryptographic details.


3. Symantec Buys Message Labs
http://www.securitypronews.com/insiderreports/insider/spn-49-20081008SymantecBuysMessageLabs.html
Security firm Symantec has agreed to buy online messaging security firm MessageLabs for $US695 million, thereby securing its position in the Software-as-a-Service market.

Symantec, the largest maker of computer security and data backup software, said it will pay 310 million pounds sterling and $154 million in US dollars.

The company says its purchase of MessageLabs will give it a stronger position in the rapidly growing Software-as-a-Service (SaaS) market and strengthen its lead in the messaging security industry.

MessageLabs is the top provider of online messaging security globally with more than eight million end users at more than 19,000 clients ranging from small business to Fortune 500.


4. Cyberscammers Taking Advantage Of Poor Economy
http://www.wubbfm.com/cc-common/news/sections/lifestylearticle.html?article=4379223
Another link: http://www.darkreading.com/document.asp?doc_id=165537
As one might expect, it appears the online nasties are already using people suffering from the economic downturn to benefit themselves. The attacks appear to be focusing on SPAM and phishing tactics.

Fear surrounding the growing economic calamity is feeding online criminals' efforts to steal consumers' personal information, computer-security experts say.

The number of fake Web sites, spam e-mail and phishing attacks has mushroomed as cybercrooks seek to take advantage of the sudden widespread alarm, the experts say.

Most scams center on spam and phishing against the backdrop of bank failures, mergers and takeovers, the experts tell USA Today.


5. U.S. Gov't Proposes Digital Signing of DNS Root Zone File
http://www.itworld.com/networking/55952/us-govt-proposes-digital-signing-dns-root-zone-file
The United States is finally accepting advice on how to protect the DNS root zone file from attacks. Naturally VeriSign is playing a mine-is-bigger-than-yours game with ICANN over who should hold the keys.

The U.S. government is soliciting input on a way to make the Internet's addressing system less susceptible to tampering by hackers.

Under the idea, records in the DNS (Domain Name System) root zone would be cryptographically signed using DNSSEC (Domain Name and Addressing System Security Extensions), a set of protocols that allows DNS records to carry a digital signature.


6. UCSniff - VoIP Eavesdropping Made Easy
http://www.theregister.co.uk/2008/09/30/voip_eavesdropping_tool/
A new tool has been released to demonstrate just how easy it is to eavesdrop on VoIP conversations.

A security consultant with expertise in protecting phone conversations as they travel over the internet has unveiled a new tool that demonstrates just how vulnerable voice over internet protocol, or VoIP, calls are to interception.

UCSniff bundles a hodgepodge of previously available open-source applications into a single software package that helps penetration testers assess the security of VoIP calls carried over a client's network. It also introduces several new features that make eavesdropping on specific targets a point-and-click undertaking.

UCSniff runs on a laptop that can be plugged in to the ethernet port of the organization being probed. From there, a VLAN hopper automatically traverses the virtual local area network until it accesses the part that carries VoIP calls. Once the tool has gained unauthorized access, UCSniff automatically injects spoofed ARP, or address resolution protocol, packets into the network, allowing all voice traffic to be routed to the laptop.


7. Elvis Has Left the Country
http://freeworld.thc.org/thc-epassport/
As a followup to story number 2 in last week's news, Hacker's Choice have released a video of an e-Passport self-scanner at Amsterdam airport accepting a modified passport purporting to belong to Elvis Presley.

The government plans to use ePassports at Immigration and Border Control. The information is electronically read from the Passport and displayed to a Border Control Officer or used by an automated setup. THC has discovered weaknesses in the system to (by)pass the security checks. The detection of fake passport chips does not work. Test setups do not raise alerts when a modified chip is used. This enables an attacker to create a Passport with an altered Picture, Name, DoB, Nationality and other credentials.


8. Ransomware Author Tracked Down, But Not Nicked
http://www.theregister.co.uk/2008/10/01/gpcode_author_hunt/
A Russian national, allegedly the creator of the infamous Gpcode Trojan, has been identified, but is unlikely to be charged due to Russia's lack of action against cybercrime.

The Russian VXer who created the infamous Gpcode ransomware Trojan has been identified - but an early arrest isn't likely.

With cybercrime way down the priority list in Russia, the malware author - known to the police after security firm Kaspersky Labs winkled out a likely IP number for him - is liable to remain at large for some time.


9. Hackers Penetrate South Korean Missile Manufacturer
http://www.theregister.co.uk/2008/10/01/missile_manufacturer_hacked/
Hackers have broken into a South Korean arms manufacturer's computer system, and may have stolen blueprints.

Black hat hackers were able to steal information from a South Korean missile manufacturer after planting malicious code on the company's computer system, according to news reports.

According to the country's National Security Research Institute, the code was installed on the computer network of LIGNex1 Hyundai Heavy Industries, a manufacturer of guided missiles, ground-to-air weapons, war ships, and submarines.


10. Ecommerce Standard Tightens Up Wireless Security
http://www.theregister.co.uk/2008/10/02/pci_dss_update/
In this latest revision, the Payment Card Industry Data Security Standard will disallow use of WEP from mid-2010 and will ban it in new establishments from April 2009. What a joke.

A revised version of an important security standard for ecommerce merchants was published on Wednesday.

Version 1.2 of the Payment Card Industry Data Security Standard (PCI DSS) mostly tweaks and clarifies the existing framework for the secure processing of credit card data. The 12 existing requirements - covering areas such as the need to use a firewall, store cardholder data securely and encrypt transmission of cardholder data - remain unchanged.


11. RealNetworks Sued Over DVD Copying Software
http://seattletimes.nwsource.com/html/businesstechnology/2008217705_realnetworks010.html
Another link: http://arstechnica.com/news.ars/post/20081005-judge-temporarily-halts-sale-of-realdvd-in-wake-of-lawsuit.html
Half of corporate Hollywood is suing RealNetworks to prevent them from selling their RealDVD DVD copying software.

Hollywood's six major movie studios Tuesday sued Seattle-based RealNetworks to prevent it from distributing DVD-copying software they said would allow consumers to "rent, rip and return" movies or even copy friends' DVD collections outright.

The studios stand to lose key revenue from DVD sales, estimated by Adams Media Research at $14 billion this year, if consumers stop buying DVDs and copy rental discs from outlets like Netflix and Blockbuster instead.


12. T-Mobile Confirm Theft of Personal Data On 17M Customers
http://www.darkreading.com/document.asp?doc_id=165280
T-Mobile and its parent company Deutsche Telekom have admitted that a USB storage device was misplaced in 2006, and the incident not revealed to customers. Reports indicate the data may be in use by cyber-criminals.

Deutsche Telekom, owner of the T-Mobile wireless network, admitted this weekend that the mobile service suffered a data theft in 2006 that may have exposed the personal information of some 17 million customers.

Deutsche Telekom made a statement about the T-Mobile data theft on Saturday, anticipating the release of a story about the breach by the German magazine Der Spiegel on Sunday.


13. Free Tool Hacks Banking, Webmail, and Social Networking Sessions
http://www.darkreading.com/document.asp?doc_id=165303
A new tool will allow an attacker to hijack online sessions that use secure login.

A researcher will demonstrate a free, plug-and-play hacking tool this week that automatically generates man-in-the-middle attacks on online banking, Gmail, Facebook, LiveJournal, and LinkedIn sessions -- even though they secure the login process.

Jay Beale, who recently released the so-called “Middler” open-source tool, will show it off at the SecTor conference in Toronto. Aside from the unnerving capability of hacking into sites that perform secure logins and then use clear-text HTTP, Middler is also designed for use by an attacker with no Web-hacking skills or experience. “The Middler allows an attacker with no Web application-hacking experience to launch attacks that previously required substantial time and skill,” according to Beale.


14. Metasploit Hacking Tool Now Open for Licensing
http://www.darkreading.com/document.asp?doc_id=165636
Metasploit is now completely open source and openly licensed.

The wildly popular Metasploit hacking tool for the first time is now officially open source, open-license technology that can be incorporated into commercial tools.

The free research and penetration testing tool historically has had restricted, non-commercial licensing so that it could only be used by researchers or in-house penetration testers -- not repackaged, redistributed, or sold. But in the new version 3.2 -- due later this month in its final version -- Metasploit project lead HD Moore and his team have transformed Metasploit into an official open source project, complete with a BSD 3-Clause license arrangement that allows others to sell, rename, or “fork” the code in another direction.


15. Asus Install DVD Woes Continue With Worm On Eee Box
http://arstechnica.com/journals/hardware.ars/2008/10/09/asus-install-dvd-woes-continue-with-worm-on-eee-box
Discussion by Carol Haynes here: https://www.donationcoder.com/forum/index.php?topic=15272.0

This post should probably be cross-posted over at jobs.ars, because Asus may soon be looking for a new preloaded software department. For a second time this year, preloaded software on Asus's popular Eee line of PCs has shown itself to have some unintended content. This time, the Windows versions of Asus' Eee box nettop have been loaded with an infectious computer worm.

Last month, recovery DVDs shipped with Eee netbooks were found to contain a software crack for WinRAR, along with secret Microsoft documents meant to be read only by PC OEMs. The DVD also contained MS software with application keys, and source code for a number of Asus applications. The scandal spread, with users finding the same files on recovery DVDs of other Asus computers, and even more bizarre files, including resumes and personal files of Asus employees. At the time, Asus told PCPro "We will be investigating this at quite a high level. Once the investigation is complete, we will ensure it doesn't happen again."


16. Antitrust Suit Against Apple and AT&T Will Proceed
http://arstechnica.com/journals/apple.ars/2008/10/07/judge-antitrust-suit-against-apple-and-att-can-proceed
A class action lawsuit against Apple and AT&T for bricking unlocked iPhones has been allowed to continue.

A federal judge has denied Apple's and AT&T's motions to dismiss a class-action lawsuit filed last year alleging various violations of antitrust and consumer protections laws. The judge agreed to Apple's motion, however, to limit the claims to laws of New York, California, and Washington, where the plaintiffs in the case reside.

The original lawsuit was filed last year after Apple released a contentious 1.1.1 update to iPhone's OS, which "bricked," or rendered inoperable, iPhones that had been modified to work on other carriers and/or run third-party software. When the phones became inoperable, Apple refused to honor the warranty on the grounds that the phones had unauthorized modifications.


17. Mono 2.0 Spreads .Net to Linux and Mac
http://www.linuxinsider.com/story/64746.html
Mono 2.0 is released. Not sure if .NET on Linux and Mac is a good thing or a bad thing myself :S

For developers who have fallen in love with .Net/C#, but aren't married to running their applications on Windows, the Mono Project aims to let Microsoft .Net-based apps run on Linux and Mac OS X, among several other platforms. Sponsored by Novell, the Mono Project has released Mono 2.0 of its cross-platform, open source .Net development framework.

Basically, Mono 2.0 lets users run both client and server applications on Linux, and helps developers figure out which changes they may need to make to their applications for .Net-to-Linux migrations.


18. Sony, Microsoft Virtual Communities to Start
http://news.wired.com/dynamic/stories/A/AS_TEC_JAPAN_SONY_MICROSOFT?SITE=WIRE&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2008-10-09-08-34-28
Just to tick off the Playstation/X-Box zealots, I thought I better post this article about the two companies blatantly ripping off Nintendo's Mii ;)

Video game rivals Sony and Microsoft are going head-to-head in virtual worlds for their home consoles later this year.

Both companies announced their services, which use graphic images that represent players called "avatars," Thursday at the Tokyo Game Show.

Sony Corp.'s twice delayed online "Home" virtual world for the PlayStation 3 console will be available sometime later this year, while U.S. software maker Microsoft Corp., which competes with its Xbox 360, is starting "New Xbox Experience" worldwide Nov. 19.


19. Apple Hears Developers, Nixes IPhone NDA
http://www.webmonkey.com/blog/Apple_Hears_Developers__Nixes_iPhone_NDA
Apple has removed the non-disclosure agreement associated with the iPhone's Software Development Kit.

iPhone developers are free at last to talk about their applications. Apple has officially dropped the nondisclosure agreement that prohibited developers from discussing the iPhone’s operating system, application code and development kit, according to an announcement made on Apple’s website Wednesday morning.

Meanwhile, across the internet, Ewoks pound drums and sing songs. Or, rather, developers are finally venting their frustration and enjoying the freedom to talk about all their hard work over the last few months without fear of Apple’s retribution.


20. Gmail Helps Stop Your Drunken E-mail Rants
http://www.webmonkey.com/blog/Gmail_Helps_Stop_Your_Drunken_E-mail_Rants
*cough*

Is your Saturday morning inbox filled with regret and self-loathing for the drunken e-mails you fired off the night before? If so, Gmail might have a solution for you. Google’s Gmail Labs has a new experimental featured dubbed “Mail Goggles” which will attempt to prevent you from sending out those ill-advised late night e-mails.

Gmail developer Jon Perlow created Mail Goggles as a kind of e-mail sobriety test. It works by stopping your message when you hit send and then presents a series of simple math problems you need to solve before you really send the e-mail.

Ehtyar.

109
Site/Forum Features / Using Anchors Within Posts
« on: October 08, 2008, 06:43 AM »
This may end up making me look like a complete dumba$$, but Mouse Man asked me to post this here. So anyway, for those who want to be able to link to a specific section of their post (I will be using this from now on in the Weekly Tech News), you can use the [anchor] and [iurl][/iurl] bbc tags which I've only recently discovered, hence this post.
To add an anchor to your post you place the [anchor] tag somewhere in your document with a unique name e.g.
[anchor=my_unique_name]
Then, when you wish to link to this anchor, you use the [iurl][/iurl] (internal URL) tags to link to the anchor like so:
[iurl=#my_unique_name]go to my anchor[/iurl]
You can try this out by clicking here.

Ehtyar.













This has been a test of the emergency broadcast..er..anchor system.

110
Living Room / Tech News Weekly: 40
« on: October 03, 2008, 07:37 PM »
The Weekly Tech News
Hi all. Just a few quick messages:
First, this is the new layout in response to feedback from last week's news. As always, any constructive feedback is appreciated.
Second, two of the articles in this week's news were submitted by forum members. If anyone would like to contribute a story that I may have missed in a previous week, or simply would like to ensure that I do include a story for a following week, please leave me a PM on the forum or on irc.
Thanks, Ehtyar.

1. TCP Flaws Put Websites At Risk
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1332898,00.html
http://news.cnet.com/8301-1009_3-10056759-83.html
Researchers have found several fundamental flaws in TCP that, if exploited, may be capable of bringing down internet heavyweights like Google or Microsoft.

A pair of security experts are now discussing several fundamental issues with the TCP protocol that can be exploited to cause denials of service and resource consumption on virtually any remote machine that has a TCP service listening for remote connections.

The problems, which were identified as far back as 2005, are not simply vulnerabilities in products from one or two vendors, but are issues with the ways in which routers, PCs and other machines handle TCP connection requests from unknown, remote machines. The attacks can be carried out with very little bandwidth, such as that available on a cable modem, and there don't appear to be any workarounds or fixes for the problems at this point.


2. How To Clone and Modify E-Passports
http://www.schneier.com/blog/archives/2008/09/how_to_clone_an.html
A group of hackers have released a tool allowing people to clone and modify electronic passports by exploiting a weakness that is apparently the result of using self-signed certificates...but who do you make the CA of the entire globe's passports?

So what's the solution? We know that humans are good at Border Control. In the end they protected us well for the last 120 years. We also know that humans are good at pattern matching and image recognition. Humans also do an excellent job 'assessing' the person and not just the passport. Take the human part away and passport security falls apart.


3. Top Secret MI6 Camera Sold On e-Bay
http://www.techcrunch.com/2008/09/30/top-secret-mi6-camera-sold-to-the-highest-bidder-on-ebay/
A camera containing top secret information, including credentials for logging into their network, was sold by an MI6 agent on e-Bay.

A 28-year-old delivery man from the UK who bought a Nikon Coolpix camera for about $31 on eBay got more than he bargained for when the camera arrived with top secret information from the UK’s MI6 organization.

Allegedly sold by one of the clandestine organization’s agents, the camera contained named al-Qaeda cells, names, images of suspected terrorists and weapons, fingerprint information, and log-in details for the Secret Service’s computer network, containing a “Top Secret” marking.


4. Microsoft, Washington State Sue Scareware Purveyors
http://voices.washingtonpost.com/securityfix/2008/09/microsoft_washington_state_tar.html
Microsoft and the state of Washington have stepped up to take on groups that use false and/or misleading security alerts to trick concerned customers into purchasing software.

Microsoft Corp. and the state of Washington this week filed lawsuits against a slew of "scareware" purveyors, scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software.

The case filed by the Washington attorney general's office names Texas-based Branch Software and its owner James Reed McCreary IV, alleging that McCreary's company caused targeted PCs to pop up misleading security alerts about security threats on the victims' computers. The alerts warned users that their systems were "damaged and corrupted" and instructed them to visit a Web site to purchase a copy of Registry Cleaner XP for $39.95.


5. Nasty web bug descends on world's most popular sites
http://www.theregister.co.uk/2008/09/30/web_bug_bites_sites/
http://news.cnet.com/8301-1009_3-10056854-83.html

Princeton University researchers have uncovered a series of cross-site request forgeries in some of the world's most popular websites, one of which would have permitted fund transferal from a victim's bank account. Internet Explorer and Firefox users are known to have been vulnerable.

Underscoring the severity of an exotic form of website bug, security researchers from Princeton University have cataloged four cross-site request forgeries in some of the world's most popular sites.

The most serious vulnerability by far was in the website of global financial services company ING Direct. The flaw could have allowed an attacker to transfer funds out of a user's account, or to create additional accounts on behalf of a victim, according to this post from Freedom to Tinker blogger Bill Zeller.


6. Cybersecurity holes exposed in Los Alamos nuke lab
http://www.theregister.co.uk/2008/09/29/los_alamos_cyber_insecurity/
The Los Alamos National Laboratory has been found to be severely under-secured by a US Government Accountability Office audit.

The Los Alamos National Laboratory - easily the world's most sensitive and sophisticated research institution - is marred by cybersecurity weaknesses that compromise the way information on its unclassified network is protected.

According to an audit by the US Government Accountability Office (GAO), the New Mexico-based LANL recently began implementing measures to shore up information security. But vulnerabilities remain on its unclassified network, which contains sensitive information involving controlled nukes, export control, and personal details of lab employees. Physical security was also found to be lacking at the facility, one of only three US National Nuclear Security Administration (NNSA) labs.


7. Time To Look For A Skype Alternative (Thanks 40hz)
http://www.ghacks.net/2008/10/02/time-to-look-for-a-skype-alternative/
http://news.cnet.com/8301-1009_3-10056127-83.html
http://news.cnet.com/8301-1009_3-10057580-83.html


The voice over IP client Skype never got off the radar of privacy activists. There were always rumors about backdoors in the voice communication software and that several organizations were able to record calls made by Skype users although Skype claimed otherwise.

Skype messages were in the focus of privacy groups since first news about text filtering messages in China became known to the public. Back then Skype released an official statement that the text filter applied by the Chinese Skype partner Tom Online would not affect security and encryption mechanisms of Skype, that people’s privacy would not be compromised and calls, chats and other forms of communication on Skype would continue to be encrypted and secure.

Researchers and privacy activists of the University of Toronto discovered files on unprotected Chinese computers that contained filtered Skype messages that were recorded in China.


8. Adware supplies one third of all malware
http://news.cnet.com/8301-1009_3-10056912-83.html
A report released by Panda Security has alleged that one third of all new malware is generated by adware, particularly fake antivirus products.

On Thursday, Panda Security released its report for the third quarter stating that adware is responsible for one third of all new malicious software. In particular, the security company cited increased use of fake antivirus scanners.

The fake scanners typically report a computer infection and suggest downloading an application to remove the malware. Once downloaded, the scanners then ask computer users to purchase the application before it can remove an infection that never really exists. The goal of these attacks is financial gain.


9. New phishing attempt targets bank customers
http://news.cnet.com/8301-1009_3-10057180-83.html
A bracket of the acquisitions (Thanks housetier)
Phishers appear to be capitalising on the downfall of the global economy.

Many people are wondering what to do now that their bank has been acquired in the wake of the lending crisis. Well, whatever you do, don't click on links in e-mails purportedly sent by your bank.

Security firm SonicWall said Thursday that it has been seeing e-mails that attempt to lure people to fake bank Web sites, where they are asked to re-verify their personal and bank information as part of a merger.


10. Verizon gets industry-specific in breach report
http://news.cnet.com/8301-1009_3-10056490-83.html
An interesting report from Verizon detailing industry-specific vulnerability trends.

Risks factors for data breaches vary industry to industry and defy a "cookie cutter" approach to security, according to a report released Thursday by Verizon Communications.

The new report (PDF) builds on data released in June. The initial report spanned four years and included more than 500 forensic investigations involving 230 million compromised records.


11. Plant Tweak Could Let Toxic Soil Feed Millions
http://blog.wired.com/wiredscience/2008/10/plant-tweak-cou.html
A single genetic switch could allow crops to grow in aluminum-poisoned soil.

Thanks to a genetic breakthrough, a large portion of Earth's now-inhospitable soil could be used to grow crops -- potentially alleviating one of the most pressing problems facing the planet's rapidly growing population.

Scientists at the University of California, Riverside made plants tolerant of poisonous aluminum by tweaking a single gene. This may allow crops to thrive in the 40 to 50 percent of Earth's soils currently rendered toxic by the metal.


12. Google, Hotmail CAPTCHA Cracked
http://arstechnica.com/news.ars/post/20081002-right-back-at-ya-captcha-bad-guys-crack-gmail-hotmail.html
http://www.itsecurity.com/blog/20081003/xrumer-spambot-cracks-captchas/
A previously well-known piece of software, XRumer, has received a substantial upgrade, allowing it to break almost every form of CAPTCHA currently in use.

The decline in CAPTCHA efficacy has been an ongoing story in 2008, as hackers and malware authors have steadily found ways to chip away at the protection these security practices were once thought to offer. Now, new findings indicate that both Gmail and Windows Live Hotmail have been compromised again, this time via a more-streamlined attack process. With two of the largest webmail providers once again vulnerable, CAPTCHAs clearly aren't meeting the security needs of either company, and it may be time to reevaluate the use of them altogether.


13. RapidShare must remove infringing content proactively
http://arstechnica.com/news.ars/post/20081001-german-court-says-rapidshare-must-get-proactive-on-copyrighted-content.html
If a German court ruling is upheld, RapidShare may no longer be able to plead ignorance of infringing content hosted on its servers.

File sharing service RapidShare may find itself without a viable business model if a German court ruling stands. After getting sued by a German copyright holder, the company argued that it was doing all it could to screen out copyrighted material. The court, however, has ruled that its efforts were insufficient, raising questions about whether doing anything that was legally sufficient could be done without incurring enough costs to sink the company.

RapidShare is one of a large number of companies that will host large files for users who need to exchange them with friends and family. Like many of these companies, it offers a free service with limited features in the hopes of enticing users to spring for the cost of a premium service, which offers some significant perks, such as hosting larger files, unlimited download speeds, and permanent storage. All of this occurs through a simple web interface, and doesn't involve the P2P transfers that have attracted the ire of ISPs and the copyright industry. As a result, their popularity is growing rapidly; RapidShare accounts for five percent of all IP traffic in some regions.


14. Blizzard awarded $6 million in damages from WoW bot maker
http://arstechnica.com/news.ars/post/20081001-blizzard-awarded-6-million-in-damages-from-wow-bot-maker.html
World of Warcraft creator Blizzard have been awarded $6 million in a court case against Glider, a company that produced software to automate gameplay, the use of which was against Blizzard's Terms of Service.

The case Blizzard brought against bot-maker MDY Industries has been going on since 2006, and while a judge ruled in July that MMOGlider infringed on Blizzard's copyrights, the question of whether the bot violates the DMCA is still open. That has not stopped the judge from awarding $6 million in damages in the case.

It's unknown how much money MDY Industries has made from its product MMOGlider, which allows users to automate the boring parts of World of WarCraft and essentially grind forever with no user involvement, but the $25 program had sold around 100,000 copies as of last year. In other words, the product was big business. Unfortunately, it also violated the game's terms of service.



Ehtyar.

111
Developer's Corner / Best Language For Binary Parsing?
« on: October 02, 2008, 04:31 PM »
Hi all.
If you needed to parse some binary data (for example, PE headers), what scripting language would you use and why? I've seen a few in Python (though they've all been too complex for what I require), though I would probably be more comfortable in Perl. Anyway, I just wanted to see if anyone had any opinions before I start investing too much time in it. Any suggestions are welcome.

Thanks for any replies, Ehtyar.

112
Living Room / The Weeklies: 39
« on: September 30, 2008, 05:45 AM »
Weekly News
Hi all. This is the new way news posts will be done, please leave any constructive feedback you like.


The malware challenge begins tomorrow.

Starting from October 1, 2008 and ending October 26, 2008 we will be running a malware analysis challenge at http://www.malwarechallenge.info. In the challenge participants will download a malware sample to analyze. The site will have a list of questions for participants to answer and send in. We will judge the answers and those scoring the highest will win prizes.

We have some great prizes donated by some very cool companies. To only name some, Hex-Rays is donating a copy of IDA Pro and No Starch Press is donating a copy of Chris Eagle's IDA Pro book. Addison-Wesley and KoreLogic Security are also donating prizes (yet to be announced).

Full Story


PCMag's top 10 most mysterious cyber-crimes.

The most nefarious and crafty criminals are the ones who operate completely under the radar. In the computing world security breaches happen all the time, and in the best cases the offenders get tracked down by the FBI or some other law enforcement agency.

But it's the ones who go uncaught and unidentified. Attempting to cover your tracks is Law-Breaking 101; being able to effectively do so, that's another story altogether.

Full Story


Nevada to require all email containing personally identifiable information to be encrypted from October 1.

On Oct. 1, the state of Nevada will be requiring the encryption of all transmissions, such as e-mail, for all businesses that send personal, identifiable information over the Internet. The statute was signed into law in 2005 and is about to kick in as an enforceable law next month. Three years flies when you're raking in chips at casinos and enjoying the rising popularity of poker.

The Nevada law is stated as such:

    NRS 597.970 Restrictions on transfer of personal information through electronic transmission. [Effective October 1, 2008.]

    1. A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.

Full Story


The seven deadliest social networking hacks according to Dark Reading, as though we needed another reason to stay away from it.

It started with a stolen Facebook photo attached to an inflammatory profile. It led to online harassment, death threats, and emails to the victim’s boss questioning the victim’s character. But an online personal attack against Graham Cluley earlier this year is one example of how easy it is to use a social network to damage the identity of an individual -- or an entire company.

Cluley’s case shows just how rapidly social networks can spread a smear campaign or personal attack -- and how it can quickly spread to the victim’s professional life. Cluley, who is a senior technology consultant with Sophos, recently met another victim who experienced a similar attack on Facebook, Kerry Harvey. He says it was apparently an acquaintance of Harvey’s who built a phony Kerry Harvey Facebook profile that branded her occupation as a “prostitute,” complete with her cellphone number. (See ID Theft Victim Branded a 'Prostitute' .)

Full Story


New York offers "enhanced" drivers license containing RFID chip, permitting travel to Canada, Mexico, and the Caribbean without a passport.

You can now get an enhanced New York State driver license that will allow you to travel by land and sea to Canada, Mexico, and the Caribbean without a passport.

The only obvious differences on the new Enhanced Driver License (EDL) are the word "enhanced," an American flag, and a heart for organ donors.

Inside the new license is a radio frequency identification (or RFID) chip.

Full Story


The DHS is in the testing phase of a system to detect "hostile thoughts" at border security checkpoints. Yet another reason to avoid US travel it would seem.

Project Hostile Intent as it was called aimed to help security staff choose who to pull over for a gently probing interview - or more.

Commentators slated the idea that sensors could spot people up to no good from their pulse rate, breathing, skin temperature, or fleeting facial expressions. One likened it to the "pre-crime" units that predict criminal behaviour in the movie Minority Report.

Full Story


Yahoo's Zimbra email client is sending passwords in plaintext.

Passwords used to access Yahoo mail through the Zimbra client are sent over the Internet in clear text, a Canadian programmer says.

Holden Karau stumbled upon this problem while participating in the Yahoo University Hack Day at the University of Waterloo last week.

"The Yahoo imap server's used by the Yahoo Desktop don't support SSL and the password was being transmitted in plain text," Karau wrote in a blog post on Friday.

Full Story


A UCLA group has found the 46th Mersenne prime, comprising 13 million digits.

Mathematicians at UCLA have discovered a 13 million-digit prime number, a long-sought milestone that makes them eligible for a $100,000 prize.

The group found the 46th known Mersenne prime last month on a network of 75 computers running Windows XP. The number was verified by a different computer system running a different algorithm.

Full Story


Microsoft and Nokia will be including jQuery in the next version of their development environments.

Could Microsoft be learning the way things work on the web? That big software company in Redmond will include JavaScript framework jQuery in its development environment. At the same time, Nokia announced that it will use jQuery for its mobile-browser development. That’s two more big companies to join Google, Amazon and thousands of other sites using jQuery.

Microsoft has long struggled to keep up with advances in JavaScript. In July the company announced an Ajax roadmap, which looked like Microsoft was going to eventually re-create all the features already in popular frameworks. Instead, Microsoft is going to incorporate someone else’s code, and it’s open source code at that.

Full Story

Ehtyar.

113
A Japanese Corporation has unveiled designs for a new greener express train that is capable of speeds up to 217 mph.

Here in the land of the Metroliner and the Coach Coast Starlight, it's easy to be jealous of all the national rail systems that leave Amtrak in the dust. Now Japan, already home to one of the world's most sophisticated networks, has given us something new to envy -- a greener train that does 217 mph.

Kawasaki Heavy Industries is developing the "Environmentally Friendly Super Express Train" and says it will be Japan's fastest passenger train ever. It features an extremely light and aerodynamic profile and uses regenerative braking to capture kinetic energy that would otherwise be lost as heat. As a result, Kawasaki says, the efSET will be smoother, quieter and more energy efficient than many current trains.

Full Story

Ehtyar.

114
Living Room / News Article: Two Arrested For ATM Fraud
« on: September 24, 2008, 07:30 PM »
In a spectacular display of the incompetence of financial institutions, and their reliance on security by obscurity, two bright-looking Nebraskan gentlemen have been arrested for using the default administrative password to fool an ATM into dispensing large sums of money.

It took a high-speed chase and some gunplay, but two men in Lincoln, Nebraska, are the first to face felony charges for using default passcodes to reprogram retail cash machines to dispense free money.

Jordan Eske and Nicolas Foster, both 21, are in Lancaster County Jail pending an October 1st arraignment. They're each charged with four counts of theft by deception, and one count of computer fraud, for allegedly pulling cash from privately owned ATMs at four stores in the area. The pair allegedly reprogrammed the machines to believe they were loaded with one-dollar bills instead of tens and twenties. A withdrawal of $20 would thus net $380.

Full Story

Ehtyar.

115
Living Room / News Article: Google Unveils The G1
« on: September 24, 2008, 07:23 PM »
Google has unveiled their much-awaited G1 iPhone competitor.

The long-awaited, breathlessly-rumored, Google-powered (and still unavailable until next month) G1 phone was unveiled today with a list price that undercuts Apple's iPhone by $20 but with few design or software elements that had not been anticipated.

The handset is made by HTC and the service is provided by T-Mobile -- but the buzz is all about the completely open source Android platform developed by Google, which allows third-party developers to create applications.

Full Story

Ehtyar.

116
As if speed cameras in this country weren't already a spectacular indicator of our government's disregard for the rights of its citizens, the state and federal governments want all fixed and mobile speed cameras to take photos of all passing vehicles clear enough for positive ID of the occupants. Can anyone say "surveillance society"?

State and federal police forces want full-frontal images of vehicles, including the driver and front passenger, that are clear enough for identification purposes and usable as evidence in court.

"All vehicles passing through a fixed or mobile ANPR camera will have the data recorded and available for interrogation," CrimTrac told the Queensland TravelSafe inquiry into the use of ANPR for road safety.

Full Story

Ehtyar.

117
Living Room / News Article: Firefox Update Fixes Several Flaws
« on: September 24, 2008, 07:12 PM »
Firefox 2.0.017 and 3.0.2 have been released, which fix several bugs and security vulnerabilities.

Mozilla released Firefox 2.0.017 and Firefox 3.0.2, updated versions of its browser, on Wednesday to address a dozen security vulnerabilities. Four are ranked by Mozilla as critical, one high, two moderate, and the rest of the patches are considered low priority. About half do not apply to Firefox 3.

The updates are pushed automatically to current users and will take effect the next time the browser is restarted. Current users of Firefox 2 are encouraged to upgrade by manually downloading Firefox 3 as soon as possible.

Full Story

Ehtyar.

118
Living Room / News Article: HP and Symantec Develop Sandboxed Firefox
« on: September 24, 2008, 07:08 PM »
HP and Symantec have joined forces to develop/release a sandboxed Firefox on HP's new HP Compaq dc7900 enterprise desktop.

Today, the hardware maker unleashed the HP Compaq dc7900, a business desktop with a version of Firefox that isn't really there. Developed in tandem with Symantec, the Firefox for HP Virtual Solutions browser operates in a runtime netherworld that's separate from the rest of the machine.

This means that when malware attacks, the machine itself is unharmed. "[This virtual Firefox browser] ensures that employees can utilize the World Wide Web productively, while keeping business PCs stable and easier to support," writes Symantec technical product manager Scott Jones. "Changes made to a PC while surfing the Web are contained in a 'virtual layer' and do not permanently alter the machine."

Full Story

Ehtyar.

119
Living Room / Introduction To Public Key Cryptography
« on: September 24, 2008, 07:03 PM »
A nice introduction to public key cryptography, focusing on RSA.

Cryptography, the art of concealing the meaning of messages, has been practiced for at least 3000 years. In the past few centuries, it has become an indispensable tool in the military affairs, diplomacy, and commerce of most major nations. During that time there have been many innovations, and cryptography has changed and grown to accommodate the increasingly complex needs of its users. Present techniques are very sophisticated and provide excellent message protection. Current developments in computer technology and information theory, however, are on the verge of revolutionizing cryptography. New kinds of cryptographic systems are emerging that have incredible properties, which appear to eliminate completely some problems that have plagued cryptography users for centuries. One of these new systems is public key cryptography.

In public key systems, as in most forms of cryptography, a piece of information called a key is used to transform a message into cryptic form. In conventional cryptography this key must be kept secret, for it can also be used to decrypt the message. In public key cryptography, however, a message remains secure even if its encryption key is publicly revealed. This unique feature gives public key systems great advantages over conventional systems.

Full Story

Ehtyar.

120
India is now using EEGs to determine the guilt or innocence of a defendant in court.

This latest Indian attempt at getting past criminals’ defenses begins with an electroencephalogram, or EEG, in which electrodes are placed on the head to measure electrical waves. The suspect sits in silence, eyes shut. An investigator reads aloud details of the crime — as prosecutors see it — and the resulting brain images are processed using software built in Bangalore.

The software tries to detect whether, when the crime’s details are recited, the brain lights up in specific regions — the areas that, according to the technology’s inventors, show measurable changes when experiences are relived, their smells and sounds summoned back to consciousness. The inventors of the technology claim the system can distinguish between people’s memories of events they witnessed and between deeds they committed.

Full Blog
Full Story

Ehtyar.

121
General Software Discussion / The New (And Improved?) VLC
« on: September 22, 2008, 10:35 PM »
Recently VLC was updated from 0.8.6 to 0.9.2 (0.9.0 & 0.9.1 were skipped due to blocking bugs, anyone notice a little lag? :P). The new release includes the following improvements:
1. New interface based on Qt (see screenshots below).
2. Improved playlist with support for:
  • Media library support
  • Live search
  • Shoutcast TV listings
  • Audioscrobbler/last.fm
  • Album art support
3. New demuxers
4. New decoders
5. New video/audio/stream output and filters
6. Improvements to the developer interface/libVLC via Google's Summer of Code.
7. A beta Lua module for providing additional functionality.
I am posting this information because after using the new version for some days, I like it much better than the earlier UI, though there are some features that tick me off, so I would like the opinion of other users on the subject.
Firstly, there's the new main window, as shown below. It has much enhanced menus (though they're not visible here) as well as better volume control and an improved controls bar. The volume control appears to ramp the volume to 200%, though playing the same video in 0.8.6 and 0.9.2 side-by-side 100% in the new player sounds exactly the same as 100% in the old player.
vlc.png
Then there is the new open dialog, which unfortunately IMO is quite the step backward. VLC now appears to handle indexing of files itself, which in Windows causes some big issues when indexing a large directory, and the interface is not particularly intuitive. I've also found that, occasionally, trying to open something in VLC via one of the open dialogs causes a CPU spike prior to the display of the dialog itself, and the fullscreen control panel appears briefly at the bottom of the screen.
vlc2.png
Speaking of the fullscreen UI, here it is. It has also been a much missed feature of VLC.
vlc4.png
And just for comparison's sake, here is the old UI:
vlc3.png
I've never been a fan of VLC's skinning options, as you always seem to lose controls and menu options with the skins; indeed, frequently you lose the menus altogether. I am however a fan of the new VLC as a whole, and I hope the new UI at least will encourage users to move away from behemoths like QuickTime and WMP to this free, open alternative. Please let us know your opinion.

Ehtyar.

122
Comcast has finally relented and admitted that it throttled p2p traffic on its network to the Federal Communications Commission.

Comcast came clean with the Federal Communications Commission late Friday, detailing how it throttled and targeted peer-to-peer traffic -- maneuvers it has repeatedly denied.

The cable concern said it indeed hit "particular protocols that were generating disproportionate amounts of traffic." The peer-to-peer protocols, Comcast said, include Ares, BitTorrent, eDonkey, FastTrack and Gnutella -- vehicles used to transport copyrighted material without the owners' permission.

Full Story

Ehtyar.

123
Living Room / Vuln. Alert: VMWare ESX RCE
« on: September 22, 2008, 06:46 AM »
VMWare has patched two buffer overflows in its ESX server software that could potentially allow remote code execution by an unauthenticated party.

VMware has fixed critical security bugs in two of its virtualization products that could allow a remote attacker to remotely install malware on a host machine.

The patches, which apply to ESXi and ESX 3.5, fix two buffer overflow bugs that reside in a component known as openwsman. It provides web services management functionality and is enabled by default. The vulnerabilities could be exploited by people without login credentials to the system.

Full Story

Ehtyar.

124
DC Gamer Club / Blog Post: Bejeweled + WoW = Entertainment While Queued
« on: September 19, 2008, 04:30 PM »
An innovative addon developer has created Bejeweled for WoW, lessening the boredom one may suffer while waiting for BGs etc.

Where will PopCap Games' megahit puzzle game Bejeweled pop up next? Would you believe ... World of Warcraft?

A version of the match-three game is set to launch next Thursday within the World of Warcraft MMO (massively multiplayer online), letting players kill time with puzzles during raids and long stints farming rare items.

Full Blog

Ehtyar.

125
The EFF and Public Knowledge are suing the Federal Government for details regarding the up-and-coming Anti-Counterfeiting Trade Agreement.

The Electronic Frontier Foundation and Public Knowledge are two public interest groups leaving no stone unturned when it comes to trying to uncover details about the proposed Anti-Counterfeiting Trade Agreement.

Details of the proposed multicountry accord are sketchy at best. Speculation is running rampant that, if ratified, the agreement might criminalize peer-to-peer file sharing, subject iPods to border searches and allow internet service providers to monitor their customers' communications.

Full Story

Ehtyar.
