Topics - Ehtyar
Living Room / Tech News Weekly: Edition 09-09
« on: February 28, 2009, 08:45 PM »
The Weekly Tech News
Hi all.
Thanks to 40hz for #10, definitely worth the watch. Also, the article titles are no longer clickable, but are still blue because the black looked absolutely awful. It is my hope that Mouse Man will finally get me my javascript on the forum and I can make the titles expand the spoilers and get rid of those hideous buttons.
As usual, you can find last week's news here.


1. Attackers Targeting Unpatched Vulnerability in Excel 2007
http://www.infoworld.com/article/09/02/24/Attackers_targeting_unpatched_vulnerability_in_Excel_2007_1.html
A zero-day in various versions of Microsoft Excel is being actively exploited in the wild. According to Symantec, early versions of the exploit are installing Trojan.Mdropper.AC. The next Patch Tuesday will not be until March 9.

Microsoft's Excel spreadsheet program has a zero-day vulnerability that attackers are exploiting on the Internet.

A zero-day vulnerability is one that does not have a patch and is actively being used to attack computers when it is publicly revealed. Microsoft said Tuesday that it plans to patch the issue, but did not say when. The company's next set of security patches is set to be released March 9.

"At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability," wrote Microsoft Spokesman Bill Sisk in a blog posting. "We are developing a security update for Microsoft Office that addresses this vulnerability."


2. Conficker Variant Dispenses With Need to Phone Home
http://www.theregister.co.uk/2009/02/23/conficker_variant/
A very nice technical write-up: http://mtc.sri.com/Conficker/
Yet another Conficker (Downadup) variant, Conficker B++, has been found in the wild. The new update permits the authors of the worm to distribute updates from any website on the internet as opposed to only those on the pre-programmed update site list.

Virus authors have released a new variant of the infamous Conficker (Downadup) worm with enhanced auto-update features.

The changes in the new strain of the malware, dubbed Conficker B++, make it possible for malware authors to push out new code without publishing it on pre-programmed sites, as with earlier variants. The earlier approach has been frustrated by the recent formation of an alliance led by Microsoft geared up to block and take down sites associated with the worm.


3. Unofficial Patch Plugs 0-day Adobe Security Vuln.
http://www.theregister.co.uk/2009/02/24/unofficial_adobe_patch/
Thanks to Adobe playing the part of Johnny-come-lately with the latest vulnerability in its Acrobat Reader product, security researchers have come together to publish an unofficial patch which can be applied prior to Adobe releasing an official patch on March 11.

Security researchers have developed an unofficial patch for a zero-day Adobe Acrobat and Reader vulnerability that's become the subject of hacker attacks.

Adobe acknowledged the vulnerability last week but said an official patch wouldn't be available until 11 March.

This three-week window of vulnerability before an update becomes available is all the more serious because hackers have created an exploit, Shadowserver reports. Malicious PDFs in circulation exploit a vulnerability in a function call not related to JavaScript. JavaScript is used in the malicious PDF but only to "fill the heap with shellcode" (i.e. to crank up the attack), Shadowserver explains.


4. Key Backer's Change of Heart Endangers Aussie 'Net Filtering
http://arstechnica.com/telecom/news/2009/02/key-backers-change-of-heart-endangers-aussie-net-filtering.ars
Finally (though he is quite the flip-flopper when it suits him), someone has had the sense to call the Australian government on their atrociously ill-advised plan to monitor the internet usage of Australian citizens.

Australia's controversial plan to implement a mandatory ISP filtering system may crash into a big brick wall after a backer effectively changed teams. Senator Nick Xenophon was previously in favor of a system that would run all citizens' Internet connections through a filter for "illegal" content because it might have also blocked access to online gambling sites. As more and more concerns about the workability of the ambitious plan have been raised, however, he has decided that there are too many unanswered questions and now says he will move to block any legislation that comes through.

The Australian government first revealed its filtering initiative in 2007, which was met with widespread public outcry. Despite this, Australia moved forward with its plans and began testing the system in Tasmania in February of 2008. At the time, the Australian Communications and Media Authority (ACMA) said that the filters would be enabled by default and that consumers would have to request unfiltered connectivity if they wished to opt-out of the program.


5. ICANN Report: New GTLD Program Riddled With Problems, Delayed
http://arstechnica.com/tech-policy/news/2009/02/icann-releases-new-gtld-guidelines.ars
ICANN is inching closer to seeing the light, having delayed the implementation of their expanded gTLD program until December.

You know that $185,000 you've been saving up to register .zomgilovearstechnica as your very own generic Top Level Domain (gTLD)? It looks like you'll have to wait a bit longer. On Thursday, the Internet Corporation for Assigned Names and Numbers released a revised version of its draft guide to expanded gTLD applications, along with a lengthy analysis of the voluminous comments and critiques they received in response to the first draft. To give themselves time to process a second round of comments, ICANN will push off implementation of the plan from September to December of this year.

Last year, ICANN's directors voted unanimously to move forward with an ambitious plan to massively expand the Net's system of generic Top Level Domains (gTLDs). The proposal would allow anyone able to fork over a princely application fee, along with annual maintenance charges of $75,000, to add their very own gTLD—such as .arstechnica or .blog or .riverrunpasteveandadams—to the familiar roster of 21 existing domain extensions, such as .com and .org. But ICANN's first-draft guidelines for new domains generated an avalanche of critical comments—not least from the US government. It has released a second draft that seeks to address some of those criticisms, as well as a 154-page analysis of the comments they've received—but some critics say the central problems with the proposal remain.


6. EU Group Aims to Eavesdrop On Skype Calls
http://arstechnica.com/tech-policy/news/2009/02/eu-group-aims-to-eavesdrop-on-skype-calls.ars
It seems Skype is becoming ever more of a thorn in intelligence agencies' sides, preventing them from eavesdropping on calls with its proprietary encryption and P2P connection system.

As high-tech tools expand the ability of intelligence and law enforcement agencies to sweep up and sort vast quantities of communications traffic, European Union officials worry that encrypted Voice over IP technologies like Skype are leaving criminals with a digital hole in the telecom dragnet. In a statement released this weekend, the Italian arm of the European Union's judicial cooperation agency, Eurojust, announced it would lead an international effort to "overcome the technical and judicial obstacles to the interception of internet telephony systems."

The statement singled out Luxembourg-based Skype as presenting particular problems, because "Skype's encryption system is a secret which the company refuses to share with the authorities." Eurojust officials told reporters that the new initiative comes at the request of Italian authorities concerned that organized crime was resorting to encrypted Skype communications to evade eavesdropping.


7. New Zealand P2P Disconnection Plan Delayed After Outcry
http://arstechnica.com/tech-policy/news/2009/02/new-zealand-p2p-disconnection-plan-delayed-after-outcry.ars
New Zealanders have banded together and forced their government to delay the implementation of their P2P internet cutoff plan.

As an Internet blackout hit blogs across New Zealand today, the government announced that it would postpone the implementation of its hugely controversial "graduated response" law for dealing with (and eventually disconnecting) repeat P2P copyright infringers.

New Zealand's 1984 Copyright Act was last year amended in numerous ways, but the most controversial has certainly been new section 92A. "An Internet service provider must adopt and reasonably implement a policy that provides for termination, in appropriate circumstances, of the account with that Internet service provider of a repeat infringer," it says.


8. Microsoft Suit Over FAT Patents Could Open OSS Pandora's Box
http://arstechnica.com/microsoft/news/2009/02/microsoft-sues-tomtom-over-fat-patents-in-linux-based-device.ars
Discussion thread by Edvard: https://www.donationcoder.com/forum/index.php?topic=17212
Microsoft have, for the first time, enforced their patent on the FAT filesystem against navigation device maker TomTom. Several of the products involved are Linux-based.

Microsoft has filed a patent infringement lawsuit against navigation device maker TomTom. The suit alleges that several of TomTom's products, including some that are Linux-based, infringe on a handful of Microsoft's patents. Several of the patents in question relate to car computing systems and navigation, but there are also two that cover Microsoft's FAT32 filesystem. If Microsoft begins to systematically enforce its FAT32 patents, it could have broad ramifications for the Linux platform and for mobile device makers.

The lawsuit, which was reported today at Todd Bishop's Microsoft blog, is thought to be the first time that Microsoft has directly targeted Linux with patent litigation. In an interview with Bishop, Microsoft deputy general counsel for intellectual property Horacio Gutierrez claims that this is not the beginning of a broader intellectual property campaign against Linux. Gutierrez characterizes the lawsuit as a last resort option that Microsoft is pursuing after attempting to negotiate a private settlement with TomTom for over a year.


9. Supreme Court Whacks DSL Antitrust Suit Against AT&T
http://arstechnica.com/telecom/news/2009/02/supreme-court-whacks-dsl-antitrust-suit-against-att.ars
US ISP AT&T have been saved from an antitrust lawsuit, alleging that the company is engaging in price squeezing by charging higher rates to wholesale buyers than retail customers, by a Supreme Court judge who threw the case out.

The Supreme Court has unanimously rejected a lawsuit against AT&T charging that the telco engaged in "price squeezing" against smaller Internet providers. A group of carriers led by Linkline Communications complained that the DSL giant charges high rates for wholesale access and low rates to consumers, effectively pushing competitors out of the market.

But the Supremes ruled on Wednesday that AT&T had "no duty to deal" with these carriers, at least as far as the Sherman Anti-Trust Act is concerned. The key to this logic is that while the Sherman Act forbids a company from monopolizing trade or commerce, it doesn't force the business to sell its services to other firms.


10. A Mermaid's Tale (Thanks 40hz)
http://www.stuff.co.nz/4203291a6442.html
Video: http://tvnz.co.nz/close-up/a-mermaids-tale-4-50-2502188/video
New Zealand physical effects lab Weta Workshop have created a fully functional Mermaid tail for a double amputee that will be used to allow her to swim.

Ms Vessey approached Weta with the ambition of making a tail that was both practical and beautiful, a task that proved to be a pleasing challenge for our team.

The unique articulated construction of the tail will allow Vessey to propel herself through the water with an undulating movement as if she was a mermaid.


11. The Matrix Runs On Windows (Thanks 40hz)
http://www.dailycupoftech.com/2009/02/27/the-matrix-runs-on-windows/
For those that haven't been watching the silly humour thread (I highly recommend you do), here's one of the best ones so far.




Ehtyar.

General Software Discussion / Linux on Windows (Sans Cygwin or VM)
« on: February 26, 2009, 12:50 AM »
If you're like me and very much appreciate the Linux philosophy and the endless stream of useful utilities that go hand-in-hand with it, but are stuck on Windows for whatever reason, you'd probably love a way to use common Linux software on Windows. For quite a while now, Cygwin has been available, which provides a near complete port of Linux software to Windows. For some, it's too bloated and heavy, for others too developer-centric, and yet for others is impractical because it requires admin privileges to run and isn't portable.

For some time now I've been using the MinGW GNU toolchain on Windows. gcc may not be the best compiler around, but I believe it does an excellent job given that it's free (you really need the 4.x branch for a lot of the good stuff). Generally speaking, the MSYS environment goes hand-in-hand with MinGW, because it allows you to run those painful 'configure' scripts and makefiles that come with a good portion of open source software (at least the cross-platform stuff anyway).

Recently, I've been using Ubuntu on my MSI Wind and have discovered the true depth of the Linux command line. I was ecstatic to find that MSYS as provided by the installer is but a subset of the available utilities. If you get yourself to the download section (two links there) on sourceforge for MinGW you'll find all the most commonly used Linux command line tools available for MSYS, which can be used standalone to provide a Linux-like shell that is fully portable and integrates well with the Windows file system without requiring administrator privileges.

Now, as if this were not enough to keep the geekiest of the geeks happy playing with his new toys for weeks, KDE (K Desktop Environment), being that it's written atop Qt, have begun porting their application suite to Windows (overview). Downloading only those apps considered "stable" by the dev team, I have over 80 KDE apps sitting in my start menu at the moment (don't tell the boss, but 33 of them are games ;)). It also appears to be portable (though I haven't tested it extensively yet).


Hope you all enjoy, Ehtyar.

Living Room / Tech News Weekly: Edition 08-09
« on: February 21, 2009, 05:11 PM »
The Weekly Tech News
Hi all.
Nothing funny this week I'm afraid... The Onion seem to have a habit of producing one awesome video followed by some in really poor taste.
Sorry for the screw-up with naming last week's news, you can find it here.


1. SafeNet Demonstrates OMA DRM-compliant Android Smartphone
http://www.earthtimes.org/articles/show/safenet-demonstrates-oma-drm-compliant-android-smartphone,720107.shtml
SafeNet’s DRM Fusion Agent open-standards DRM system has made its way to Android.

SafeNet, Inc., a global leader in information security, today announced the availability of its complete suite of open standards-based Digital Rights Management (DRM) and Mobile TV protection solutions for the Open Handset Alliance’s (OHA) Android platform. A live demonstration of SafeNet’s DRM Fusion Agent, deployed on Android, will be showcased daily at the 2009 Mobile World Congress.

“SafeNet’s DRM Fusion Agent seamlessly integrates with the Android platform and application framework,” said Simon Blake-Wilson, managing director, embedded security solutions, SafeNet. “Pre-integration with today’s leading mobile operating systems, including Android, Windows Mobile, Symbian, and RTOS-based feature phone platforms, as well as with Windows PCs, continues to make SafeNet’s DRM Fusion Agent the ideal solution for reducing cost and time to market for the world’s leading device and handset manufacturers.”


2. Bot Busts Newest Hotmail CAPTCHA
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9128201
Hotmail's newest CAPTCHA will slow hackers down (20% success), but not by enough.

Spammers have cracked Microsoft Corp.'s latest defense against abuse of its Live Hotmail e-mail service using a sophisticated network of hacked computers that receive encrypted instructions from a central server, a security company has reported.

The botnet, or collection of compromised PCs, can decipher Live Hotmail's CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) registration safeguard in about 20 seconds, said Websense Inc. researcher Sumeet Prasad.


3. Satellite-hacking Boffin Sees the Unseeable
http://www.theregister.co.uk/2009/02/17/satellite_tv_hacking/
Confirmation of what most of us would have already known... you can read anything that's not encrypted sent via satellite with off-the-shelf hardware.

White-hat hacker Adam Laurie knows better than to think email, video-on-demand, and other content from Sky Broadcasting and other satellite TV providers is a private matter between him and the company. That's because he's spent the past decade monitoring satellite feeds and the vast amount of private information they leak to anyone with a dish.

"Looking at what kind of data you can see being broadcast, some of that is quite surprising," he says. "Things you would expect to be secure turn out not to be secure. The most worrying thing is you can just see all this data going by."


4. New In-the-wild Attack Targets Fully-patched Adobe Reader
http://www.theregister.co.uk/2009/02/20/adobe_reader_exploit/
Discussion thread by Mouser: https://www.donationcoder.com/forum/index.php?topic=17119
Malicious PDFs are spreading a trojan known as Gh0st RAT through a newly discovered vulnerability in Adobe Acrobat.

Security watchers are warning of a serious unpatched vulnerability in Adobe's Reader program that's actively being exploited to install malware on the PCs of unsuspecting users.

The vulnerability has been confirmed in versions 8.1.3 and 9.0.0 of Adobe Reader running on Windows XP Service Pack 3 and is presumed to work on other versions of Windows as well, according to this advisory from Shadowserver. Adobe for machines running Linux and Apple's OS X were not tested, but may also be vulnerable, Shadowserver's Steven Adair said.


5. State Bill Would Turn RFID Researchers Into Felons
http://www.theregister.co.uk/2009/02/20/nevada_rfid_skimming_bill/
Because...you know...prohibition is bound to fix the RFID problem...

The sponsor of a controversial bill before the Nevada legislature has promised to introduce amendments after security experts and civil libertarians warned it would make felons of people studying privacy threats involving RFID, or radio frequency identification.

In its present form, Senate Bill 125 (PDF) would make it a felony for anyone to possess, read or capture the personally identifying RFID information of others without their consent. Without changes, the legislation would prevent the testing and demonstrating of RFID weaknesses in a state that hosts Defcon and Black Hat, the biggest hacker conference and one of the biggest security conferences respectively.


6. New Attacks On IE7 Go Wild
http://www.theregister.co.uk/2009/02/17/internet_explorer_attacks_go_wild/
For the techies: http://isc.sans.org/diary.html?storyid=5884
An RCE flaw in IE7 is being actively exploited in the wild to steal users' data or surreptitiously install software.

Cybercriminals have begun attacking a critical hole that Microsoft patched in its Internet Explorer 7 browser last week, corroborating the company's warning that the vulnerability would be easy to exploit.

The exploit code is spread through a booby trapped Word document that ultimately installs information-stealing malware on unpatched machines, according to researchers. The vulnerability is one of two IE flaws Microsoft patched last week. The company warned at the time that "consistent exploit code" for the remote execution flaws was likely.


7. Wikileaks Forced to Leak Its Own Secret Info
http://blog.wired.com/27bstroke6/2009/02/wikileaks-force.html
Oops, an accidental CC instead of BCC has caused Wikileaks to leak their own donor list to the public.

What's Wikileaks, the net's foremost document leaking site, supposed to do when a whistle-blower submits a list of email addresses belonging to the site's confidential donors as a leaked document?

That's exactly the conundrum Wikileaks faced this week after someone from the controversial whistle-blowing site sent an emergency fund-raising appeal on Saturday to previous donors. But instead of hiding email addresses from the recipients by using the bcc field, the sender put 58 addresses into the cc field, revealing all the addresses to all the recipients.


8. Kiwi "three Strikes" Law Countered With "Internet Blackout"
http://arstechnica.com/tech-policy/news/2009/02/kiwi-three-strikes-law-countered-with-internet-blackout.ars
In protest of the "three strikes" law due to come into effect February 28, New Zealanders are proposing an "internet blackout" where New Zealand internet users will replace their home pages with a black page.

Perhaps taking a cue from New Zealand rugby team the All Blacks, a group of Kiwi artists and activists are calling for an "Internet Blackout" to protest the country's coming "three strikes" law.

The Creative Freedom Foundation believes that copyright infringement is wrong, but it argues that the proposed penalty (ISP disconnection) doesn't fit the crime, especially since the New Zealand law only relies on evidence and allegations from copyright holders; the law makes no provision for judicial oversight or any other sort of process to contest the evidence of P2P copyright infringement. It goes into effect on February 28.


9. Sun Targets Flash, Brings JavaFX to Mobile Devices
http://arstechnica.com/open-source/news/2009/02/sun-brings-javafx-to-mobile-devices.ars
An interesting move by Sun sees them competing directly with Adobe on the mobile platform.

Sun is bringing its JavaFX development framework to mobile devices. The latest release of the JavaFX SDK, version 1.1, offers full support for mobile JavaFX development and includes an emulator for testing mobile device compatibility. The move could help Java retain its relevance on handhelds as rival Adobe works to boost the popularity of Flash and AIR for mobile development.

JavaFX, which was first announced in 2007 and rolled out to the public in December 2008, is a framework for building rich Internet applications on top of Java. It includes a scene graph library and a unique scripting language that provides a declarative syntax for constructing sophisticated graphical user interfaces. Its graphics capabilities include support for animation, visual effects, gradients, and translucency.


10. Feds Propose Storing Internet User Data for 2 Years
http://blog.wired.com/27bstroke6/2009/02/feds-propose-st.html
In a stunt one might have expected from the English government, the US government is proposing legislation that would require data associated with any dynamically assigned IP address to be retained for a minimum of two years.

In the name of combating child pornography, federal lawmakers are proposing that internet users' online surfing habits be retained for two years.

The so-called "Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act of 2009," or SAFETY Act, was floated in both the House and Senate on Thursday.

Among other things, it demands: "A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user."


11. Pirate Bay Joy at Charge Change
http://news.bbc.co.uk/2/hi/technology/7895026.stm
As many were likely aware, the trial of the administrators of The Pirate Bay began earlier this week. Shortly after the trial began, however, half of the charges were dropped by the prosecution.

Swedish prosecutors dropped charges relating to "assisting copyright infringement" leaving the lesser charges of "assisting making available copyright material" on trial day two.

Pirate Bay co-founder Frederik Neij said it showed prosecutors had misunderstood the technology.

The music industry played down the changes as "simplifying the charges".


12. How the Feds Shook Hands With an Internet Pedophile
http://www.theregister.co.uk/2009/02/20/rise_and_fall_of_digerati/
A rather disturbing insight into the nastier side of plea bargaining, and how knowing the right information can get you out of almost anything. This is a long one guys, and only tech related on the surface, but it was a very good read and is a good alternative to a video ('coz the last two Onions sucked) I think.

As former moderators for an internet relay channel dedicated to hacking, Francine Campbell and Sterlin Ward have seen some of the net's darker quarters. But nothing prepared them for their group's encounter with an internet pedophile who called himself Digerati.

After the hacker repeatedly propositioned channel members as young as 13 to engage in graphic webcam sex, Campbell and Ward alerted the FBI and officials at the University of Pennsylvania, where Digerati attended classes and got his internet access. Digerati - whose real name is Ryan Goldstein - was eventually prosecuted, but the experience left the channel elders - and some law-enforcement experts - critical of what they characterize as a Faustian deal



Ehtyar.

Living Room / Tech News Weekly: Edition 07-09
« on: February 13, 2009, 05:31 PM »
The Weekly Tech News
Hi all.
Hope you're all partying hard for 1234567890 ;)
As usual, you can find last week's news here.


1. Hacker Site Claims Breach of Third Security Firm Web Site in a Week
http://news.cnet.com/8301-1009_3-10161874-83.html
HackersBlog claims the websites of security firms Kaspersky, BitDefender and F-Secure have been breached via various SQL injection and cross-site scripting attacks.

HackersBlog publicized on its site that it had breached the U.S. Web site of Moscow-based firm Kaspersky on Saturday and the Portugal site of BitDefender on Monday using the same attack techniques.

Kaspersky said on Monday that no sensitive or customer data had been exposed in the breach and that it would ask a database expert to audit its systems. BitDefender said the site that had been breached belonged to an unnamed partner and no customer data was stolen.


2. HP Printer Hack Risk Prompts Update
http://www.theregister.co.uk/2009/02/09/hp_printer_firmware_update/
Several HP printer series have vulnerabilities in their firmware that could allow an attacker to gain access to documents sent to the printer via the web administration panel.

Users of HP LaserJet printers need to apply a firmware update following the discovery of a potentially troublesome vulnerability.

The security bug creates a means for hackers to gain access to files sent to printers via the web administration console on vulnerable machines. A security advisory from HP explains various versions of its HP Digital Senders as well as HP LaserJet printers and HP Color LaserJet printers are all potentially vulnerable.

Users of HP LaserJet 2410, 2420, 2430, 4250, 4350, 9040, and 9050 series all need to upgrade their printer's firmware software to a secure version. HP Color LaserJet 4730mfp, HP Color LaserJet 9500mfp and HP 9200C Digital Sender users also need to update.


3. Houston Justice System Laid Low by Conficker Worm
http://www.theregister.co.uk/2009/02/09/houston_malware_infection/
Yet another corporate network falls prey to Conficker/Downadup.

The justice system in Houston was thrown into disarray late last week after the infamous Conficker (Downadup) worm infected key systems.

The infection forced municipal courts in the Texan city to shut down on Friday, and police had to temporarily stop making arrests for minor offences, such as those for outstanding traffic warrants or minor drug possession. "The people we pull over with outstanding traffic warrants will be issued a citation rather than being taken to jail," explained Houston Police Department spokesman John Cannon. "Anyone suspected of a violent crime will be taken to jail. We’re not cutting back on that."

Meanwhile, bail bonds agencies report that the process of releasing prisoners and handling bond payments has slowed to a crawl.


4. Win 7 and Smartphones Targeted in Pwn2own Challenge
http://www.theregister.co.uk/2009/02/12/pwn2own_preview/
The next Pwn2Own contest on the 16th of March will feature Windows 7 and Smartphones.

An annual hacking challenge has put the security of browsers and smartphones in the firing line.

The latest Pwn2own contest at CanSecWest next month will reportedly include challenges involving hacking into browser packages running on Windows 7 PCs and a separate contest involving breaking into next-generation smartphones. 3Com's TippingPoint security division is to sponsor both contests, due to take place at the Vancouver conference from 16 March.


5. A Promising New Key Management Standards Effort
http://news.cnet.com/8301-1009_3-10163186-83.html
Several of the big guns in IT have banded together to produce a new standard for encryption key management. Unfortunately, technical details are sketchy.

At ESG, we have this concept called ubiquitous encryption. As more and more encryption technologies are baked into products and enter the enterprise, data will likely be encrypted everywhere--on hard drives, networks, database columns, file systems, tape drives, portable media, etc.

Good news for data confidentiality and integrity but all of this encryption means tons of new encryption keys to create, protect, and manage. This situation has scared me for a while. If encryption keys are stolen, they can easily unlock secret data. If encryption keys are lost, critical data can turn into useless 1s and 0s.


6. Personal Data Of 45,000 Exposed In FAA Data Breach
http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=213402894
The US Federal Aviation Administration has suffered a data breach that has exposed the details of some 45,000 staff. It is not known how the data was exposed.

The Federal Aviation Administration (FAA) is warning some 45,000 employees that their personal data may have been compromised in a hack of one of its computer systems.

A notice about the FAA breach says that "an agency computer was illegally accessed and employee personal identity information was stolen electronically." Affected employees will receive individual letters to notify them about the breach, the notice says.


7. Security Websites Hit By Big DDoS Attack
http://darkreading.com/security/attacks/showArticle.jhtml?articleID=213402595
Security site Metasploit has been subjected to DDoS attacks of up to 80,000 hits per second.

Several renowned white-hat hacker security sites have been hit during the past few days with a distributed denial-of-service attack (DDoS). Immunity, Milw0rm, and Packet Storm were in the clear as of this posting, but attackers were still hammering away at Metasploit.

The attackers behind the DDoS -- which began on Feb. 6 and continued through the weekend on most of the sites -- deployed a massive botnet of some 80,000 zombies to flood the sites' domains with HTTP requests, according to Cisco researchers.


8. Cracking Down On Conficker: Kaspersky, OpenDNS Join Forces
Spoiler
http://arstechnica.com/business/news/2009/02/cracking-down-on-conficker-kaspersky-opendns-join-forces.ars
Kaspersky and OpenDNS will be working together to try to stop Conficker from spreading.

The Conficker botnet is proving to be a feisty bit of malware. It may never become a problem of Storm-sized proportions, but Conficker's authors seem determined to keep their system in play. Team White Hat, however, isn't giving up—OpenDNS and Kaspersky Lab announced on Monday, February 9 that they'd be working together to prevent Conficker from spreading once it's infected a network. There are two components to the new approach. First, Kaspersky Labs is capable of predicting what domains Conficker will attempt to contact, while OpenDNS' Botnet Protection feature prevents those domains from resolving internally. The result—at least in theory—is a cooped-up Conficker.

The problem the two companies are trying to address dates back to a new version of Conficker we first covered three weeks ago. Dubbed Conficker.B, the newer model is capable of spreading via USB stick and attempts to crack the passwords of other local systems. Once it has found additional systems to sink its hooks into, Conficker fires up and begins spreading itself across the network; only one system need remain unpatched for an entire network of systems to become infected.


9. Mozilla Call for EU Intervention in Browser War is Troubling
Spoiler
http://arstechnica.com/open-source/news/2009/02/mozilla-call-for-eu-intervention-in-browser-war-is-troubling.ars
Mozilla is backing calls from Opera for the EU to impose sanctions on Microsoft for including Internet Explorer in their operating system.

Mozilla Foundation chairperson Mitchell Baker contends that the inclusion of Microsoft's Internet Explorer web browser in the Windows operating system represents an ongoing threat to competition and innovation on the Internet. She supports the European Commission's investigation of Microsoft's bundling tactics and believes that remedies are needed to address Microsoft's alleged abuses. To that end, Mozilla intends to assist the commission by offering expertise about the browser market.

The European Commission (EC) issued a finding last month declaring that Microsoft has abused its dominant position as an operating system vendor by tying its web browser to the Windows platform. The commission has sent a Statement of Objections to Microsoft which outlines the basis for the accusation. Microsoft will be given the opportunity to respond in formal hearings before the EU evaluates the possibility of imposing fines or other remedies.


10. A Farewell to Palm(O)s: Company Stakes Future On WebOS
Spoiler
http://arstechnica.com/gadgets/news/2009/02/a-farewell-to-palm-os-company-stakes-future-on-webos.ars
PalmOS will be laid to rest as Palm's new WebOS takes over.

Palm's Pre debuted with a bang at CES this past January and was arguably the star of the show. Palm has struggled to remain a relevant, profitable player in the smartphone market for years; the company's last major smartphone (the Centro, released in the fall of 2007) was reasonably well-received, but it couldn't entirely negate the barrage of negative criticism that hit Palm following the cancellation of the ill-fated Foleo.

In a meeting with investors today, Palm President and CEO Ed Colligan confirmed that the company intends to leave its past behind and to devote itself entirely to its new webOS—after twelve-plus years, Palm OS is finally headed for retirement.


11. Moonlight 1.0 Brings Silverlight to Linux
Spoiler
http://arstechnica.com/open-source/news/2009/02/moonlight-10-brings-silverlight-to-linux.ars
Moonlight has officially gone gold, bringing Silverlight 1.0 compatibility to the Linux platform.

Novell has announced the official 1.0 release of Moonlight, an open source implementation of Microsoft's Silverlight rich Internet application framework. This release will make it possible for users of the Linux operating system to view content that is compatible with Silverlight 1.0.

The Moonlight project emerged in 2007, shortly after Microsoft unveiled Silverlight at the MIX conference. When Microsoft officially released Silverlight 1.0, the company announced plans to provide specifications and test suites to Novell in order to facilitate development of a Linux-compatible version. Moonlight has evolved significantly over the past year and is now ready for widespread use.


12. Russian and US Satellites Collide
Spoiler
http://news.bbc.co.uk/2/hi/science/nature/7885051.stm
Two communications satellites, one Russian, and one US, have collided in orbit.

The US commercial Iridium spacecraft hit a defunct Russian satellite at an altitude of about 800km (500 miles) over Siberia on Tuesday, Nasa said.

The risk to the International Space Station and a shuttle launch planned for later this month is said to be low.

The impact produced a cloud of debris, which will be tracked into the future.


13. Unix Lovers to Party Like It's 1234567890
Spoiler
http://blog.wired.com/gadgets/2009/02/unix-lovers-to.html
On Friday the 13th, 2009 at 11:31:30pm UTC (here in Aussie land that will be Saturday the 14th at 10:31:30am) the UNIX timestamp will reach 1234567890. This article was posted as close to that time as I could manage. To find out when it happened for you, try executing perl -e "print scalar localtime(1234567890);".

Unix weenies everywhere will be partying like it's 1234567890 this Friday.

That's because, at precisely 3:31:30 p.m. Pacific time on February 13, 2009, the 10-digit "epoch time" clock used by most Unix computers will display all ten decimal digits in sequence. (That's 6:31:30 Eastern, or 23:31:30 UTC.)


14. [NSFW] Sony Releases New Stupid Piece Of S**t That Doesn't F**king Work
Spoiler
http://www.theonion.com/content/video/sony_releases_new_stupid_piece_of
Discussion started by justice: https://www.donationcoder.com/forum/index.php?topic=16990.0
The Onion News Network reports on Sony's new "retarded hunk of garbage" which hit the shelves this week.




Ehtyar.
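For item 13 above, the post gives a perl one-liner to print the 1234567890 moment in your local zone. The following Python is an added example, not code from the post or the linked article; it converts the timestamp for the zones the article mentions (the fixed offsets PST -8, EST -5 and AEDT +11 are assumed to be the ones in effect on that date, written out rather than taken from a tz database so it runs offline) and checks the ascending-digit property the article celebrates.

```python
from datetime import datetime, timedelta, timezone

# Constructed for this example: the timestamp the post is about.
EPOCH_1234567890 = 1234567890

# Fixed UTC offsets in effect on 13/14 February 2009 (assumption: US zones on
# standard time, Sydney on daylight time). In production you would use named
# zoneinfo zones; fixed offsets keep this example self-contained and offline.
ZONES = {
    "UTC": timezone.utc,
    "US/Pacific (PST)": timezone(timedelta(hours=-8)),
    "US/Eastern (EST)": timezone(timedelta(hours=-5)),
    "Australia/Sydney (AEDT)": timezone(timedelta(hours=11)),
}


def is_ascending_digit_run(ts: int) -> bool:
    """True when each decimal digit of ts is the previous digit plus one (mod 10),
    so 1234567890 qualifies and 1234567891 does not."""
    digits = str(ts)
    return all((int(b) - int(a)) % 10 == 1 for a, b in zip(digits, digits[1:]))


def epoch_to_local(ts: int, tz: timezone) -> str:
    """Render a UNIX timestamp in the given zone; the Python equivalent of the
    post's perl -e "print scalar localtime(1234567890);" one-liner."""
    return datetime.fromtimestamp(ts, tz).strftime("%a %Y-%m-%d %H:%M:%S")


def when_did_it_happen(ts: int) -> dict:
    """Map each zone name to the formatted wall-clock time of ts in that zone."""
    return {name: epoch_to_local(ts, tz) for name, tz in ZONES.items()}


if __name__ == "__main__":
    print(f"ascending digit run: {is_ascending_digit_run(EPOCH_1234567890)}")
    for name, when in when_did_it_happen(EPOCH_1234567890).items():
        print(f"{name:>25}: {when}")
```

The UTC result is Friday 2009-02-13 23:31:30, the Pacific result 15:31:30 the same day, and the Sydney result Saturday 2009-02-14 10:31:30, matching the times given in the post.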

80
Living Room / Tech News Weekly: Edition 06-09
« on: February 07, 2009, 05:30 PM »
The Weekly Tech News
Hi all.
As usual, you can find last week's news here.
Enjoy :)


1. Global ATM Caper Nets Hackers $9 Million in One Day
Spoiler
http://www.privacydigest.com/2009/02/04/global+atm+caper+nets+hackers+9+million+one+day
RBS WorldPay was the victim of a hack last year that, although it appeared minimal at the time, has been revealed as a $9 million heist.

A carefully coordinated global ATM heist last November resulted in a one-day haul of $9 million in cash, after a hacker penetrated a server at payment processor RBS WorldPay, New York's Fox 5 reports.

RBS WorldPay announced on December 23 that they'd been hacked, and personal information on approximately 1.5 million payroll-card and gift-card customers had been stolen. (Payroll cards are debit cards issued and recharged by employers as an alternative to paychecks and direct-deposit.) Now we know that account numbers and other mag-stripe data needed to clone the debit cards were also compromised in the breach.


2. Experts Question Fallout from New Monster Hack
Spoiler
http://news.findlaw.com/ap/high_tech/1700/02-04-2009/20090204115005_19.html
Job search site Monster.com and USAJobs.gov have been breached for the second time in a year and a half, with data thieves making off with user IDs, passwords, e-mail addresses, names and phone numbers.

For the second time in less than 18 months, the job-search Web site Monster.com was breached, along with USAJobs.gov, which Monster's parent company runs for the federal government. And yet Monster might suffer little fallout - because the overall state of computer security is so bad anyway.

Attacks against Web sites have become so common, security experts say, that Monster Worldwide Inc. won't necessarily scare customers away with its January disclosure that its database was plundered of user IDs, passwords, e-mail addresses, names and phone numbers. Monster makes money by charging employers that post jobs and scan the resumes of applicants, who use the service for free.


3. Google Mistakes Entire Web for Malware
Spoiler
http://www.theregister.co.uk/2009/01/31/google_malware_snafu/
Discussion started by Paul Keith: https://www.donationcoder.com/forum/index.php?topic=16841.0
Human error at Google recently caused Google to report all websites as unsafe.

A human error at Google caused its main search engine to briefly identify every site on the web as a potentially malicious destination that represented a threat to end users, the company said.

Starting early Saturday morning California time, the world's largest search engine flagged each search result with the warning: "This site may harm your computer"

Attempts to visit a search link were met with Google's standard malware warning, which blocks users from actually reaching the intended destination:


4. Passport RFIDs Cloned Wholesale by $250 EBay Auction Spree
Spoiler
http://www.theregister.co.uk/2009/02/02/low_cost_rfid_cloner/
A security expert has assembled an inexpensive portable device that is capable of cloning US RFID passports and drivers licenses.

Using inexpensive off-the-shelf components, an information security expert has built a mobile platform that can clone large numbers of the unique electronic identifiers used in US passport cards and next generation drivers licenses.

The $250 proof-of-concept device - which researcher Chris Paget built in his spare time - operates out of his vehicle and contains everything needed to sniff and then clone RFID, or radio frequency identification, tags. During a recent 20-minute drive in downtown San Francisco, it successfully copied the RFID tags of two passport cards without the knowledge of their owners.


5. Sony Taps Veins for Better Biometrics
Spoiler
http://www.reghardware.co.uk/2009/02/02/sony_mofria/
Sony has released details of a new technology that allows biometric identification based on the circulatory system layout of your fingers.

Sony has unveiled the next step in biometric security: a camera-based system that analyses veins in your fingers.

The user first lays one side of their index finger down on a small pad, after which a series of LEDs shine infrared light onto it. A CMOS sensor sat on the other side of the finger then picks up light scattered off of the veins inside the user’s finger.

An algorithm uses this information to build up a picture of the user’s vein layout. Sony claims that, much like a fingerprint, a person’s vein arrangement is unique and that it doesn’t ever change.


6. Open Source Bulletin Board Offline After Hack Attack
Spoiler
http://www.theregister.co.uk/2009/02/04/phpbb_breach/
PHPBB.com was taken offline after hackers breached their servers through a vulnerability in PHPlist.

The website for one of the net's more popular bulletin board software packages has been taken offline following a security breach that gave an attacker full access to a database containing names, email, address, and hashed passwords for its entire user base.

In a message posted Sunday, administrators of phpBB.com said the attacker gained access through an unpatched security bug in PHPlist, a third-party email application. The miscreant had access for more than two weeks before the breach was discovered, and phpBB remained down at time of writing, more than three days later. Administrators didn't respond to emails seeking comment.


7. UK Gov Unleashes Biometric IDs
Spoiler
http://www.theregister.co.uk/2009/02/07/ips_card_readers/
The UK have rolled out their new biometric ID system, but have yet to deliver on the promise of readers for the cards.

The British Identity and Passport Service (IPS) has spent £4.7bn ($6.6bn) on its new biometric ID card system. But it has not established a timeline for a card-reader rollout.

Without the necessary card readers, the biometric information such as fingerprint scans stored in the cards is inaccessible and therefore useless for ID verification.

In a statement released on January 29, the IPS reiterated its schedule for releasing the cards, beginning with over 50,000 foreign nationals by this April, then airport workers in the fall of 2009, and leading up to full availability in 2011 and 2012 "to the wider population on an entirely voluntary basis."


8. Cap Mania Spreads to Charter
Spoiler
http://arstechnica.com/telecom/news/2009/02/charter-modifies-acceptable-use-policy-to-add-caps.ars
US ISP Charter have rolled out monthly download caps to all their customers.

The US ISP market is rapidly heading towards a future where unlimited monthly usage will be the exception rather than the rule. Comcast has already imposed usage caps, while a number of other ISPs are experimenting with limiting their subscribers' downloads. Although most of them are testing the limits in individual markets, it looks like Charter has decided to roll out caps for all its customers.

DSL Reports was tipped off about the plans earlier this week; we received confirmation from a Charter spokesperson this afternoon. She told Ars that the changes will be implemented through an update to Charter's acceptable use policy that will roll out on Monday, February 9.


9. Department of Defense Launches Open Source Site Forge.mil
Spoiler
http://arstechnica.com/open-source/news/2009/02/department-of-defense-launches-open-source-site-forgemil.ars
Discussion started by 40hz: https://www.donationcoder.com/forum/index.php?topic=16902
The DoD has launched a new open source website for its own open source initiatives, Forge.mil. It was taken offline shortly after going live due to unexpectedly high visitor traffic.

The Department of Defense (DoD) has launched Forge.mil, a software project management site that will host the military's public open source software projects. Inspired by SourceForge, the new site was created to accelerate development by facilitating broader collaboration between government agencies.

The DoD is a major proponent of the open development model and uses open source software extensively in the field. With the aim of fostering broader military adoption of open source software, the DoD defined an Open Technology Development roadmap in 2006 in collaboration with the Open Source Software Institute. In that report, the DoD discussed a wide range of issues that make open source software desirable for government adoption, including reduced risk of vendor lock-in, increased flexibility, greater interoperability, and reduced IT costs.


10. Electric Motorcycle Promises 150 MPH
Spoiler
http://blog.wired.com/cars/2009/02/mission-motors.html
Mission Motors, a San Francisco startup, has released details of a dedicated electric motorcycle they claim will reach 150 mph.

A San Francisco startup led by a former Tesla Motors engineer is developing an electric motorcycle capable of 150 mph, a claim that, if true, would make it the fastest production electric vehicle in the world.

Mission Motors unveiled the bike, dubbed Mission One, at the TED conference and said it will begin selling them next year for $69,000 apiece. Although several electric motorcycles have been announced in recent weeks, Mission Motors sticks out because its 12 employees have worked for Tesla, Ducati North America and Intel, and the bike they're building could set a new benchmark for EVs of all kinds.


11. Google Earth Dives Under the Sea
Spoiler
http://news.bbc.co.uk/2/hi/technology/7865407.stm
Google maps will now take you under the ocean's surface.

Google Ocean expands this map to include large swathes of the ocean floor and abyssal plain.

Users can dive beneath a dynamic water surface to explore the 3D sea floor terrain.

The map also includes 20 content layers, containing information from the world's leading scientists, researchers, and ocean explorers.

Al Gore was at the launch event in San Francisco which, Google hopes, will take its mapping software a step closer to total coverage of the entire globe.


12. Privacy Fears Over Google Tracker
Spoiler
http://news.bbc.co.uk/2/hi/technology/7872026.stm
Google has launched their "Latitude" service which enables users to advertise their current physical location to their contacts.

The "opt-in" Latitude service uses data from mobile phone masts, GPS, or wi-fi hardware to update a user's location automatically.

Users can also manually set their advertised location anywhere they like, or turn the broadcast off altogether.

The service has raised a number of security concerns, as many users may not be aware that it is enabled.

Latitude is based on Google's My Location feature that has been in place since last year.


13. Deceased Ex-Football Player's Shady Half Sister Foiled By Microsoft Office Fonts (Thanks 40hz :))
Spoiler
http://i.gizmodo.com/5146551/deceased-ex+football-players-shady-half-sister-foiled-by-microsoft-office-fonts
An attention seeker has been caught out in a lie when a letter she alleged was written in 1999 was using the Calibri font which has been available in Microsoft Office only since the 2007 edition.

At a recent Hall of Fame news conference, a woman claiming to be Ex-Cowboys receiver Bob Hayes' half sister read an emotional thank you letter written by him in 1999. But something is amiss.

Bob Hayes died in 2002 and this letter was supposedly a thank you pre-written in the hope that he would someday enter into the Hall of Fame after three decades of disappointment. Naturally, a reading at the conference by his half-sister Lucille Hester sparked a lot of emotion among the Cowboys' organization, the fans and the NFL. However, it appears that the letter is actually a forgery, and Lucille may be a Texas-sized fraud.


14. Are Reality Shows Setting Unrealistic Standards For Skanks?
Spoiler
http://www.theonion.com/content/video/in_the_know_are_reality_shows
Onion news debates whether or not reality television sets unattainable goals for today's Skanks.




Ehtyar.

81
Living Room / Tech News Weekly: Edition 05-09
« on: January 31, 2009, 08:24 PM »
The Weekly Tech News
Hi all.
Sorry guys, no funny this week 'coz the Onion videos sucked. If anyone has a place they'd suggest I check please reply.
As usual, you can find last week's news here.


1. Hacking Programmable Road Signs (Thanks Deozaan)
Spoiler
http://news.cnet.com/8301-13772_3-10149229-52.html
We'll start this week's news with a little something light-hearted. It seems instrument panels have been left unlocked and default passwords left unchanged on many large roadside electronic billboards, which has given rise to Road Sign Hacking.

We see them everywhere these days, digital signs by the side of the road telling us about road conditions or that we should prepare to stop or that our local bridge might be closed next Tuesday from noon to midnight. And if you're like me, you've always just assumed that the message on the signs is legitimate and properly authorized.

But what if the sign, instead of reading something like "Ice Ahead" was flashing the message, "Zombies Ahead"?


2. Hard Drive Manufacturers Back New Disk Encryption Standard
Spoiler
http://arstechnica.com/hardware/news/2009/01/hard-drive-manufacturers-unveil-disk-encryption-standard.ars
The major storage manufacturers have agreed to a standardized form of disk encryption based on 128- or 256-bit AES.

The Trusted Computing Group (TCG) has released three final specifications for hardware-level data encryption, and virtually all the major storage manufacturers have declared that they intend to adopt the new standards in the near future. Self-encrypted disks are already available on the market— Seagate has been actively pushing its DriveTrust technology for several years—but there was no central standard for drive encryption developers to refer to. The two new encryption standards provide a blueprint for desktop, laptops, and enterprise-level protection, while the third (dubbed the Storage Interface Interactions Specification) details how self-encrypted drives should interact with various communication protocols.

These new encryption methods do not require the presence of a Trusted Platform Module (TPM), but it's hard to imagine why an OEM would bother to build a system using self-encrypting hard drives and not include one. The TCG expects self-encrypting drives (and presumably TPM modules) to become ubiquitous across the enterprise/business market over the next few years. "With 48 states and many countries enforcing data protection laws, it has become crucial for enterprises to protect all data to avoid fines, lawsuits or even being put out of business. Encryption with authentication directly in the drive or enterprise storage devices as outlined in the Trusted Computing Group specifications is one of the most effective ways to ensure data is secure against virtual and physical attacks,” noted Jon Oltsik, senior analyst, Enterprise Strategy Group.


3. CT Legislator Moves to Protect Online Student Speech
Spoiler
http://arstechnica.com/tech-policy/news/2009/01/ct-legislator-moves-to-protect-online-student-speech.ars
In relation to the case of Avery Doninger (here and here), who was denied certain rights at school due to a post on her LiveJournal labeling school administrators "douchebags", a member of Connecticut's General Assembly has proposed laws to spell out the rights of students and educators regarding free speech on the Internet.

Thursday, we checked in on the case of Avery Doninger, the former Connecticut high school student who was barred from seeking reelection to her student council seat after calling school administrators "douchebags" in a LiveJournal post. As we noted, a federal court has ruled that, given the fuzzy state of the law concerning the scope of school authority over online student speech, Doninger can't press her First Amendment claim for damages against those who punished her. She plans to appeal that decision, but one state legislator has already declared his intention to introduce a bill establishing separation of blog and state.

According to the Journal-Inquirer, a local paper, former high school teacher Gary LeBeau, who sits on the state's General Assembly, will seek to create a "bright line" between speech produced on school computers or sent over school networks—which falls within the school's disciplinary purview—and private speech merely concerning the school. The court had found such a line lacking because "off-campus speech can become on-campus speech with the click of a mouse."


4. Microsoft Asks Open Source Developers to Play in Web Sandbox
Spoiler
http://arstechnica.com/microsoft/news/2009/01/microsoft-asks-open-source-developers-to-play-in-web-sandbox.ars
Microsoft has released its Web Sandbox technology under the Apache License 2.0, enabling its use in open source projects.

Microsoft has announced plans to release the code of its Web Sandbox project under the open source Apache Software License. This move reflects Microsoft's growing interest in contributing to interoperable standards-based Web technologies and also demonstrates the company's willingness to adopt well-established open source licenses for its own projects.

The Web Sandbox project aims to mitigate some of the security risks that are associated with building Web mashups that mix in untrusted content from third-party sources. The task of isolating untrusted code poses some complex technical challenges. Web Sandbox is one of several ongoing research projects that are implementing experimental solutions. It is similar in function to Google's Caja project.


5. "Digital Britain" to Legislate Graduated Response for ISPs
Spoiler
http://arstechnica.com/tech-policy/news/2009/01/digital-britain-will-legislate-graduated-response-for-isps.ars
Britain is preparing legislation that will require ISPs to install a graduated response system to reports of piracy.

The UK has officially announced its intention to legislate a "graduated response" system for P2P copyright infringement, though it sounds remarkably balanced compared to some proposals; the government insists that the "availability of legal content in the forms that consumers want" is actually the most important step content owners can take to address the problem. Disconnection of users without a court order appears not to be on the table, either.

The government's long-awaited interim Digital Britain report has just been released. It's a lengthy document that lays out UK thinking about universal broadband, spectrum reform, and digital radio, but nestled right in the middle of the report is one of the most controversial ideas: a mandatory "code" for ISPs to follow, and the creation of a government "Rights Agency" to help stakeholders deal with the issue of civil copyright infringement online.


6. Gears of War DRM Screwup Makes PC Version Unplayable
Spoiler
http://arstechnica.com/gaming/news/2009/01/pc-gears-of-war-drm-causes-title-to-shut-down-starting-today.ars
In a stunning example of how DRM comes back to bite the legitimate consumer in the proverbial backside, the PC game Gears Of War was rendered unplayable for legitimate owners on the 28th when the certificate used in the registration process expired.

Gamers who tried to play Gears of War on the PC Thursday ran into a slight snag: it seems that the digital certificate that allows the game to run expired on January 28, 2009. Basically that means if you keep your PC's clock up to date, you can no longer play the game. The official Epic forum is ablaze with complaints about this issue, as the still-kicking community becomes enraged.

"I had this problem this evening, I had to change the date and time (from PM to AM) and I am able to get in just fine," one frustrated gamer posted. "I also changed it back to the current date and time and it didn't work. Change it back to yesterday AM and it works fine... EPIC games won't be on my list anytime soon...."


7. Judge's Ruling That WoW Bot Violates DMCA is Troubling
Spoiler
http://arstechnica.com/gaming/news/2009/01/judges-ruling-that-wow-bot-violates-dmca-is-troubling.ars
The popular 'Glider' bot for World of Warcraft was ruled to be a 'circumvention device' under the DMCA, and the founder of the company that produced it was found personally liable for the actions of the company.

Blizzard notched another victory in its legal campaign against World of Warcraft bots when a judge on Wednesday ruled that a leading bot violates the Digital Millennium Copyright Act. MDY Industries LLC, the firm that develops and sells the Glider bot, already suffered a major setback last summer when the judge granted Blizzard summary judgment on several key issues. This week's decision deals with the issues the judge believed could not be decided until the conclusion of this month's trial. The judge ruled that Glider violated the DMCA's ban on "circumvention devices," and he also found that MDY's founder, Michael Donnelly, was personally liable for the actions of his firm.

As we've noted before, Blizzard's legal arguments, which Judge David G. Campbell largely accepted, could have far-reaching and troubling implications for the software industry. Donnelly is not the most sympathetic defendant, and some users may cheer the demise of a software vendor that helps users break the rules of Blizzard's wildly popular role playing game. But the sweeping language of Judge Campbell's decision, combined with his equally troubling decision last summer, creates a lot of new uncertainty for software vendors seeking to enter software markets dominated by entrenched incumbents and achieve interoperability with legacy platforms.


8. Meet Son of Storm, Srizbi 2.0: Next-gen Botnets Come Online
Spoiler
http://arstechnica.com/security/news/2009/01/meet-son-of-storm-srizbi-2-0-next-gen-botnets-come-online.ars
I would normally consider stories like this to be sensationalist, but it does include some interesting tidbits about the next generation of botnets.

As notable as the sustained fall-off in spam levels has been, we've all known it's only a matter of time before botnets began to worm their way back into the Internet. It turns out that part of the reason spam levels may have stayed lower these past months is that the same authors who might have normally spent time resurrecting their dead botnets on new servers were instead writing new botnets altogether. The new malware networks aren't just rehashes of what's come before; many of them incorporate advanced techniques to render themselves harder to detect/remove.

First the good news: SecureWorks reports that Storm is dead, Bobax/Kraken is moribund, and both Srizbi and Rustock were heavily damaged by the McColo takedown; Srizbi is now all but silent, while Rustock remains viable. That's three significant botnets taken out and one damaged in a single year; cue (genuine) applause.


9. ICANN Tries to Tackle Botnet-friendly Fast Flux Hosting
Spoiler
http://arstechnica.com/tech-policy/news/2009/01/icanns-fast-flux-report-open-for-comments-short-on-data.ars
Domain registrars are concerned about efforts by ICANN to determine what can be done about the use of Fast Flux hosting for illegal purposes.

Fast flux and double flux hosting present both registrars and registrants with a thorny problem. These two hosting methods are not classified as attack methods in and of themselves, but are often employed by spammers and malware botnets.

At "best," fast flux hosting obfuscates and delays security personnel working to shut down an attack; a particularly sophisticated double flux hosting system could allow a botnet to grow and remain active long enough to establish itself as a threat of Storm-worthy proportions. That last mention isn't an accident; fast flux hosting was a prominent Storm tactic.


10. Verizon: We've Been Having a Little Database Trouble
Spoiler
http://arstechnica.com/telecom/news/2009/01/verizon-weve-having-a-little-database-trouble.ars
US ISP Verizon have "lost" 3,400 database records pertaining to customers who chose to opt-out of their marketing campaign.

Verizon seems to have run into a glitch with one of its customer databases, losing thousands of records. Here's the background: in compliance with Federal Communications Commission rules, the company has established a system to permit consumers to "opt out" of letting Verizon use their phone records for marketing campaigns.

The wireless giant hires a vendor to handle these requests. Verizon then integrates this data, or "customer proprietary network information" (CPNI), into a database, which it says it checks prior to launching a campaign. CPNI usually includes calling records and the services that consumers use, such as voicemail or call forwarding. The opt out system caused quite a stir in late 2007, when the FCC beefed up its CPNI security rules, but it has more or less faded into the background auto flow of telecom policy since then.


11. Irish ISP Agrees to Disconnect Repeat P2P Users
Spoiler
http://arstechnica.com/telecom/news/2009/01/irish-isp-agrees-to-disconnect-repeat-p2p-users.ars
An Irish ISP has settled a court case with the music industry by agreeing to a graduated response plan to target repeat offenders in online piracy.

One of Ireland's largest ISPs, Eircom, has capitulated to the major music labels and agreed to implement a full "graduated response" program—complete with disconnections. Users get two warnings regarding file-sharing, and a third violation brings down the banhammer. The music industry has already said that it intends to pursue the same agreement with Ireland's other ISPs.

The dispute began some time ago when the Irish branches of EMI, Warner, Universal, and Sony filed suit against Eircom. They charged that the ISP was essentially aiding and abetting piracy by doing things like advertising its services on The Pirate Bay, and the labels believed they could get a judge to force the ISP to install network monitoring equipment.


12. Cox Ready to Throttle P2P, Non "time Sensitive" Traffic
Spoiler
http://arstechnica.com/tech-policy/news/2009/01/cox-opens-up-throttle-for-p2p-non-time-sensitive-traffic.ars
US ISP Cox is preparing to throttle "non time-sensitive" traffic across its network.

It takes guts—or perhaps something a bit further down the anatomy—to wait until Comcast has been smacked down for singling out P2P, the Obama administration has come to power, and Democrat Michael Copps (temporarily) heads the FCC to roll out a new Internet traffic management system that delays only some kinds of content during moments of congestion.

But that's exactly what Cox Cable, the third largest cable system in the US, has just announced.

According to the announcement made Tuesday night, Cox will trial the system in Kansas and Arkansas first, expanding it to the rest of its territory later in the year if all goes well.


13. 390,000 to Access Child Database
Spoiler
http://news.bbc.co.uk/2/hi/uk_news/education/7850871.stm
The British "Child Protection Database", containing contact details for every under-18 year old in England will be accessible to 390,000 people, and parents will not be permitted to have their child removed from the database, it has been revealed.

The ContactPoint database is intended to improve information sharing between professionals working with children.

Children's Minister Baroness Morgan said parents would not be allowed to remove their children from the list.

The Conservatives attacked the £224m database as "another expensive data disaster waiting to happen".

The Liberal Democrats have also previously opposed what they called an "intrusive and expensive project".



Ehtyar.

82
Developer's Corner / Cross-platform Coders Editor
« on: January 30, 2009, 12:33 AM »
Hi all.

Off the bat, I'm not looking for an IDE (for anyone who is I recommend Code::Blocks).

What I'm looking for is a text editor that is friendly to code, you know... syntax highlighting, regex, maybe code folding, scripting (yay perl!), command line piping etc etc. Notepad++ for Windows and Linux if you will (I so don't care about Mac compatibility). ATM it looks like gvim is the winner (if anyone mentions emacs, your shoes will spontaneously catch fire), but I wanted to check things out before I commit myself. All suggestions are appreciated guys, and IDE comments are welcome, though that's not what I am after.

Thanks, Ehtyar.

83
Best Virtual Machine Tool / VirtualBox - Top of the Lot
« on: January 28, 2009, 04:11 AM »
I understand why there has been no mention of VirtualBox around these parts yet - there are virtually (no pun intended) no good reviews of the product anywhere.

Fortunately, I found this rather comprehensive overview on Ars Technica. It's for Mac, but that doesn't particularly matter as VirtualBox is virtually (really, no pun intended) identical on every supported platform.

VirtualBox has been mentioned on DC in the past, but not since it became a real-world contender in the world of virtualisation. There are two threads here and here.

Personally, I would recommend VirtualBox above any other virtualisation solution available, paid or free.

Ehtyar.

84
Living Room / Cube Craft - Very Cool
« on: January 27, 2009, 05:32 AM »
There's a thing going round work atm (some of us get a little spare time every now and then OK? :P) and I'm having quite some fun with it. It's called Cube Craft. Basically you get prints off a website, you print them out on your standard color laser and cut them out and fold them up. There are images of all your favorite nerdy characters from Star Wars to Family Guy, and they're all in a cube (or more accurately, rectangular prism) shape.

The website I'm into is cubeecraft.com. Here are a few samples, click on them to download their pattern:


Let us know which ones you make, and give us some photos if you can. I'll post back once I've completed my Vader :)

Ehtyar.

85
Living Room / Tech News Weekly: Edition 04-09
« on: January 24, 2009, 05:44 PM »
The Weekly Tech News
Hi all.
Not much news this week guys. Honestly, I'd prefer to have fewer articles than inflate the list with boring junk.
As usual, you can find last week's news here.


1. New Paint Promises Low-cost Wi-Fi Shielding
Spoiler
http://www.itworldcanada.com//Pages/Docbase/ViewArticle.aspx?ID=idgml-80c6f4f0-b11e-461c-bb03-6fd5712d3d16&RSS=1&UID=B82BC1BD-28FF-4AEE-9A3A-B2C4D89EE233
Of course any organisation using a proper certificate-based authentication system isn't gonna care, but it's still cool...right?

IT managers should start familiarising themselves with a new security tool, the paint brush, as Japanese researchers have come up with a paint that they say will block high-speed wireless signals, giving businesses a cheap option to protect their wireless networks.

The problem of securing wireless networks has been an issue for a while now. Wi-Fi LANs with no encryption or running the obsolete WEP system, run the risk of having hackers outside the building eavesdrop on wireless LAN traffic, or simply stealing bandwidth. However, there are a number of solutions, besides encryption, for companies wishing to secure their networks.


2. Mac Malware Piggybacks On Pirated IWork
Spoiler
http://www.theregister.co.uk/2009/01/22/mac_trojan_attack/
Be careful Mac users, downloading a pirated copy of iWork could see you with a copy of OSX.Trojan.iServices.A bouncing around your machine with root privileges.

Malware masquerading as part of Apple's iWork 09 productivity suite is targeting unsuspecting Mac users foolish enough to install pirated software downloaded on warez sites.

Once installed, iServices.A has unfettered root access, which it promptly uses to connect to a remote server over the internet, according to Intego, which sells anti-virus software for Macs. A secondary download installs malware that makes victims part of a botnet that's attacking undisclosed websites.


3. Newly-discovered Mac Exploit to Be Detailed at Black Hat
Spoiler
http://arstechnica.com/journals/apple.ars/2009/01/22/newly-discovered-mac-exploit-to-be-detailed-at-black-hat
Seemingly unrelated to post No. 2, researchers have discovered a memory injection vulnerability in standard Apple hardware that could allow an attacker to run code on an Apple box without any indication to the user whatsoever. The exploit will be presented at the next Black Hat scheduled to begin in mid-February.

A student who researches malware and intrusion detection systems at the University Politecnico di Milano in Italy will be making a presentation next month at the upcoming Black Hat conference in Washington D.C. The briefing, as Black Hat refers to it, will deal with a memory injection technique specific to Apple hardware, which subsequently allows a piece of code to be run from memory.

While it may sound like the RAM Disk feature from the days of OS 9 and before, the technique is nowhere near as benign. What makes the memory injection technique particularly attractive to would-be hackers is that no traces are left on the hard drive and a new process is not created, making it what the experts call an "anti-forensic technique." What is run in memory is up to the attacker; it can range from code snippets to complete applications.


4. Superworm Seizes 9m PCs, 'stunned' Researchers Say
Spoiler
http://www.theregister.co.uk/2009/01/16/9m_downadup_infections/
The Conficker/Downadup worm has reached a staggering number of infections, almost 9 million according to security firm F-Secure. The massive spike has been attributed to the worm's ability to propagate across an entire network via a single infection.

Downadup, the superworm that attacks a patched vulnerability in Microsoft Windows, is making exponential gains if estimates from researchers at F-Secure are accurate. They show 6.5 million new infections in the past four days, bringing the total number of machines it has compromised to almost 9 million.

The astronomical growth stunned some researchers, although others cautioned the numbers could be inflated since the counting of infected computers is by no means an exact science. Most agreed F-Secure's estimate was certainly plausible and if it proved to be correct, represented a major development in the world of cyberthreats.


5. Judge: 17,000 Illegal Downloads Don't Equal 17,000 Lost Sales
Spoiler
http://arstechnica.com/news.ars/post/20090119-judge-17000-illegal-downloads-dont-equal-17000-lost-sales.html
A US district court judge (finally, one with some form of logic) has ruled that each illegal download in a piracy case is not equivalent to a lost sale.

Record companies cannot collect restitution for every time a song has been illegally downloaded, a US District judge has decided. Judge James P. Jones gave his opinion on United States of America v. Dove, a criminal copyright case, ruling that each illegal download does not necessarily equate to a lost sale, and that the companies affected by P2P piracy cannot make their restitution claims based on this assumption.

Daniel Dove was originally found guilty of criminal copyright infringement for running a torrent group called "Elite Torrents" between 2004 and 2005. The jury in the case had found Dove guilty of reproduction and distribution of copyrighted works, as well as conspiracy to commit criminal copyright infringement. At the time, Judge Jones sentenced Dove to 18 months in prison for each count, plus a special assessment of $200 and a $20,000 fine ($10,000 per count).


6. Microsoft Contributes Code to Apache Interoperability Effort
Spoiler
http://arstechnica.com/journals/linux.ars/2009/01/23/microsoft-contributes-code-to-apache-interoperability-effort
Microsoft have contributed source code to Apache's Stonehenge project aimed at interoperation of projects built on different programming platforms.

Microsoft has contributed source code to Apache's Stonehenge project, an open source effort that collects sample implementations of applications that are built with Service Oriented Architecture (SOA). The aim of the project is to test and demonstrate interoperability between application implementations that are built on different underlying technology.

The project was launched in November under the aegis of the Apache Incubator, a pool of nascent community-driven projects that are working their way into the Apache ecosystem. According to Stonehenge participant Paul Fremantle, this is the first Incubator podling that has received direct involvement from Microsoft.


7. The Plot to Kill Google
Spoiler
http://www.wired.com/techbiz/it/magazine/17-02/ff_killgoogle
As anyone who knows me well will likely expect, I'm not a fan of the headline, though this article is an excellent read if you're interested in the gory details of how the Yahoo/Google deal went south.

When Google's lawyers entered the smooth marble hallways of the Department of Justice on the morning of October 17, they had reason to feel confident. Sure, they were about to face the antitrust division—an experience most companies dread—to defend a proposed deal with Yahoo. But they had to like their chances. In the previous seven years, only one of the mergers that had been brought here had been opposed. And Google wasn't even requesting a full merger. It just wanted the go-ahead to pursue a small deal that it was convinced would benefit consumers, the two companies, and the search-advertising market as a whole. Settling around a large oval table in the conference room, the attorneys from Google and Yahoo prepared to make their arguments. Google wanted to serve its ads for certain search terms on Yahoo's pages in exchange for a share of the revenue those ads generated. It already had similar arrangements with AOL, Ask.com, and countless other Web sites. And the deal wasn't exclusive or permanent.

Tom Barnett, assistant attorney general for antitrust, took his seat at the table and called the meeting to order. The Yahoo lawyers kicked things off by describing their negotiations with DOJ staff; they had already suggested limiting the length of the deal and capping the amount of money in play. Barnett seemed unimpressed. "Staff," he proclaimed, "is irrelevant." He made the decisions around there.


9. YouTube Contest Challenges Users To Make A 'Good' Video
Spoiler
http://www.theonion.com/content/video/youtube_contest_challenges_users
Youtube has challenged users to create a video that "is actually worth watching".




Ehtyar.

86
Living Room / Tech News Weekly: Edition 03-09
« on: January 17, 2009, 05:52 PM »
The Weekly Tech News
Hi all.
Keep an eye out for No. 1 everyone, looks like it could get out of hand pretty quickly. Enjoy this week's news :)
As usual, you can find last week's news here.


1. Three Million Hit by Windows Worm
Spoiler
http://news.bbc.co.uk/2/hi/technology/7832652.stm
http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=212900793
A virus is rapidly infecting Windows machines that have not yet applied the patch for MS08-067. Researchers at security firm F-Secure peg the infection rate closer to 8 million, and have expressed concerns the virus could be the beginning of a new massive botnet.

A worm that spreads through low security networks, memory sticks, and PCs without the latest security updates is posing a growing threat to users.

The malicious program, known as Conficker, Downadup, or Kido was first discovered in October 2008.

Although Microsoft released a patch, it has gone on to infect 3.5m machines.


2. Windows 7 Now 'available to all'
Spoiler
http://news.bbc.co.uk/2/hi/technology/7825111.stm
After last week's debacle in which Microsoft failed to anticipate the level of enthusiasm surrounding the BETA of Windows 7, availability of the pre-release operating system has been restored, and without the planned limit on downloads.

The latest Windows release will be available to everyone after a surge in demand crashed the Microsoft website on 9 January, the original release date.

In response, the company has lifted a planned limit on the number of copies of the Windows 7 Beta available for download.

Microsoft delayed the launch by one day to add "more infrastructure and servers" to cope with demand.


3. UK Ministry of Defence Stung by Rapidly Spreading Virus
Spoiler
http://www.networkworld.com/news/2009/011609-uk-ministry-of-defence-stung.html
http://www.theregister.co.uk/2009/01/15/royal_navy_email_virus_outage/
The UK's Ministry of Defence has been overwhelmed by a virus rapidly spreading across its computer infrastructure. Although they have released no details regarding the nature of this virus, one can suspect this story is related to item No 1.

The U.K. Ministry of Defence is in the midst of an electronic fight with a computer virus that rapidly spread through its computer networks starting Jan. 6.

The virus infected computers throughout the military, including those used by the Royal Air Force and Royal Navy, and is one of the most severe attacks the organization has ever faced, according to a Ministry of Defence spokeswoman.


4. Storm Worm Smackdown As Researchers Unpick Control System
Spoiler
http://www.theregister.co.uk/2009/01/13/storm_worm_unpicked/
As a new potential botnet rises, another may finally fall.

A team of security researchers have developed a technique for automatically purging the remnants of the Storm worm infection from the internet. But the approach - which involves turning the botnet's command and control system against itself - could run foul of computer hacking laws in Germany and elsewhere, which ban the modification of computer systems without consent.

Nonetheless, the work of the team from Bonn University and RWTH Aachen University has advanced knowledge about how botnets (networks of compromised zombie PCs) are established and maintained that could advance the development of more acceptable tracking and take-down techniques.


5. RIM Squashes BlackBerry PDF Peril
Spoiler
http://www.theregister.co.uk/2009/01/14/blackberry_pdf_patch/
A flaw in the way Blackberry PC software handles malformed PDFs that could potentially lead to remote code execution has been patched by Blackberry maker Research In Motion.

Research in Motion (RIM) has published a patch that fixes a pair of critical flaws in the way BlackBerry servers handle malformed PDF files.

The two related security updates address vulnerabilities in the PDF Distiller of the BlackBerry Attachment Service for BlackBerry Unite and BlackBerry Enterprise Server, respectively. As a result of the bugs, hackers might be able to inject hostile code onto computer systems running the BlackBerry Attachment Service, providing they can trick the user of a BlackBerry smartphone into opening a maliciously crafted PDF attachment, contained in an email message sent to them.


6. Why Microsoft Left Windows 7 Unpatched On Patch Tuesday
Spoiler
http://arstechnica.com/journals/microsoft.ars/2009/01/14/why-microsoft-left-windows-7-unpatched-on-patch-tuesday
Microsoft ignored the BETA of Windows 7 when it released its patch for MS09-001 this week because the remote code execution vulnerability was rated "moderate", a level that Microsoft deem unnecessary to patch in BETA versions of Windows.

Microsoft started 2009 by fixing just one security flaw in its software; this month's Patch Tuesday only had a single security bulletin, MS09-001.

The security update kills three birds with one stone: two privately reported vulnerabilities and one publicly disclosed vulnerability. This is possible since all three problems, which could allow remote code execution and give an attacker full user rights, are found in the Microsoft Server Message Block (SMB) Protocol.


7. FreeYourPhone.org Launches, Pushes for New DMCA Exemption
Spoiler

Good news for those with jailbroken phones. FreeYourPhone.org has launched a petition to have the DMCA amended to allow owners of jailbroken phones to maintain their legal rights as phone owners.

The Electronic Frontier Foundation has begun a new campaign to get the public to complain to lawmakers about the limitations of locked mobile phones. The new site, FreeYourPhone.org, encourages citizens to sign a petition going to the US Copyright Office in support of the EFF's recent push for an exemption to the Digital Millennium Copyright Act (DMCA), which it hopes will offer legal protection to phone users who have jailbroken or unlocked their devices.

The EFF submitted the exemption request back in December as part of the Copyright Office's triennial DMCA exemption reconsideration. In addition to phone jailbreaks and unlocks, the EFF asked for exemptions from the DMCA for YouTube's "remix culture," and university libraries across the country asked for more rights for using DVDs in classroom settings.


8. Meet Tim Cook: The Man in Charge of Apple
Spoiler
http://blog.wired.com/gadgets/2009/01/meet-tim-cook-h.html
Earlier this week, Apple announced Steve Jobs will be stepping down as Apple CEO until June on medical grounds. Tim Cook, Jobs' right-hand man, will stand in for him until such time as Jobs is able to return.

For millions of Apple fans, Steve Jobs is irreplaceable. But if there's one man Jobs himself trusts to stand in his shoes, it is his second in command, Apple Chief Operating Officer Tim Cook.

With Jobs on medical leave until June, Cook will be leading the team at Apple. And it is likely that when Jobs leaves Apple, it will be Cook he will anoint as the new CEO of the company.

"Tim runs Apple," says Michael Janes, the first general manager of Apple's online store and now co-founder of ticketing search engine FanSnap, "and he has been running Apple for a long time now."


9. Obama to Defend Telco Spy Immunity
Spoiler
http://blog.wired.com/27bstroke6/2009/01/obama-to-fight.html
It seems the Obama Administration will go along with the immunisation of Telcos that assisted the Bush Administration in its domestic spy program.

The incoming Obama administration will vigorously defend congressional legislation immunizing U.S. telecommunication companies from lawsuits about their participation in the Bush administration's domestic spy program.

That was the assessment Thursday by Eric Holder, President-elect Barack Obama's choice for attorney general, who made the statement during his confirmation hearings before the Senate Judiciary Committee. A court challenge questioning the legality of the legislation is pending in U.S. District Court in San Francisco -- where the judge in the case wanted to know what the Obama administration's position was.


10. Judge Calls RIAA Objections "specious," Will Stream Hearing
Spoiler
http://arstechnica.com/news.ars/post/20090115-judge-calls-riaa-objections-spurious-will-stream-hearing.html
Once again the RIAA planted its proverbial foot squarely in its mouth when it objected to the live streaming of one of its infamous piracy lawsuits.

A federal judge has agreed to a novel request: streaming parts of an upcoming file-sharing trial over the Internet. Judge Nancy Gertner has granted the request of Harvard Law professor Charles Nesson and students to put the gavel-to-gavel footage on the Internet for any non-commercial use, over the RIAA's objections. But only on a one-time basis.

Joel Tenenbaum's first strategy for dealing with an RIAA settlement letter wasn't real helpful: he called them up and offered $500 instead of $3,500. His offer was rejected. When the case actually went to court, Tenenbaum tried to settle again, this time for $5,000, but by then the RIAA wanted $10,500.


11. Barbara Bush Runs Aground Off Coast Of Maine
Spoiler
http://www.theonion.com/content/video/barbara_bush_runs_aground_off
In an apparent send-off for her son as he leaves office, President Bush's mother, Barbara Bush, has run aground off the US coast.





Ehtyar.

87
Hi all.

I have the unfortunate task of administering the Sharepoint site where I work, and thus am forced to use Internet Explorer as Sharepoint is not fully functional in browsers that do not support ActiveX. I would like my IE favorites and passwords to be carried on a USB storage device. Does anyone know if this is possible?

I can't tote the entire browser around me, because that would be illegal. I've tried portable Maxthon, but it does not portablise saved passwords (they remain saved in the local browser, which is not acceptable).

If anyone has any suggestions I'd very much appreciate a reply.

Thanks, Ehtyar.

88
Living Room / eBay USB Thumb Drive Buyers: Beware
« on: January 12, 2009, 12:11 AM »
It seems that eBay is still a benefactor of all things nefarious. A currently running scam on eBay involves the modification of USB thumb drives to report a higher-than-actual capacity to the operating system. A friend of mine recently purchased a 16 GB drive for $6, only to find that when attempting to copy more than 4 GB of data onto the key, he would corrupt the drive. Be wary people. Read More

Ehtyar.
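A capacity check for the fake-capacity drives described in this post, as an added example that is not part of the original post: it writes an offset-keyed pattern block by block and, after every write, confirms both that the block reads back (catches silently dropped writes) and that block 0 is still intact (catches writes that wrap around onto earlier blocks, the cause of the "copy more than 4 GB and the drive corrupts" symptom). The `FakeDrive` class is a constructed in-memory stand-in for such a drive, and `BLOCK_SIZE`, `pattern` and `verify_capacity` are names chosen here; on real hardware the same read/write calls would go to the raw block device, and the check is destructive.

```python
"""Detect a flash drive that advertises more capacity than it really has.

Added example, not from the original post. The drive below is a constructed
stand-in so the code runs offline; everything else is the actual check.
"""
import hashlib

BLOCK_SIZE = 4096


def pattern(offset: int) -> bytes:
    """Deterministic block content that is different for every block offset."""
    out = bytearray()
    counter = 0
    while len(out) < BLOCK_SIZE:
        out += hashlib.sha256(b"capacity-check" + offset.to_bytes(8, "big")
                              + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:BLOCK_SIZE])


class FakeDrive:
    """Constructed stand-in for a mis-programmed controller (not real hardware).

    Advertises `advertised` bytes but holds only `real` bytes of flash. Beyond
    the real flash, mode "wrap" aliases writes onto earlier blocks and mode
    "drop" discards them; both behaviours are seen on fake-capacity drives.
    """

    def __init__(self, advertised: int, real: int, mode: str = "wrap"):
        if real % BLOCK_SIZE or advertised % BLOCK_SIZE or real > advertised:
            raise ValueError("sizes must be block-aligned and real <= advertised")
        self.advertised, self.real, self.mode = advertised, real, mode
        self.flash = bytearray(real)

    def size(self) -> int:
        return self.advertised          # what the OS is told

    def write(self, offset: int, data: bytes) -> None:
        if offset + len(data) > self.advertised:
            raise OSError("write beyond advertised capacity")
        if offset >= self.real and self.mode == "drop":
            return                      # silently lost
        pos = offset % self.real        # wrap onto real flash
        self.flash[pos:pos + len(data)] = data

    def read(self, offset: int, length: int) -> bytes:
        if offset >= self.real and self.mode == "drop":
            return bytes(length)        # unbacked region reads as zeros
        pos = offset % self.real
        return bytes(self.flash[pos:pos + length])


def verify_capacity(drive) -> dict:
    """Write a unique pattern to every block and report the usable capacity.

    Returns {'advertised', 'usable', 'defect'} where defect is 'wrap', 'drop'
    or None. Destructive: it overwrites the whole drive.
    """
    advertised = drive.size()
    first = pattern(0)
    for offset in range(0, advertised, BLOCK_SIZE):
        block = pattern(offset)
        drive.write(offset, block)
        # A block that does not read back was never stored.
        if drive.read(offset, BLOCK_SIZE) != block:
            return {"advertised": advertised, "usable": offset, "defect": "drop"}
        # Block 0 changing means this write landed on top of it.
        if offset and drive.read(0, BLOCK_SIZE) != first:
            return {"advertised": advertised, "usable": offset, "defect": "wrap"}
    return {"advertised": advertised, "usable": advertised, "defect": None}


if __name__ == "__main__":
    # Scaled-down analogue of the post's drive: "16 GB" advertised, 4 GB real.
    print(verify_capacity(FakeDrive(advertised=16 * BLOCK_SIZE, real=4 * BLOCK_SIZE)))
```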

89
Living Room / Tech News Weekly: Edition 02-09
« on: January 10, 2009, 03:41 PM »
The Weekly Tech News
Hi all.
To add a little humour to what is usually just a list of bad events taking place in the IT realm, the final article for each week will now be my favorite video or article from The Onion News Network for the week. I hope you like it :)
As usual, you can find last week's news here.


1. Password Guessing Attack Exposed in Twitter Pwn
Spoiler
http://www.theregister.co.uk/2009/01/07/twitter_hack_explained/
The account of a Twitter admin was compromised recently via a dictionary attack, and was used to deface the accounts of several prominent tweeters.

Miscreants broke into Twitter's admin system on Sunday night using a simple password guessing hack, it has emerged.

A teenage hacker, known in the digital underground as GMZ, claims he obtained access to the micro-blogging site’s admin controls using a brute force dictionary attack. After guessing the login identity of an administrator, in part based on the large number of people she followed, GMZ ran an automated password guessing program overnight to reveal that 'Crystal' used the eminently guessable password of "happiness". The 18-year-old student then used these details to offer up access to Twitter accounts on request through Digital Gangster, an underground hacker forum, Wired reports.

The move enabled griefers to break into the Twitter feeds of the likes of Britney Spears, Fox News and US President-Elect Barack Obama on Monday to push out bogus messages. GMZ sat on the sidelines during this attack because he had failed to use a proxy during his password cracking attack, making him more at risk of identification.


2. Boffin Brings 'Write Once, Run Anywhere' to Cisco Hijacks
Spoiler
http://www.theregister.co.uk/2009/01/05/cisco_router_hijacking/
http://www.darkreading.com/security/perimeter/showArticle.jhtml?articleID=212700896
Felix Lindner of Recurity Labs has finally answered the age-old question of how to target multiple IOS versions with a single exploit. Admins, start your engines... I hope word man was sitting on a plastic-covered chair for this one ;)

A researcher has discovered a way to reliably exploit a known security vulnerability in a wide class of Cisco System routers, a finding that for the first time allows attackers to hijack millions of devices with a single piece of code.

The discovery by Felix "FX" Lindner of Recurity Labs in Berlin brings the write-once-run-anywhere approach of software development to the dark art of compromising routers that form the core of the internet. Previously, reliable exploit code had to be specifically fashioned to one of more than 15,000 different supported builds of IOS, or Internet Operating System, which run various Cisco devices.


3. Researchers Poke Holes in Intel's Anti-tampering Tech
Spoiler
http://www.theregister.co.uk/2009/01/07/intel_vpro_hack/
Details regarding bypass of Intel's Trusted Execution Technology (TXT) are due to be unveiled at the next Black Hat Conference.

A practical attack on Intel's trusted execution technology (TXT) is due to be demonstrated at a hacking conference next month.

Security researchers from Invisible Things Lab have created a technique for compromising the integrity of software loaded via TXT, a key component in Intel's Safer Computing Initiative and part of the chip giant's vPro brand. Intel's TXT technology - which aims to protect systems against tampering - hooks into CPUs and chipsets as well as featuring use of Trusted Platform Module 1.2 (TPM) technology.

For example, the technology ensures programs running on a virtual machine are free to go about their business without interference from other (potentially malicious) packages loaded onto the same system. It also has applications in Digital Rights Management.


4. VeriSign Remedies Massive SSL Blunder (kinda, Sorta)
Spoiler
http://www.theregister.co.uk/2009/01/09/verisign_ssl_remedy/
In response to a story published last week VeriSign claim to have fixed the vulnerability discovered in SSL certificates.

After being publicly outed issuing web credentials that were vulnerable to attacks that could allow criminals to spoof the encryption certificates of any website on the internet, VeriSign has issued assurances it has neutralized any real-world threat.

Tim Callan, vice president of VeriSign's product marketing, has said that within hours of last week's news that researchers had uncovered a devastating weakness in secure sockets layer certificates issued by VeriSign subsidiary RapidSSL, the company made changes to ensure all its SSL products were immune to the attacks.

As usual, the truth is a little more complicated.


5. 'Curse of Silence' Smartphone Flaw Disclosed
Spoiler
http://news.cnet.com/8301-1009_3-10130499-83.html
Certain older versions of Nokia's Symbian OS for mobile phones have been found to be susceptible to a buffer overflow vulnerability triggered by a specially crafted SMS that in certain cases prevents the user from receiving further SMS messages.

A denial-of-service attack that limits the number of SMS messages that can be received by Nokia smartphones has been disclosed and demonstrated.

Dubbed the "curse of silence" by German security researcher Tobias Engel, the attack occurs when Nokia Series 60 phones are sent a malformed e-mail message via SMS (Short Message Service). Engel demonstrated the attack on Tuesday at the Chaos Communication Congress in Berlin, according to a blog post by security vendor F-Secure.


6. Interface Controlled by Hand Gestures
Spoiler
http://www.wired.com/video/latest-videos/latest/1815816633/conceptual-interface-is-controlled-by-hand-gestures/6750621001
Toshiba has shown off concept hardware at CES capable of reading hand gestures for input.

At CES 2009, Toshiba showed off a conceptual computer interface that uses hand gestures for control. With simple motion sensing technology and a software interface, Toshiba hopes to open up applications for video games and other interactive media.


7. Microsoft Begins Windows 7 Push
Spoiler
http://news.bbc.co.uk/2/hi/technology/7817190.stm
Windows 7 Thread: https://www.donationcoder.com/forum/index.php?topic=15107
Windows BETA Thread: https://www.donationcoder.com/forum/index.php?topic=16482
Microsoft were set to make Windows 7 BETA available to the public on Jan 9, but it appears you'll have to torrent this one too as they were unable to meet demand.

Microsoft boss Steve Ballmer used his keynote speech at CES to announce that software developers would get at the trial version on 7 January.

On 9 January members of the public will get the chance to download the successor to Windows for themselves.

Mr Ballmer said Windows 7 would be the pivot of a broader Microsoft push to improve the way its separate software and service families work together.


8. Another DNS Flaw
Spoiler
http://www.internetnews.com/security/article.php/3795311/Another+DNS+flaw.htm
Another DNS flaw has been discovered in the implementation of DNSSEC in BIND. The flaw has already been patched, and there don't appear to be any exploits in the wild.

Security researcher Dan Kaminsky made headlines last year when he discovered a critical DNS flaw. If left unpatched it could have crippled vast parts of the Internet.

As 2009 starts up, a new DNS flaw has emerged, but the severity of the threat is less pronounced.

ISC (Internet Systems Consortium) the group leading development of the open source BIND DNS server that dominates the Internet, quietly issued a patch to multiple versions of BIND this week.


9. DOCSIS 3.0 Laggard Charter Files Patent Suit Against Verizon
Spoiler
http://arstechnica.com/news.ars/post/20090108-docsis-3-0-laggard-charter-files-patent-suit-against-verizon.html
Charter has filed suit against Verizon for patent infringement after Verizon offered video on demand services that blew Charter's offering out of the water.

If you're an incumbent cable operator who has had the TV market to yourself for several years only to be challenged by an upstart that offers a better service, you've got two options: ratchet up your own offerings or sue the upstart. Faced with an incursion by Verizon's FiOS TV and Internet service into some of its territories, Charter is apparently going with door number two, filing a patent infringement lawsuit against Verizon on the last day of 2008.

At issue are four patents owned by Charter covering video-on-demand services, dynamic pricing for subscription-on-demand services, and a pair of patents covering data transmission. The most interesting appear to be the three patents which relate to video transmission. One patent, 6826197, seems rather generic, describing a data packet with a header, routing information field, data field, data payload, and error correction field. It does have the capability of "efficiently propagating a payload through a multi-user, digital video distribution system," however.


10. Kiwis Rally Opposition to NZ Copyright Bill
Spoiler
http://arstechnica.com/news.ars/post/20090106-kiwis-rally-opposition-to-nz-copyright-bill.html
It appears New Zealand is following Australia's lead in tyranny of the internet, proposing a new law that would see "suspected copyright infringers" cut off from the internet.

Borrowing the "Not in My Name" slogan popularized by anti-war and pro-Palestinian activists, New Zealand's newborn Creative Freedom Foundation is leading a petition drive to block implementation of copyright legislation slated to take effect at the end of February. Critics charge that Section 92 of the Copyright (New Technologies) Amendment Act, enacted this past April, requires ISPs to act on a principle of "guilt upon accusation," cutting off the Internet connections of users merely alleged to be violating copyright.

Section 92 has also drawn the ire of New Zealand's ISPs, under the umbrella of the Telecommunications Carriers' Forum, which has blasted the reform as "a deeply flawed law that undermines fundamental rights and simply will not work.” Jamie Baddeley, who heads the country's ISP trade association, argues that the legislation, which makes providers legally liable for failing to delete infringing material and disconnect infringers, "has the potential to put some of our smaller innovative members out of business."


11. Apple Introduces Revolutionary New Laptop With No Keyboard
Spoiler
http://www.theonion.com/content/node/92328
Discussion thread by CodeByter: https://www.donationcoder.com/forum/index.php?topic=16449.0
Apple has unveiled a revolutionary new laptop that has completely replaced the keyboard with something very...Apple.

wheel.png




Ehtyar.

90
Living Room / Google and Feedburner
« on: January 07, 2009, 07:27 PM »
Firstly, I want praise for not using 'GOOGLE IS EVIL!!' as the title of this thread.

There, now that that's out of the way...

We have here and here two identical RSS feeds, yes? One is the source feed from TechCrunch's Wordpress, the other is that very same feed proxied through Google's recent Feedburner acquisition which happens to be the only feed that TechCrunch themselves link to.

Now I understand people using Google services when Google gets to mine the user's data/behavior in return. I have a personal objection to it, but if people are willing to expose themselves like that then it's on their back. But exactly what benefit does the user receive when retrieving feeds from Google's proxy as opposed to getting them directly from the source site?

I fully acknowledge that the provider of said service benefits from using this service, but it's not the provider's behavior Google gets to mine. It deeply concerns me that in this case Google has, in my opinion, moved from providing services that entice users, to providing services that entice providers into forcing users to use said services.

I'm going to stop short of claiming Google is evil in this case simply because I can't imagine I'm not missing something here. I would really appreciate some insight into what the F is going on here.

Ehtyar.

91
Living Room / Tech News Weekly: Edition 01-09
« on: January 03, 2009, 02:19 PM »
The Weekly Tech News
Hi all.
Happy New Year everyone :) Enjoy the news.
As usual, you can find last week's news here.


1. Hackers Create Rogue CA Certificate Using MD5 Collisions
Spoiler
http://blogs.zdnet.com/security/?p=2339
Another: http://www.theregister.co.uk/2008/12/30/ssl_spoofing/
Another: http://www.securityfocus.com/news/11541
A group of hackers have used 200 PS3s and a weak SSL certificate (timing prediction and MD5 collision) to create a rogue CA which they used to forge SSL certificates for several major websites. Certificates validated by the rogue CA will be valid for 2004 only to prevent misuse, though browsers will be blacklisting the rogue CA in their next updates.

Using computing power from a cluster of 200 PS3 game consoles and about $700 in test digital certificates, a group of hackers in the U.S. and Europe have found a way to target a known weakness in the MD5 algorithm to create a rogue Certification Authority (CA), a breakthrough that allows the forging of certificates that are fully trusted by all modern Web browsers.

The research, which will be presented today by Alex Sotirov (top left) and Jacob Appelbaum (bottom left) at the 25C3 conference in Germany, effectively defeats the way modern Web browsers trust secure Web sites and provides a way for attackers to conduct phishing attacks that are virtually undetectable.


2. Cybersecurity Attracts Boeing, Rival Lockheed
Spoiler
http://seattletimes.nwsource.com/html/boeingaerospace/2008575662_cybersecurity31.html
U.S. military contractors Boeing and Lockheed Martin have drastically increased the capacity of their cyber-security divisions anticipating higher demand in 2008.

Lockheed Martin and Boeing, the world's biggest defense companies, are deploying forces and resources to a new battlefield: cyberspace.

The military contractors, eager to capture a share of a market that may reach $11 billion in 2013, have formed business units to tap increased spending to protect U.S. government computers from attack.

Boeing set up its Cyber Solutions division in August "because of a realization by the company that it's a very serious threat," said Barbara Fast, vice president of the unit.


3. CA Issues No-questions Asked Mozilla Cert
Spoiler
http://www.theregister.co.uk/2008/12/29/ca_mozzilla_cert_snaf/
A security researcher successfully procured an SSL certificate for Mozilla.com after identifying a CA that did not check the credentials of the entity making the request, highlighting the primary weak point in SSL: the CA.

Security researchers have uncovered weaknesses in low-assurance digital certificates that create a means for miscreants to mount more convincing man-in-the-middle (MITM) attacks.

MITMs involve a hacker planting himself between two parties in a dialogue, relaying messages between them and effectively controlling the conversation. The approach might be used, for example, to trick a user into handing over online banking login credentials in the mistaken belief that they are talking directly to a financial institution.

Normally untrusted certificates from an unknown issuer are used by fraudster sites in these kind of scenarios. This would generate error messages or warnings that flag up possible problems, at least to the more internet-savvy.


4. DECT Wireless Eavesdropping Made Easy
Spoiler
http://www.theregister.co.uk/2008/12/31/dect_hack/
In yet another Epic Fail of security by obscurity, your household cordless phone is likely vulnerable to eavesdropping, even with the standard encryption scheme enabled.

Conversations relayed through cordless household phones might be far easier to snoop upon than previously suspected.

A new attack against phones based on DECT (Digital Enhanced Cordless Telecommunication) technology - demonstrated during the Chaos Communication Congress in Berlin earlier this week - might be carried out cheaply using off-the-shelf kit, together with a little know-how. A modified $30 VoIP laptop card running on a Linux portable were used to demonstrate the attack, which relies on using specially outfitted equipment to impersonate legitimate wireless base stations.


5. Windows Media Player Flaw Denied
Spoiler
http://www.theregister.co.uk/2008/12/30/wmp_bug_spat/
Microsoft have denied that a flaw in WMP uncovered by researchers is capable of enabling remote code execution.

Researchers reckon a security bug in Windows Media Player creates a means for hackers to inject hostile code onto vulnerable systems. However Microsoft has denied this, saying that the bug only creates a means to crash the software without posing a more damaging security risk.

The WMP integer overflow bug reportedly kicks in when the media player attempts to process maliciously constructed WAV, SND, or MIDI files. Security researchers have created proof of concept code demonstrating the vulnerability, the SANS Institute's Internet Storm Centre reports.


6. FBI Issues Code Cracking Challenge
Spoiler
http://www.networkworld.com/community/node/36704
Code: http://www.fbi.gov/headlines/code.swf
The FBI has issued another code cracking challenge.

The FBI today challenged anyone in the online community to break a cipher code on its site.  The code was created by FBI cryptanalysts. The bureau invited hackers to a similar code-cracking challenge last year  and got tens of thousands of responses it said.


7. UK: Private Firm to Guard Database of Every Phone Call, E-mail
Spoiler
http://arstechnica.com/news.ars/post/20090101-uk-private-firm-to-guard-database-of-every-phone-call-e-mail.html
Another: http://news.bbc.co.uk/2/hi/uk_news/politics/7805610.stm
The UK is considering contracting out the maintenance of its national call and email database.

A contentious proposal to create a massive database of communications metadata in the United Kingdom has just become even more controversial. According to reports in the British press, a "consultation paper" laying out the plan, slated for release in January, contemplates outsourcing the maintenance of the database to private-sector firms. The proposal has already come under fire from civil liberties groups, the European human rights commissioner, and former public officials.

Initially included in Britain's Communications Data Bill as part of a sweeping Interception Modernisation Programme, the surveillance proposal was dropped from the legislation in September, but it was not abandoned. The database is projected to cost some £12 billion ($17.5 billion US), and would contain metadata about every phone call placed, every e-mail or text message sent, and every Web site visited in the UK, reports say. Such "metadata" would include routing information, such as the sender and recipient of an e-mail, as well as times and dates.


8. FCC Okays DTV "Analog Nightlight" Rules
Spoiler
http://arstechnica.com/news.ars/post/20081228-fcc-oks-analog-nightlight-rules.html
The FCC has okay'd a proposal to keep analogue TV running for 30 days after digital TV broadcasting becomes compulsory. Broadcasters will be able to show critical news and update instructions to those without a DTV tuner.

On the night before Christmas, the Federal Communications Commission proposed rules that would let some full-power TV stations continue streaming a bare-bones analog signal for 30 days after the DTV transition. The "Analog Nightlight" program will allow those stations to keep their analog broadcast going "for the limited purpose of providing public safety and digital transition information," the FCC says. Meanwhile a key member of the House of Representatives is warning Congress that it may need to rush more money to the government's analog converter set top box program.

The analog nightlight rule means that couch potatoes who, as of February 17, still haven't figured out that their old analog sets can't receive digital broadcasts won't be left completely in the dark. After that day, all full-power stations must go digital. The nightlight system will permit eligible full-power license holders to continue to broadcast emergency news and information in analog using both English and Spanish. They can also transmit information about the transition and where to get help for roughly a month after DTV Day.


9. 30GB Zunes Killing Themselves In Droves
Spoiler
http://blog.wired.com/gadgets/2008/12/30gb-zunes-kill.html
Another: http://news.bbc.co.uk/2/hi/technology/7806683.stm
Discussion thread by CWuestefeld: https://www.donationcoder.com/forum/index.php?topic=16414.0
Microsoft's Zune MP3 player has been affected by a leap-year bug that causes it to crash around the end of 2008. Exhausting the battery should solve the issue.

The internet is awash with reports that the 30GB Zune is committing suicide across the planet. Not just one of them, either. It seems that some weird bug is simultaneously causing the music players to kill themselves, like lemmings leaping from a cliff.

While the Zune is a distant also-ran in the MP3 market, which is dominated by Apple's, the Microsoft-made device has gained critical approbation with its most recent, version 3.0 models, whose features are quite competitive with the iPod line. Many users appreciate the player's built-in FM radio and "Zune Social" features, which facilitate the communal sharing and discovery of new music.


10. Final Rewind: The VHS Tape Has Breathed Its Last
Spoiler
http://www.crn.com/retail/212501855
JVC, the last of the VHS manufacturers, has finally ceased production.

Remember the days when VHS tapes were so ubiquitous that every video store you knew had the slogan, "Be kind, rewind?" We bring you this bit of pressing nostalgia not because VHS has suddenly slowed its long decline, but because the last distribution holdout for VHS tapes this week announced it's finally cutting the format from its inventory.

According to the Los Angeles Times, Distribution Video Audio in Burbank, Calif., shipped its final truckload of VHS tapes in October -- the last time it plans to make VHS shipments, and the last major VHS distributor in the country to do so.



Ehtyar.
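Item 5 above reports an integer overflow in Windows Media Player triggered by crafted WAV, SND or MIDI files, but gives no detail of the bug. As an added example, and not code from the article, Microsoft or the researchers, here is the general shape of that bug class in a RIFF/WAVE chunk walker: a bounds check that adds the declared chunk size to the current offset with 32-bit wraparound, beside the check that compares the declared size against the bytes actually remaining. The file layout and the lying length field are constructed for the example.

```python
import struct

RIFF_HEADER_LEN = 12  # 'RIFF' + uint32 size + 'WAVE'
MASK32 = 0xFFFFFFFF


def build_wav(data_len_field, data_bytes):
    """Assemble a minimal RIFF/WAVE file with a 'fmt ' chunk and a 'data' chunk.
    data_len_field is written as given, so a lying length can be constructed."""
    fmt_body = struct.pack("<HHIIHH", 1, 1, 8000, 8000, 1, 8)  # PCM, mono, 8 kHz, 8-bit
    fmt_chunk = b"fmt " + struct.pack("<I", len(fmt_body)) + fmt_body
    data_chunk = b"data" + struct.pack("<I", data_len_field) + data_bytes
    body = b"WAVE" + fmt_chunk + data_chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed sample inputs (not taken from the article).
GOOD_WAV = build_wav(4, b"\x80\x80\x80\x80")
# Same 48-byte file, but the 'data' length field claims 0xFFFFFFFC bytes.
BAD_WAV = build_wav(0xFFFFFFFC, b"\x80\x80\x80\x80")


def find_data_chunk_naive(buf):
    """Return the declared length of the 'data' chunk, bounds-checked the way a
    careless C parser with uint32 arithmetic does it: add the declared size to
    the chunk start, then compare with the file length. The sum wraps past
    2**32, so a huge declared size passes the check and is handed back as the
    length a copy or allocation would use."""
    offset = RIFF_HEADER_LEN
    while offset + 8 <= len(buf):
        chunk_id = buf[offset:offset + 4]
        size = struct.unpack_from("<I", buf, offset + 4)[0]
        start = offset + 8
        end = (start + size) & MASK32  # wraps exactly like a uint32 sum
        if end > len(buf):
            raise ValueError("chunk %r overruns file" % chunk_id)
        if chunk_id == b"data":
            return size
        offset = end + (size & 1)  # RIFF chunks are padded to an even length
    raise ValueError("no data chunk")


def find_data_chunk_checked(buf):
    """Hardened version: compare the declared size against the bytes that are
    actually left, never forming a sum that can wrap."""
    if buf[:4] != b"RIFF" or buf[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    offset = RIFF_HEADER_LEN
    while offset + 8 <= len(buf):
        chunk_id = buf[offset:offset + 4]
        size = struct.unpack_from("<I", buf, offset + 4)[0]
        start = offset + 8
        remaining = len(buf) - start
        if size > remaining:
            raise ValueError("chunk %r declares %d bytes but only %d remain"
                             % (chunk_id, size, remaining))
        if chunk_id == b"data":
            return size
        offset = start + size + (size & 1)
    raise ValueError("no data chunk")


def is_rejected(parser, buf):
    """True if parser refuses buf with ValueError."""
    try:
        parser(buf)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, buf in (("good", GOOD_WAV), ("bad", BAD_WAV)):
        for parser in (find_data_chunk_naive, find_data_chunk_checked):
            try:
                print(name, parser.__name__, "-> data length", parser(buf))
            except ValueError as exc:
                print(name, parser.__name__, "-> rejected:", exc)
```

The naive walker accepts the crafted file and reports a data length of 0xFFFFFFFC, which in a native player is exactly the value that reaches the copy loop; the checked walker rejects it because the declared size is compared with what remains rather than added to an offset that can wrap.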

92
Living Room / Tech News Weekly: Edition 52
« on: December 28, 2008, 04:48 AM »
The Weekly Tech News
Hi all.
Well guys, it's the end of another year. I hope you all had a wonderful Christmas (Giftmas for those in the know ;)) and will have a most enjoyable new year :)
As usual, you can find last week's news here.


1. CastleCops, No More
Spoiler
http://www.castlecops.com/
Popular online threat fighting website CastleCops is no more. Recently their website began displaying a message on their homepage explaining to users that the site would no longer be available. There are (entirely unsubstantiated as yet) rumors that the site's owner, Paul Laudanski, has closed the site due to pressure from his employer of 7 months, Microsoft, though most suspect it is due to the costs of running a site that was constantly under cyber attack.

You have arrived at the CastleCops website, which is currently offline. It has been our pleasure to investigate online crime and volunteer with our virtual family to assist with your computer needs and make the Internet a safer place. Unfortunately, all things come to an end. Keep up the good fight folks, for the spirit of this community lies within each of us. We are empowered to improve the safety and security of the Internet in our own way. Let us feel blessed for the impact we made and the relationships created.

With respect to the server marathon, by March 17 2009 CastleCops will refund contributions made through PayPal that were specifically designated for servers. Unfortunately, server donations made via check cannot be returned because we do not have the addresses for the donating entity. Unless instructed otherwise, CastleCops will re-allocate these funds as a donation to the Internet Systems Consortium (ISC.org). This organization sponsored our hosting environment for approximately the past 2 years. Please contact us [cc at laudanski dot com] before March 17, 2009, if you would like a return of your server marathon donation. Otherwise, we would like to thank the ISC for their unfettered support.


2. Subway Fare Hackers to Partner With Transit Agency
Spoiler
http://www.wjla.com/news/stories/1208/579813.html
Another link: http://news.cnet.com/8301-1009_3-10128632-83.html
The Massachusetts Bay Transportation Authority has backflipped, and asked the MIT Subway Hackers to work with them to secure their ticketing system from potential fraudsters.

A trio of Massachusetts Institute of Technology students who found a way to hack into the Boston subway system's payment cards have agreed to partner with transit officials there to make the system more secure. The Electronic Frontier Foundation announced the agreement Monday, two months after the Massachusetts Bay Transportation Authority dropped a lawsuit against the students, who were represented for free by the EFF, a civil-liberties group that frequently takes up cases involving security researchers and computer hackers.

The transit agency had sued to stop the students from presenting findings at a computer-security conference.

The students - Zack Anderson, R.J. Ryan and Alessandro Chiesa - have argued all along they were trying to help the MBTA by giving it advance notice of their planned talk last summer and keeping specific details of their hack secret.


3. MS (finally) Confirms Unpatched SQL Server Flaw
Spoiler
http://www.theregister.co.uk/2008/12/23/sql_server_0day_latest/
Microsoft have fessed up that a recently exposed remote code execution vulnerability in various versions of their SQL Server software is a real threat.

Microsoft came clean and admitted its SQL Server database software is vulnerable to code injection attacks. It's not a new flaw but the same bug in the database software that emerged around the time of Microsoft's monthly Patch Tuesday update earlier this month.

In an advisory, Redmond's security gnomes confirmed that code has been produced that exploits a security bug affecting Microsoft SQL Server 2000, Microsoft SQL Server 2005 and Windows Internal Database, in certain configurations.


4. URL Redirects Open Scareware Loophole at Major Sites
Spoiler
http://arstechnica.com/news.ars/post/20081224-url-redirects-open-scareware-loophole.html
A hacker has found that using redirect pages as a jumping point for malware distribution is a worthwhile endeavor.

URL redirect notifications are often meant to serve as security measures, but at least one malware blackhat is exploiting these services and redirecting site visitors from the website they think they are about to visit to a spyware-infested haven. That's bad enough on its own, but the as-yet-unknown assailant has also used search engine optimizations to push the polluted redirectors higher in Google's search rankings.

Part of the problem—a significant part—is that many companies/websites use open redirects that will cheerfully redirect incoming traffic to whatever URL they're asked to send it to, even if that traffic didn't originate within the host site. When MySpace or Microsoft inform you that you're about to be redirected off their site, they don't perform any sort of check to see if that's a good place for you to be going.


5. Firefox Halting 2.x Security Patching/Support
Spoiler
http://tech.blorge.com/Structure:%20/2008/12/17/mozillas-security-warning-upgrade-to-firefox-3-today/
Firefox 2 is dead as of now. It is highly recommended anyone still using v2 upgrade to v3 now.

Mozilla has told Firefox users that it will no longer be updating version 2 of the browser and they should upgrade to version 3 right away. The warning came alongside a security update patching ten problems, four of them critical.

The critical problems involve cross-site scripting. That’s a serious concern as it allows the unauthorized transfer of data that a user sends to one site (such as a legitimate online bank) to another site (such as one used by hackers to harvest information).


6. No More Lawsuits: ISPs to Work With RIAA, Cut Off P2P Users
Spoiler
http://arstechnica.com/news.ars/post/20081219-no-more-lawsuits-isps-to-work-with-riaa-cut-off-p2p-users.html
The RIAA will no longer be pursuing individuals it believes to have engaged in piracy after signing voluntary agreements with many ISPs aimed at cutting off repeat offenders.

In a stunning turn of events, the US music industry has ceased its long-time litigation strategy of suing individual P2P file-swappers. Instead, with New York Attorney General Andrew Cuomo acting as a broker, the RIAA has signed voluntary "graduated response" agreements with major Internet service providers. Those currently on the receiving end of an RIAA lawsuit, though, will have to see it through to the (very) bitter end.


7. IPodhash Project Moves to Wikileaks Following DMCA Notice
Spoiler
http://arstechnica.com/journals/apple.ars/2008/12/22/ipodhash-project-moves-to-wikileaks-following-dmca-notice
The code made available by the iPodHash project has been moved to WikiLeaks in response to Apple's DMCA takedown notice.

When you think of Wikileaks, things like government secrets and Sarah Palin's private e-mail come to mind. However, there's a decent amount of technology-related information on the site as well. The fact that it's nearly impossible to get content removed from Wikileaks could lead to its use as a haven for controversial technology projects, too. It turns out that the code related to the iPodhash project was posted to Wikileaks shortly after the project's BluWiki page was taken down in response to a legal notice from Apple's lawyers.

The project received a DMCA anticircumvention notice in the middle of November, and operator of BluWiki removed the content that Apple didn't like until the legal notice could be scrutinized. Since then, the Electronic Frontier Foundation has agreed to represent iPodhash, and the project's owner has come forward with a few comments, but the original project information is still unavailable, as the various legal machinations continue. Just a few days after the takedown notice was received, however, the code generated by iPodhash thus far was posted to Wikileaks, once again making the information publicly available.


8. Australian 'Net Filters - What's Being Blocked?? and Chinese Espionage
Spoiler
http://arstechnica.com/news.ars/post/20081222-australian-net-filter-testing-set-will-include-p2p.html
Another link: http://www.theregister.co.uk/2008/12/18/huawei_optus_ties_nbn_security_concerns/
The Australian government are insisting on rolling out tests of their widely criticized internet "filtering" system, and are defending it to the last in every public communication medium. Australian citizens will not be able to view the content of the filter list, and it seems there is some concern regarding relations between a bidder for the contract and a Chinese technology firm.

Australia's Minister of Broadband, Communications, and the Digital Economy (BCDE), Stephen Conroy, appears to have recognized that his country's plan to install mandatory content filters at the ISP level is causing a public backlash. Conroy has set up several FAQs that describe the program in detail, and has even started defending the program on the departmental blog. But neither the backlash nor an apparent lack of preparation will stop him from putting the system in operation, as live tests on Internet traffic are set to begin any day now—even though the ISPs that want to participate aren't sure what's happening.

First, the practicalities. Initial lab tests of web filtering equipment suggested that the current generation of hardware had appreciable rates of false positives (filtering legal content) and false negatives (allowing illegal content through), and several models caused severe degradation of the network's performance. This isn't much of a surprise; as we described in detail, filtering content is a difficult challenge. The Australian government's own FAQ also recognizes that anyone with sufficient technical expertise can also evade the filters.


9. Windows XP Allowed to Live Again
Spoiler
http://news.bbc.co.uk/2/hi/technology/7795302.stm
Microsoft have yet-again extended the sell life of Windows XP, this time to May 2009.

The cut off date for PC makers to obtain licenses for the software was 31 January 2009.

But now Microsoft has put in place a scheme that will allow the hardware firms to get hold of XP licences until 30 May 2009.

Previously Microsoft extended XP's life until 2010 - provided it was installed on netbooks and low-cost laptops.


10. EU's New Online Library Reopens
Spoiler
http://news.bbc.co.uk/2/hi/entertainment/arts_and_culture/7798789.stm
The EU's online library, Europeana, is back online after having its server capacity quadrupled since it crashed last month just hours after opening due to high demand.

The European Union's huge digital library Europeana, which crashed last month just hours after its launch, is back online.

The website's server capacity has been quadrupled to cope with demand, European Commission spokesman Martin Selmayr told reporters.

But the homepage - at www.europeana.eu - warns that "the user experience may not be optimal in this test phase".

The site gives multilingual access to cultural collections across the EU.


Being that this will be the last Tech News Weekly for 2008, I just had to throw in a few best-of lists for the year, enjoy :)
11. Top 10 New Organisms of 2008
Spoiler
http://www.wired.com/science/planetearth/multimedia/2008/12/YE8_organisms
An interesting look at some newly discovered organisms this year.

The world's smallest snake, a prehistoric ant and microbes that may be 120,000 years old: These are just a few of the species revealed to the world in the last 12 months.

With animals going extinct at rates unseen since the dinosaurs disappeared, it's nice to be reminded that some species haven't even been discovered.

As Smithsonian Institute ornithologist Brian Schmidt said after finding the olive-backed forest robin: "It is definitely a reminder that the world still holds surprises for us."


12. 2008 Foot-in-Mouth Awards
Spoiler
http://blog.wired.com/business/2008/12/2008-foot-in-mo.html
Have a good laugh at the expense of those who gaffed on technical subject matter this year.

In 2008, scientists turned on the Large Hadron Collider without ending the world as some had feared, but they did not come up with a cure for foot-in-mouth disease.

In fact, the disease led quite a healthy existence this year, thanks in part to the never-ending presidential campaign.

But Yahoo CEO Jerry Yang topped all political gaffes to become this year's winner (or biggest loser) for his comments defending his decision to turn down Microsoft's $44 billion offer for the perpetually lost-in-the-woods troubled internet venture....
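Item 4 above describes open redirects that forward visitors to whatever URL they are handed, which lets a scareware link wear a trusted domain. As an added example that is not part of the original post or of any of the sites mentioned, here is that open handler beside an allowlisting one in Python; the allowed host names and SITE_ROOT are assumed for the example, and the rejected inputs are the usual allowlist bypasses.

```python
from urllib.parse import urljoin, urlsplit

# Assumed for this example: the hosts this site is willing to send visitors to.
ALLOWED_HOSTS = {"www.example.com", "login.example.com"}
SITE_ROOT = "https://www.example.com/"


def redirect_target_open(next_url):
    """The open redirect the article describes: the 'next' parameter is honoured
    as-is, so https://www.example.com/redirect?next=https://evil.example/ shows
    the victim a trusted domain and lands them somewhere else."""
    return next_url


def redirect_target_checked(next_url):
    """Return an absolute https URL on an allowed host, or SITE_ROOT for anything
    else. Each rejection below corresponds to a known way of slipping a foreign
    host past a naive 'starts with our domain' or 'contains our domain' test."""
    if not next_url or any(c in next_url for c in "\\\r\n\t\x00 "):
        # Browsers normalise backslashes and strip whitespace in ways a
        # server-side parser may not; refuse rather than guess.
        return SITE_ROOT
    if next_url.startswith("/"):
        # Site-relative path. '//host' and '///host' are network-path
        # references in a browser, not local paths, so insist on one slash.
        if next_url.startswith("//"):
            return SITE_ROOT
        candidate = urljoin(SITE_ROOT, next_url)
    else:
        candidate = next_url
    parts = urlsplit(candidate)
    if parts.scheme != "https":  # blocks javascript:, data:, bare 'page', http downgrade
        return SITE_ROOT
    if parts.username is not None or parts.password is not None:
        return SITE_ROOT  # https://www.example.com@evil.example/
    try:
        port = parts.port
    except ValueError:  # non-numeric port: malformed, refuse
        return SITE_ROOT
    if port not in (None, 443):
        return SITE_ROOT
    if parts.hostname not in ALLOWED_HOSTS:  # exact match: www.example.com.evil.example fails
        return SITE_ROOT
    return candidate


if __name__ == "__main__":
    # Constructed inputs covering the legitimate cases and the bypass attempts.
    for url in ("/account/settings", "https://login.example.com/sso?x=1",
                "https://evil.example/", "//evil.example/", "///evil.example/",
                "javascript:alert(1)", "https://www.example.com@evil.example/",
                "https://www.example.com.evil.example/", "/\\evil.example",
                "http://www.example.com/"):
        print("%-45s open=%-40s checked=%s" % (url, redirect_target_open(url),
                                               redirect_target_checked(url)))
```

The allowlist is matched on the parsed host name, not on a substring of the raw string, and the relative-path branch is resolved against SITE_ROOT before being re-checked, so the only way out of the function with a foreign host is for that host to be in ALLOWED_HOSTS. A bare relative name such as `account` is refused rather than resolved; if the application needs those, resolve them with urljoin and route them through the same checks.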



93
Living Room / Tech News Weekly: Edition 51
« on: December 19, 2008, 07:31 PM »
The Weekly Tech News
Hi all.
Still no button..*sigh*.
As usual, you can find last week's news here.


1. Microsoft Releases Fix for IE
Spoiler
http://www.theregister.co.uk/2008/12/17/emergency_microsoft_patch/
Microsoft have released an out-of-band patch this week for IE to close a vulnerability being exploited by up to 10,000 websites.

Microsoft has issued a rare emergency update for its Internet Explorer browser as miscreants stepped up attacks targeting a vulnerability on hundreds of thousands of webpages.

In many cases, the websites distributing the toxic payload are legitimate destinations that have been commandeered, allowing an attacker to snare victims as they surf to online banks, forums, and other trusted sites. There are at least six distinct versions of attack code circulating in the wild, according to researchers at iDefense, a security lab owned by VeriSign.


2. AT&T, T-Mobile Fined For Voice-Mail Security
Spoiler
http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=212500153
AT&T and T-Mobile have each paid tens of thousands of dollars in fines for advertising secure voice mail that wasn't actually secure.

AT&T and T-Mobile have paid fines and agreed to stop advertising that their voice-mail systems are safe from hackers.

In a permanent injunction filed in a Los Angeles court Thursday, District Attorney Steve Cooley said the wireless operators were overstating how secure their voice mails are. The settlements are the culmination of year-long investigation that was launched after multiple complaints of unauthorized voice-mail access, including some from celebrities Paris Hilton and Lindsay Lohan.


3. American Express Web Bug Exposes Card Holders
Spoiler
http://www.theregister.co.uk/2008/12/16/american_express_website_bug/
Americanexpress.com has been vulnerable to a cross-site-scripting exploit for more than two weeks, putting card holders at risk of fraud.

A glaring vulnerability on the American Express website has unnecessarily put visitors at risk for more than two weeks and violates industry regulations governing credit card companies, a security researcher says.

Among other things, the cross-site scripting (XSS) error on americanexpress.com allows attackers to steal users' authentication cookies, which are used to validate American Express customers after they enter their login credentials. Depending on how the website is designed, miscreants could use the cookies to access customer account sections, said Russ McRee of the Holistic Security blog.


4. Net Firms Rebuff Filtering Plan
Spoiler
http://news.bbc.co.uk/2/hi/technology/7779547.stm
An interesting interview from a professional: http://www.banthisurl.com/2008/12/exclusive-white-hat-hacker-tears-apart-flaws-in-aussie-net-filtering-scheme/
Australian ISPs have finally all weighed in on the plan to filter the country's internet. Thankfully, neither Optus nor Telstra will support the plans, though as one might have expected, Optus will support a scaled back version.

Telstra, Australia's largest ISP, has said it will not join trials of the filters and others say they will only back a scaled-down system.

The government wants to filter all net traffic and block access to 10,000 sites deemed to hold illegal content.

The initial trials of the filtering technology were due to take place before Christmas.


5. Wikileaks Posts Secret Bomb-Stopper Report — Did It Go Too Far?
Spoiler
http://blog.wired.com/defense/2008/12/warlock-wikilea.html
From ArsTechnica: http://arstechnica.com/journals/law.ars/2008/12/18/et-tu-wikileaks
Wikileaks have published the specifications for a mostly-obsolete remote bomb detonation jammer. Many are questioning the validity of their claim that it should be published as a "leak".

In July, 2005, I asked a member of a Baghdad-based military bomb squad about the radio-frequency jammers his team was using to cut off signals to Iraq's remotely detonated explosives. His response:  "I can't even begin to say the first fucking thing about 'em." A few days later, one of those jammers seemed to save me and him from getting blown up. Months after that, David Axe was thrown out of Iraq by the U.S. military, for a blog post which mentioned the Warlock family of jammers.

So I was more than a little surprised, when I saw that Wikileaks had posted a classified report, outlining how the Warlock Red and Warlock Green jammers work with — and interfere with — military communications systems. The report, dated 2004, gives specific information about how the jammers function, their radiated power and which frequencies they stop. That Baghdad bomb tech would've put his fist through a wall, if he saw it out in public.


6. ICANN Plan for New TLDs Comes Under Barrage of Criticism
Spoiler
http://arstechnica.com/news.ars/post/20081216-icann-plan-for-new-tlds-comes-under-barrage-of-criticism.html
It seems most corporations are not interested in having additional TLDs added to the pool, though one has to wonder how long it will be before you can no longer find an acceptable domain name for anything under the current system.

For an organization that describes itself as "a not-for-profit public-benefit corporation with participants from all over the world dedicated to keeping the Internet secure, stable and interoperable." ICANN sure seems willing to make decisions that go against the wishes of the corporations and governments it serves. Yesterday was the last day for anyone to submit comments on the organization's plan to launch 200-800 new domain name extensions next year, yet there's no sign that ICANN has actually paid meaningful attention to the vehemently negative reactions of numerous companies.

Currently, there are just a handful of generic Top Level Domains (gTLDs), including well-known extensions like .com, .net, .org, and .biz. ICANN's new plan would expand the number of potential gTLDs by several orders of magnitude, and would allow for extensions 3-63 characters long. Allowed extensions would include pretty much anything a company might want—Ars Technica, for example, could conceivably register *.ars, *.arstechnica, or *.arstech. ICANN claims that this new system would offer domain name holders vastly improved choices and allow for more diversity in domain names, particularly for non-English-speaking countries. In and of themselves, these are worthy goals, but arbitrarily redefining the meaning of gTLDs seems a poor way to achieve them, particularly when said redefinition wrecks the current system so thoroughly.


7. Facebook Profile Used to Serve Legal Docs in Australian Case
Spoiler
http://arstechnica.com/news.ars/post/20081216-facebook-profile-used-to-serve-legal-docs-in-australian-case.html
Only in Australia.

'Tis the season to be in debt, fa la la la la, la la la la. If you've missed a few payments, however, you might find yourself being hunted down by debt collectors and lawyers looking to serve you court papers. And now—at least if you live in Australia—your Facebook account is fair game. The Australian Capital Territory Supreme Court has approved the use of Facebook to serve legal documents to a couple who was otherwise inaccessible at their home or by e-mail, although the couple has since disappeared from the social networking site as well.

The unnamed Australian couple had defaulted on their home loan for AUS$100,000 (almost US$67,000), which spurred the bank to seek the services of Canberra-based law firm Meyer Vandenberg. Attorney Mark McCormack was assigned to the case and unsuccessfully attempted to contact the couple several times at their home, and then again via e-mail. With nowhere else to turn, McCormack asked the Australian court to allow him to serve the papers electronically to the couple via Facebook.


8. French Regulators Nix Orange IPhone Exclusivity
Spoiler
http://arstechnica.com/journals/apple.ars/2008/12/17/french-regulators-nix-orange-iphone-exclusivity
Finally, a country with some balls (I know, I know, but seriously...).

In many countries, Apple has an exclusive deal with one particular carrier to sell and provide service for the iPhone 3G. However, the Conseil de la concurrence ruled today that any French mobile operator should be allowed to carry the iPhone.

The Conseil de la concurrence, or Competition Council, is France's competition regulator. Its decision comes after a complaint filed by Bouygues Télécom, the number three mobile operator in France. The council has complained of the lack of competition in the mobile communications market before, and says that Apple and Orange's deal further stifles competition.


9. Student Sentenced to 15 Years for YouTube Terror Video
Spoiler
http://blog.wired.com/27bstroke6/2008/12/student-sentenc.html
A 27-year-old student has been sentenced to 15 years' imprisonment in the United States for posting a video to YouTube detailing how to convert a radio remote control unit into a remote bomb detonator.

An Egyptian engineering student was sentenced in the United States on Thursday to 15 years imprisonment after pleading guilty to uploading a 12-minute video to YouTube that demonstrated how to convert a remote-control toy car into a bomb detonator.

In June, Ahmed Abdellatif Sherif Mohamed, 27, pleaded guilty in a Florida federal court to one count of providing material support to terrorists. He was a student at the University of South Florida. South Carolina authorities said they found various bomb-making materials in the vehicle he was driving when he was pulled over last year.


10. ;-) Trademark Claim Makes Us Go :-o and Then >:-[
Spoiler
http://arstechnica.com/news.ars/post/20081214--trademark-claim-make-us-all--o-and-then.html
A Russian "entrepreneur" has trademarked the winking smilie [;-)].

There are certain things on the Internet that the general public uses with great abandon: acronyms (lol!), txt speak, and emoticons. If you run a business in Russia and you make use of the winky smiley face, however, then you may soon find yourself being asked to pay royalties to Oleg Teterin, an entrepreneur who claims he owns the trademark to the popular emoticon in Russia.

Teterin said in an interview with Russian TV channel NTV this week that Russia's patent agency had granted him the trademark to ;-), and that he wouldn't hesitate to go after companies who have exploited the emoticon without paying up. He noted, according to the BBC, that a license would cost "tens of thousands of dollars," and would be renewed on a yearly basis.


11. Studios (temporarily?) Gain Upper Hand in Blu-ray DRM Battle
Spoiler
http://arstechnica.com/news.ars/post/20081215-studios-temporarily-gain-upper-hand-in-blu-ray-drm-battle.html
It appears the upgradable nature of the BD+ protection algorithm used on Blu-ray discs has finally won the major recording studios some time.

Movie studios and software companies fought to maintain (and crack) the efficacy of Blu-ray's BD+ DRM scheme throughout all of 2008, but the content industry has won a round of its own as the year draws to a close. Thanks to an update in late November, there's a growing list of movies Slysoft's AnyDVD HD product can't yet handle; the software company believes it could take three months or more to recrack the algorithm.

The back-and-forth cracking war officially began last March when Slysoft announced that it had cracked the BD+ algorithm and would include Blu-ray backup support in AnyDVD HD 6.4.0.0. At the time, Slysoft poked fun at the notion that BD+ would remain unbroken for any length of time, and noted that it had been just eight months since Richard Doherty of the Envisioneering Group had predicted BD+ would remain unbreached for the next decade. The company's hubris may have been premature, as BD+ is putting up something of a fight.


12. Data Mining Still Going Strong Under New Yahoo Privacy Policy
Spoiler
http://blog.wired.com/27bstroke6/2008/12/data-mining-una.html
While Yahoo has announced it will keep individual user information for only 3 months, it doesn't appear to have hampered its data mining efforts.

On Wednesday, Yahoo was hailed as a privacy leader among the major search engines: It said it would retain individual user data for only three months, down from 13 months. Google keeps individualized search data of its users for nine months and Microsoft for 18 months.

Privacy groups point out that the change is a good thing if Yahoo lives up to its word. Perhaps only three months' worth of one's search queries and web clicks could be exposed under a data breach, or handed over to the authorities with a warrant.

But Yahoo isn't giving up anything under the plan: Individual internet web surfers' browsing habits will continue to be analyzed under a microscope in order to target web users with ads for products they are likely to purchase.


14. Vote for the Sexiest Geeks of 2008
Spoiler
http://blog.wired.com/underwire/2008/12/every-geeks-a-l.html
Wired have started a poll for the sexiest geek of 2008. Somehow, it seems the ladies have much less of a choice this year, with the list primarily consisting of women.

Every geek's a little bit sexy, somehow. Maybe it's the glasses, the hot talk about black holes or the Asperger's-like obsession with sci-fi, science or gadgets.

But which nerds really moved the sexy needle in 2008?

Welcome to the fourth annual Wired.com Sexiest Geeks contest. Each year we seed the list with some of the smartest, sexiest and most "wired" men and women on the scene, then throw open the competition to our readers.


15. Trek Creator's Widow Dies Aged 76
Spoiler
http://news.bbc.co.uk/2/hi/entertainment/7791210.stm
Discussion thread here: https://www.donationcoder.com/forum/index.php?topic=16248
Majel Barrett-Roddenberry has died of leukemia at her home in Los Angeles. May she rest in peace.

Actress Majel Barrett Roddenberry, the widow of Star Trek creator Gene Roddenberry, has died aged 76.

She died of leukaemia on Thursday at her home in Los Angeles, her family said in a statement.

The actress, who featured in nearly every Star Trek TV show and film, nurtured the legacy of the sci-fi series after her husband died in 1991.



Ehtyar.

94
Living Room / R.I.P. Majel Barrett-Roddenberry
« on: December 19, 2008, 05:57 AM »
Majel Barrett-Roddenberry, wife of Star Trek creator Gene Roddenberry, has died, aged 76, of leukemia at her home in Los Angeles.

Majel was a well known and much beloved fixture in the Star Trek universe. Known best perhaps for her role as the voice of the Enterprise Computer in each and every Star Trek series to date, she also played several characters including The Original Series' Number One and Dr. Christine Chapel. She also featured in many television shows throughout her career.

Affectionately known as the "First Lady of Star Trek", she nurtured and cherished the memory of her late husband through her continued embrace of Star Trek and its fans. She had only recently completed her final recording as the Enterprise Computer for next year's Star Trek film. She leaves behind her only son, Eugene, to continue the Roddenberry legacy.

I found this video on YouTube; I thought it worth posting:

BBC Story

Ehtyar.

95
Living Room / Tech News Weekly: Edition 50
« on: December 12, 2008, 03:17 PM »
The Weekly Tech News
Hi all.
I got a "meh" from Mouse Man this morning when I mentioned the expand all button, so I guess we'll be waiting longer for that :( But perhaps some tech news will lift your spirits :P
As usual, you can find last week's news here.


1. Microsoft Fixes 28 Flaws; 6 Are Critical
Spoiler
http://news.cnet.com/8301-1009_3-10119227-83.html
http://www.theregister.co.uk/2008/12/10/ms_patch_tuesday_december/
Microsoft has released its biggest ever Patch Tuesday update, which includes its new "Exploitability Index" to aid administrators in determining the possibility that a vulnerability will be exploited in the wild.

Microsoft on Tuesday released its December 2008 security bulletin. The "critical" bulletins affect Windows GDI, Word, Excel, Internet Explorer and Windows Search. The "important" updates affect SharePoint and Windows Media Components.

Microsoft is including within each bulletin an "exploitability index" to help system administrators prioritize the patches. All Microsoft security patches for both Windows and Office software are available via Microsoft Update.


2. Exploit for Unpatched WordPad, IE Flaws in the Wild
Spoiler
http://arstechnica.com/journals/microsoft.ars/2008/12/10/exploit-for-unpatched-wordpad-ie-flaws-in-the-wild
An exploit is in the wild for a vulnerability in WordPad that was not patched this month. The exploit involves opening a specially crafted Word document in WordPad. It is currently spread via email, using a .wri extension for the document so as to be certain it opens in WordPad and not Word itself.

Yesterday Microsoft released patches for some 28 flaws in Windows, IE, and Office, most of them critical, in the largest ever Patch Tuesday update. The company also issued a bulletin for another critical flaw—but this one didn't receive a patch, and there are exploits in the wild. The flaw is in WordPad; specifically, in WordPad's converter for opening Word 97 documents, which can be made to execute arbitrary code when given a suitably crafted file.

This flaw does not affect all versions of Windows. Windows 2000, XP with Service Pack 2, and Windows Server 2003 (all versions) are affected; however, XP with Service Pack 3 (slightly surprisingly), Vista, and Windows Server 2008 are not. Accordingly, XP SP2 users can therefore protect themselves simply by installing the current Service Pack. Users of other affected systems can disable the flawed component (details are contained within Microsoft's bulletin), or just sit tight to see how the company responds. There is no word yet of an out-of-cycle update, so as things stand it looks like this flaw may not be fixed until the next Patch Tuesday, which will be January 13, 2009.


3. Security Chief Window Snyder Leaving Mozilla
Spoiler
http://security.blogs.techtarget.com/2008/12/10/security-chief-window-snyder-leaving-mozilla/
Head of security at Mozilla, Window Snyder, is leaving Mozilla to help establish a new start-up venture.

Window Snyder, the head of security at Mozilla, is leaving the company to help found a start-up venture unrelated to security. Snyder has been at Mozilla for more than two years and has been the driving force behind the company’s effort to make security a top priority in its popular Firefox browser.

Snyder’s departure is a blow to Mozilla, a small organization that counts on participation from the open-source community for much of its work. Snyder has helped raise the company’s profile in the security community and made transparency about security issues a key initiative. The company currently is working on a security metrics project with security analyst Rich Mogull of Securosis that is designed to measure the relative security of Firefox in a number of different ways.


4. Computer Scientists Find Audio CAPTCHAs Easy to Crack
Spoiler
http://arstechnica.com/news.ars/post/20081208-computer-scientists-find-audio-captchas-easy-to-crack.html
Audible CAPTCHAs may be next on the menu for those attempting to automate signing up to online services, as they're apparently easier to crack than their well-developed image-based cousins.

The Carnegie-Mellon University team behind the reCAPTCHA service is continuing to expand its effort to mix basic security and useful work. CAPTCHAs are the distorted text that helps various online services ensure that the entity opening an account is a human, not a bot bent on using the service to dish out spam. The reCAPTCHA service puts the mental horsepower needed to interpret these images to good use, harnessing it to identify text in scanned books where OCR software has failed. Now, the team has turned its attention to the audio CAPTCHAs used by the visually impaired.

Audio CAPTCHAs consist of a string of spoken characters, typically masked and distorted by a form of background noise. To start with, the researchers looked into the security of existing audio CAPTCHAs used by Google and Digg. In a paper that will be presented later this week at the Neural Information Processing Systems Conference, the authors demonstrate that these are relatively easy to crack.


5. More SHA-3 News
Spoiler
http://www.schneier.com/blog/archives/2008/12/more_sha-3_news.html
NIST has officially brought the SHA-3 competition into its first round, publishing all 51 candidates publicly, excluding those already broken.

NIST has published all 51 first-round candidates. (Presumably the other submissions -- we heard they received 64 -- were rejected because they weren't complete.) You can download the submission package from the NIST page. The SHA-3 Zoo is still the best source for up-to-date cryptanalysis information.

Various people have been trying to benchmark the performance of the candidates, but -- of course -- results depend on what metrics you choose.


6. Koobface Worm Targets MySpace, Other Sites
Spoiler
http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=212400218
Against my better judgment, I'm posting yet another Koobface story. Though this time it appears the newest Koobface variant is attempting to spread to other social networking sites.

The Koobface worm, which has plagued the Facebook social networking site during the past week, is now targeting MySpace, Bebo, and other sites as well, security researchers warn.

Researchers at security vendor F-Secure said yesterday in a blog about the Koobface worm that the new infection is designed to spread to other popular social networking sites, including MyYearbook.com, BlackPlanet.com, and Friendster.com.


7. Sony Pays $1M to FTC for Illegally Collecting Data On Kids
Spoiler
http://arstechnica.com/news.ars/post/20081211-sony-pays-1m-to-ftc-for-illegally-collecting-data-on-kids.html
Sony BMG has copped a $1 million fine, among the biggest ever for a case of this kind, to the US Federal Trade Commission for its violation of the Children's Online Privacy Protection Act by collecting information from children under the age of 13 without their parents' consent.

Sony BMG will pay $1 million to the Federal Trade Commission to settle charges that it violated the Children's Online Privacy Protection Act (COPPA) by collecting information on users under the age of 13 without their parents' consent. The FTC says that the civil penalty will match the largest penalty ever paid out in a COPPA case.

The FTC filed a lawsuit against Sony BMG just yesterday in the US District Court in Manhattan. The Commission, suing on behalf of the United States, said that Sony has been operating a number of websites since 2004 in order to promote and advertise its music offerings. These sites—many of which contain social networking functionality that allow users to create profiles and interact with others—apparently did not restrict users under the age of 13 from registering, despite the fact that the sites claimed that users under 13 would not be able to use the sites.


8. Sun Closes 'future' Pay-per-use Utility Computing Service
Spoiler
http://www.theregister.co.uk/2008/12/10/sun_closes_cloud/
Sun has decided to close its computer processing rental service, Network.com, after determining the business model was not as successful as they'd hoped.

Sun Microsystems has killed its once high-profile utility computing experiment, Network.com, which let customers buy computing power by the hour.

The company revealed it's no longer accepting new customers after four years, saying parts of the business and technology model "were not in the sweet spot". The 13 customers and 48 applications using Network.com will be offered continued service.


9. FSF Sues Cisco
Spoiler
http://www.fsf.org/blogs/licensing/2008-12-cisco-complaint
The FSF has finally run out of patience, and has marked the 5th year of its battles to have Cisco properly comply with the GPL on GNU code it uses by filing suit.

The FSF has sued Cisco for damages regarding their continued violations of the GPL and LGPL by not distributing source for FSF code in a long list of products:

Defendant distributed Plaintiff’s Programs in this manner in the Firmware for Linksys’ models EFG120, EFG250, NAS200, SPA400, WAG300N, WAP4400N, WIP300, WMA11B, WRT54GL, WRV200, WRV54G, and WVC54GC, and in the program Quick-VPN.


10. Google Chrome Out of Beta, Official 1.0 Release Available
Spoiler
http://blog.wired.com/business/2008/12/chrome-10.html
Google has brought Chrome out of BETA with an official v1.0 release. Don't suppose that means they'll stop exploiting it to datamine users?

Google has officially released a 1.0 version of its Chrome web browser, dropping the beta status after a mere one hundred days. It might seem an astounding move for a company best known for keeping projects in an indefinite beta status (Gmail is going on five years as a beta), but Google Chrome isn't just another web app, it's desktop software and to compete with Internet Explorer, Chrome needs to be 1.0.

Unfortunately for Chrome fans there isn't much new in the 1.0 release (nor is there any news on the much-anticipated Mac and Linux versions). Google has been fixing bugs and adding some small new features as the beta progressed — like much improved privacy controls. However, Chrome still lacks some basic web browser features such as reliable RSS detection and form auto-filling tools.


11. Don't Be 404, Know the Tech Slang
Spoiler
http://news.bbc.co.uk/2/hi/technology/7775013.stm
And now for this week's odd article. Apparently, the tech industry's penchant for acronyms and numeric error codes has translated into verbal and written slang.

A study of new slang terms entering English finds that technology is driving and perpetuating them.

For instance, "404" - the error message given when a browser cannot find a webpage - has come to mean "clueless".


Ehtyar.

96
Living Room / Tech News Weekly: Edition 49
« on: December 05, 2008, 05:48 PM »
The Weekly Tech News
Hi all.
Well I've had the new button ready for a week now, but since Mouse Man has 'bigger fish to fry', it's not ready :( Sorry folks, I assure you I'll have beaten him into submission by next week ;)
As usual, you can find last week's news here.


1. New Windows Worm Builds Massive Botnet
Spoiler
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121958
In follow-up to this story last week, it appears that Conficker.a/Downadup is being used by hackers to hijack themselves a fresh, new botnet.

The worm exploiting a critical Windows bug that Microsoft Corp. patched with an emergency fix in late October is being used to build a new botnet, a security researcher said today.

Ivan Macalintal, a senior research engineer with Trend Micro Inc., said that the worm, which his company has dubbed "Downad.a" -- it's called "Conficker.a" by Microsoft and "Downadup" by Symantec Corp. -- is a key component in a new botnet that criminals are creating.

"We think 500,000 is a ball park figure," said Macalintal when asked the size of the new botnet. "That's not as large as some, such as [the] Kraken [botnet], or Storm earlier, but it's still starting to grow."


2. Destructive Koobface Virus Turns Up On Facebook
Spoiler
http://www.reuters.com/article/newsOne/idUSTRE4B37LV20081204
It appears Koobface is still doing the rounds on Facebook, despite many-an-attempt to squish it.

Facebook's 120 million users are being targeted by a virus dubbed "Koobface" that uses the social network's messaging system to infect PCs, then tries to gather sensitive information such as credit card numbers.

It is the latest attack by hackers increasingly looking to prey on users of social networking sites.

"A few other viruses have tried to use Facebook in similar ways to propagate themselves," Facebook spokesman Barry Schnitt said in an e-mail. He said a "very small percentage of users" had been affected by these viruses.


3. U.K.'s DNA Database Violates Rights, Court Rules
Spoiler
http://news.cnet.com/8301-1009_3-10114304-83.html
Up until now, the UK has been keeping the DNA of suspected criminals on file. The European Court of Human Rights has ruled that this behavior breaches the human rights of those whose DNA is stored as a suspect.

The DNA records of about 850,000 people could be wiped from the U.K.'s national database after the European Union ruled it breached human rights.

The European Court of Human Rights decision on Thursday means that the DNA details and possibly fingerprints of people suspected of a crime, but later cleared, could be removed.

The court found that in keeping the DNA details of people suspected of a crime the "state had overstepped any acceptable margin of appreciation."


4. New Trojan Targets Firefox, Masquerades As Greasemonkey
Spoiler
http://arstechnica.com/news.ars/post/20081205-new-trojan-targets-firefox-masquerades-as-greasemonkey.html
A Trojan targeting Firefox masquerades as Greasemonkey and will steal your login details for various websites and online services.

Firefox's broad support for plug-ins and extensions has always been a major feature of the browser, particularly back in the days of IE6. The browser's enduring popularity has finally caught the eye of malware authors, as a trojan is now targeting Firefox specifically.

BitDefender has identified this new bit of holiday cheer as Trojan.PWS.ChromeInject.A. The ChromeInject suffix is a bit puzzling, since this attack is supposedly Firefox-only, but we weren't able to find clarification on what it refers to. The trojan installs itself into Firefox's add-on directory, registers itself as Greasemonkey, and begins searching your hard drive for passwords, login details, your World of WarCraft account information, and your library card number.


5. EU: Judges Not Required for P2P Disconnections
Spoiler
http://arstechnica.com/journals/law.ars/2008/12/02/eu-judges-not-required-for-p2p-disconnections
The French have managed to convince the EU's Council of Ministers to strip the 138th amendment from its Telecom Packet, effectively permitting ISPs to cut users off without any judicial oversight or solid evidence.

With the French revving up their "graduated response" plan and the UK government leaning on rightsholders and ISPs to hash something out before 10 Downing Street gets involved, it's important to remember that the European Parliament has some strong opinions on the issue as well. Unfortunately for consumers, no one wants to hear them.

The EU is in the midst of major overhaul of telecom law. The so-called Telecom Packet passed Parliament a few months back, complete with amendments that tried to rein in some of the graduated response proposals. The big concern is that rightsholders and ISPs could become judge, jury, and executioner over someone's 'Net connection without proper avenues for appeal or solid standards of evidence. That concern led to the introduction of amendment 138, which required judicial oversight of the process.


6. Australia's Internet Filtering Too Ambitious, Doomed to Fail
Spoiler
http://arstechnica.com/news.ars/post/20081205-australias-internet-filtering-too-ambitious-doomed-to-fail.html
A succinct list of reasons why the Australian government will not be capable of managing their proposed Internet filter.

It's tough being a government these days; who has the energy to clean up the Internet after a hard day's work bailing out the financial sector? Not the Australian government, it seems. Rather than actually doing something about illegal content, they just make a list of it and tell ISPs to filter everything that's on the list. Sidestepping the murky political details and—for the moment—the civil liberties problems inherent in this approach, let's take a closer look at the technical aspects of such a plan.

In the Internet Service Provider Content Filtering Pilot Technical Testing Framework document, the Australian Government Department of Broadband Communications and the Digital Economy provides some details about what it wants ISPs to do in a pilot project. The main part is that ISPs who are interested in participating in the pilot will test solutions for filtering a list of at most 10,000 URLs on a blacklist maintained by the Australian Communications and Media Authority, a regulator not unlike the FCC. "Prohibited online content" includes what you would imagine, but also your garden variety porn (yes, the stuff they broadcast over the air on public TV in the Netherlands), and under special circumstances even R-rated movies. Filtering URLs on the ACMA blacklist is a mandatory part of the pilot, though additional filters that aren't clearly specified are optional.


7. Hackers Boot Linux On IPhone
Spoiler
http://news.cnet.com/8301-13579_3-10110018-37.html
Hackers have managed to get a copy of Linux running on the iPhone. This is an impressive step forward, though it's far from suitable for users.

A new front has opened in the ongoing arms race between Apple and iPhone hackers, with one hacker group making the iPhone boot with a Linux 2.6 kernel.

The announcement of the successful kernel porting was made on the Linux on the iPhone blog, complete with instructions and source code.


8. AT&T Starts Metered Billing Trial In Reno
Spoiler
http://www.dslreports.com/shownews/ATT-Starts-Metered-Billing-Trial-In-Reno-98856
AT&T have commenced trials of limiting their customers' monthly download capacity in Reno, Nevada.

Earlier this year, AT&T began laying the political and public relations groundwork for a shift toward metered billing, throwing comments to the press about how such a shift was "inevitable," while company lobbyists began dropping vague hints that a billing shift was coming. Last summer, executives at the company announced that the telco would be conducting a metered billing trial this fall. The time for that trial has arrived, and Broadband Reports has learned that Reno, Nevada will be the lucky first market. Last Friday, AT&T filed [a] ... notice with the FCC that confirms the nation's largest ISP will be conducting a metered billing trial in Reno.


9. New Domain to Be Web's Phone Book
Spoiler
http://news.bbc.co.uk/2/hi/technology/7761395.stm
The new .tel top level domain is to be used as a universal online phone book of sorts to enable a universal contact point for online corporations.

Called .tel, the domain is intended to act as a universal contact point rather than as a hook on which to hang websites.

Owners of .tel domains will be encouraged to populate it with details about how they can be contacted.

The domain is designed to work on the web and with mobile phones such as the Apple iPhone and Blackberry.


10. Biz Travelers Howl Over US Gov RFIDs
Spoiler
http://www.theregister.co.uk/2008/12/01/rfid_scanning_under_fire/
In follow-up to this story from last week's news, several organizations have spoken out against the US government's use of long range RFID scanners at border crossings.

A travel industry group has called on the US government to halt its use of new machinery that remotely reads government issued identification cards at border crossings until the safety of the new system can be better understood.

Monday's call by the Association of Corporate Travel Executives (ACTE) follows similar requests by a chorus of civil liberties and computer researchers. They warn that use of the new long-range radio frequency identification (RFID) scanners could jeopardize the privacy and security of people who pass through US borders.


11. Online Payment Site Hijacked by Notorious Crime Gang
Spoiler
http://www.theregister.co.uk/2008/12/03/checkfree_hijacked/
A popular online payment website, checkfree.com, had two of its domains temporarily hijacked by malware distributors for an unknown period of time.

Online payment service CheckFree lost control of at least two of its domains on Tuesday in an attack that sent customers to servers run by a notorious crime gang believed to be based in Eastern Europe.

Reg reader Richard D. reported receiving a bogus secure sockets layer certificate when attempting to log in to his Mycheckfree.com account early Tuesday morning. On further examination, he discovered the site was mapping to 91.203.92.63. To confirm the redirection was an internet-wide problem, he checked the site using a server in another part of the US and got the same result.


12. Nasa Delays Its Next Mars Mission
Spoiler
http://news.bbc.co.uk/2/hi/science/nature/7765818.stm
NASA has been forced to delay its next mission to Mars due to testing and hardware issues surrounding new technology to be used on its next mission.

MSL was scheduled to fly next year, but the mission has been dogged by testing and hardware problems.

The rover's launch would now be postponed until late 2011, agency officials said.

The mission is using innovative technologies to explore whether microbial life could ever have existed on the Red Planet.


13. Sony Emulates Nintendo's Wii With New Controller
Spoiler
http://www.infopackets.com/news/gaming/ps3/2008/20081114_sony_emulates_nintendos_wii_with_new_controller.htm
Sony is developing a new controller for its Playstation platform that is similar in operation to Nintendo's 'Wiimote'.

It's a topic that has long been debated by video game aficionados all over the world: which features make for a better system: the pristine graphics of the Sony PlayStation 3 or the motion-sensitive game play of the Nintendo Wii? If Sony is successful in patenting their new controller concept, they just may be able to sway undecided consumers towards the PS3.

If you can't beat them, join them!

The idea will be to stray away from the traditional "Dual Shock" solid controller, opting instead to introduce a controller that resembles two ice-cream cones attached side-by-side. The controllers would be able to break-apart to maximize the look and feel of what is quickly becoming the next generation of game play control.


Ehtyar.
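The CheckFree hijack in item 11 above was spotted the way a defender usually spots one: a certificate warning for the bank's hostname, and a hostname resolving to an address the operator does not own, confirmed from a second vantage point. The following is an added example, not code from Ehtyar's post or from The Register's article, showing those two checks as offline functions over constructed sample data. The expected network (203.0.113.0/24, an RFC 5737 documentation range), the resolver names and the certificate names are all hypothetical; the only value taken from the article is the address 91.203.92.63 it reports.

```python
"""Offline checks modelled on how the CheckFree redirection was noticed:
(1) do independent resolvers agree, and do their answers fall inside the
networks the operator is known to use?  (2) does the presented certificate
actually name the host?  All sample inputs are constructed for this example."""
import ipaddress
from typing import Dict, Iterable, List

# Constructed: where the legitimate servers are expected to live.
# 203.0.113.0/24 is a documentation range, standing in for the operator's real block.
EXPECTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed: A-record answers gathered from several vantage points.
# 91.203.92.63 is the rogue address reported in the article.
SAMPLE_ANSWERS = {
    "resolver-us-west": "203.0.113.10",
    "resolver-us-east": "91.203.92.63",
    "resolver-eu": "91.203.92.63",
}


def answers_disagree(answers: Dict[str, str]) -> bool:
    """True when the vantage points did not all return the same address."""
    return len(set(answers.values())) > 1


def off_net_answers(answers: Dict[str, str],
                    expected_nets: Iterable[ipaddress.IPv4Network]) -> Dict[str, str]:
    """Return {vantage: ip} for every answer outside the expected networks."""
    nets = list(expected_nets)
    bad = {}
    for vantage, ip in answers.items():
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            bad[vantage] = ip
    return bad


def hostname_matches(hostname: str, san_names: Iterable[str]) -> bool:
    """Simplified RFC 6125 name matching: an exact (case-insensitive) match, or
    a wildcard whose single leading '*' label stands for exactly one label of
    the host.  A bare '*.example.com' therefore does not cover 'example.com'."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*" and len(labels) >= 3:
            if labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False


def assess(hostname: str, answers: Dict[str, str],
           expected_nets: Iterable[ipaddress.IPv4Network],
           san_names: Iterable[str]) -> List[str]:
    """Combine the checks into a list of findings; an empty list means clean."""
    findings = []
    if answers_disagree(answers):
        findings.append("resolvers disagree")
    bad = off_net_answers(answers, expected_nets)
    if bad:
        detail = ", ".join(f"{k}={v}" for k, v in sorted(bad.items()))
        findings.append("off-net answers: " + detail)
    if not hostname_matches(hostname, san_names):
        findings.append("certificate does not name host")
    return findings


if __name__ == "__main__":
    # Constructed bogus certificate: names some other domain entirely.
    for finding in assess("www.mycheckfree.com", SAMPLE_ANSWERS,
                          EXPECTED_NETS, ["*.example.net"]):
        print("FINDING:", finding)
```

Any one of the three findings is enough to stop and investigate; the point of comparing several vantage points is that a hijack of one resolver or one registrar-side record shows up as disagreement even before anyone looks at the certificate.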

97
Living Room / Tech News Weekly: Edition 48
« on: November 29, 2008, 05:48 AM »
The Weekly Tech News
Hi all.
My apologies for getting a little carried away last week folks, this week should be more of a 'summary' as these things are intended to be. Perhaps if people have an opinion on what the minimum and maximum number of articles included should be they could let me know in a reply.
I'm afraid I haven't gotten around to getting code out to Mouse Man for the 'Expand All' button. If I get it done before next week's news and we can actually implement it I'll add it here.
As usual, you can find last week's news here.


1. Facebook Wins Record $873m Fine Against Smut Spammer
Spoiler
http://www.theregister.co.uk/2008/11/25/facebook_spam_lawsuit/
Facebook have won a lawsuit worth $873 million against a Canadian accused of hacking into users' accounts and spamming from them.

Facebook has won a $873m judgment against a Canadian sued for spamming users of the social networking site with "sexually explicit" messages after hacking into the profiles of its members.

Adam Guerbuez, of Montreal, who runs Atlantis Blue Capital and Ballervision.com, was ordered to pay exemplary damages by US District Judge Jeremy Fogel last Friday. Guerbuez did not contest the case, which also resulted in an injunction against him that effectively prevents him from accessing Facebook for any reason ever again.


2. Security Breach Gives PayPal Phish the Personal Touch
Spoiler
http://www.theregister.co.uk/2008/11/24/pamela_security_breach/
A breach of user information held by Pamela Systems has given rise to a personalized phishing scam against users of the Pamela Skype addon.

Skype users who use a piece of software dubbed Pamela to manage their online phone accounts should be on the lookout for customized phishing attacks following revelations that one or more user databases containing names and email addresses have been breached.

The attack, which took place last week, has already led to one phishing campaign that calls recipients by their real names and then tries to trick them into turning over personal information. That added personal touch could throw some users off guard because most phishing emails address their marks by generic terms such as "Dear PayPal User."


3. Unofficial Fix Issued for Vista Networking Flaw
Spoiler
http://www.securityfocus.com/archive/1/498471
For the more technically inclined: http://www.securityfocus.com/archive/1/498471
Calls to a user mode API in Vista Ultimate and Enterprise can lead to kernel mode memory corruption, potentially causing a blue screen or remote code execution in kernel mode. Microsoft has not issued a fix at time of writing, though the researchers that made the discovery have released a modified version of the vulnerable library that fixes the issue.

A system-crashing bug with potential malware implications has been uncovered in Vista. But a fix for the vulnerability, which revolves around flaws in the operating system's network stack, may have to wait until the next service pack.

The TCP/IP stack buffer overflow was discovered by security researchers at Austrian firewall firm Phion in October. Details of the flaw, which also creates a potential mechanism to inject hostile code into vulnerable systems, were disclosed in a posting to BugTraq on Friday.


4. More MS08-067 Exploits
Spoiler
http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx
In followup to: https://www.donationcoder.com/forum/index.php?topic=15476.0#post_Microsoft_Issue_OutOfBand_Security_Patch
For the more technically inclined: http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=2
An exploit for MS08-067 is running rampant over the internet according to Microsoft itself.

As expected, we are seeing another wave of attacks exploiting the vulnerability detailed in security bulletin MS08-067.

Early last week we blogged about MS08-067 exploits. At that time, the number of exploits in the wild was still low and they were mostly targeted attacks. However, during the weekend we started receiving customer reports for new malware that exploits this vulnerability. During the last two days that malware gained momentum and as a result we see an increased support call volume. The SHA1 hash of the malware is 0x5815B13044FC9248BF7C2DBA771F0E6496D9E536 and we detect it as Worm:Win32/Conficker.A.


5. Judge Says BU Can't Turn Over Infringers' IPs in P2P Case
Spoiler
http://arstechnica.com/news.ars/post/20081126-judge-says-bu-cant-turn-over-infringers-ips-in-p2p-case.html
A sane judge on a copyright infringement case? Who knew...

The music industry's requests for more personal information regarding the identity of several accused file-sharers have been shot down by a federal judge. Judge Nancy Gertner quashed a subpoena this week in the infamous London-Sire v. Does 1-4 case, saying that the IP addresses of three anonymous Boston University students could not be handed over because the university had "adequately demonstrated that it is not able to identify the alleged infringers with a reasonable degree of technical certainty."

The legal system has been chipping away at the London-Sire case all year, starting this spring when Judge Gertner said that making files available on a P2P network does not equal copyright infringement. At that time, she also noted that IP addresses can't always be traced to a particular individual and that, if Boston University were compelled to turn over a list of possible infringers, it could give a green light to RIAA fishing expeditions.


6. Key Molecule for Life Found in Habitable Region of the Galaxy
Spoiler
http://blog.wired.com/wiredscience/2008/11/sugar-molecule.html
An important molecule linked to the origin of life has been discovered in a region of The Milky Way.

A sugar molecule linked to the origin of life was discovered in a potentially habitable region of our galaxy.

The molecule, called glycolaldehyde, was spotted in a large star-forming area of space around 26,000 light-years from Earth in the less-chaotic outer regions of the Milky Way. This suggests the sugar could be common across the universe, which is good news for extraterrestrial-life seekers.


7. Lenovo Kills Notebooks With a Text Message
Spoiler
http://www.tgdaily.com/html_tmp/content-view-40351-108.html
Lenovo's next generation of Thinkpad notebooks will permit its owner to disable the 3G-enabled unit via text message. I wonder how long until this gets cracked...

As notebook theft is becoming an increasingly important topic in the IT world, we are now seeing innovative solutions to protect users and corporations from data theft almost on a weekly basis. One of the most interesting and potentially most effective solutions was announced by Lenovo this morning.

A new feature that is expected to become available in Q1 2009 for select Thinkpad laptops will allow notebook owners to disable a notebook with a text message that is sent to a 3G-enabled system via a cellular network. The lockdown will happen immediately if a notebook is turned on or, when it is turned off, the next time the system signs on to a cellular network. To reactivate the disabled PC, a user needs to enter a pre-set passcode created during notebook startup.


8. Another Layer of Security for PayPal Accounts
Spoiler
http://www.net-security.org/secworld.php?id=6768
Paypal users now have access to another layer of security with the option of receiving a security code as a text message prior to logging in.

PayPal announced a new way for members to add even more security to their PayPal accounts using their mobile phones. Customers can now choose to receive a unique six-digit security code via text message to their mobile phones prior to logging in to their accounts.

The PayPal SMS Security Key adds another layer of protection to PayPal accounts and uses the same security infrastructure as the PayPal Security Key, which generates a unique security code approximately every 30 seconds on a small electronic token. Members receive this code to their phones or tokens, and use the codes along with their usernames and passwords to sign in to their accounts.


9. New Machines Scan IDs at Border Crossings
Spoiler
http://www.usatoday.com/tech/news/computersecurity/2008-11-23-passport-chips_N.htm?csp=34
Machines are in use at several US border crossing stations that permit border security agents to read information stored in RFID-enabled government documentation.

Agents along the Canada and Mexico borders are using a controversial new machine that can "read" the personal information contained in some government-issued ID cards — such as passports and driver's licenses — as travelers approach a checkpoint.

The Homeland Security Department says the new practice will tighten security and speed the flow of traffic. Privacy advocates say the technology could make Americans less secure because terrorists or other criminals may be able to steal the personal information off the ID cards remotely.



Ehtyar.
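Item 8 above describes a token (or SMS) code that changes roughly every 30 seconds and is checked alongside the username and password. The block below is an added example, not PayPal's code or anything from the article: it implements a time-based one-time password in the RFC 6238 style (HMAC-SHA1 over a 30-second time counter, dynamic truncation to six digits) and a verifier that tolerates one step of clock skew. The shared secret is the RFC 4226/6238 test-vector value and is a constructed stand-in; a real deployment provisions a per-token secret.

```python
import hmac
import hashlib
import struct
import time

# Constructed demo secret (the ASCII test-vector secret from RFC 4226 / RFC 6238).
# Assumption for the example only; a real token gets its own random secret.
SECRET = b"12345678901234567890"
STEP = 30     # seconds per code, matching the ~30 s rollover described above
DIGITS = 6    # six-digit code, as in the article


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given 64-bit counter."""
    msg = struct.pack(">Q", counter)                     # counter as big-endian uint64
    mac = hmac.new(secret, msg, hashlib.sha1).digest()   # 20-byte HMAC-SHA1
    offset = mac[-1] & 0x0F                              # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)      # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Time-based OTP (RFC 6238): the counter is the number of whole steps since epoch."""
    return hotp(secret, unix_time // step, digits)


def verify(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps.

    The comparison is constant-time so a wrong guess leaks nothing through timing.
    A production verifier should also remember the last accepted counter and
    refuse re-use of the same code (replay protection), which is omitted here.
    """
    counter = unix_time // STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET, now)
    print("current code:", code, "valid:", verify(SECRET, code, now))
```

The verifier's skew window is a deliberate trade-off: each extra step accepted roughly doubles an attacker's per-attempt guessing odds, so keep it small and pair it with rate limiting on the login endpoint.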

98
Living Room / Tech News Weekly: Edition 47
« on: November 21, 2008, 10:23 PM »
The Weekly Tech News
TNWeekly01.gifHi all.
No meta-news this week.
As usual, you can find last week's news here.


1. E-mails Show How Intel Benefited from Vista Capable Changes (Thanks 40hz)
Spoiler
http://arstechnica.com/news.ars/post/20081117-e-mails-show-how-intel-benefited-from-vista-capable-changes.html
It seems Wintel is still truly alive and kicking. Documents have been produced in the "Vista Capable" lawsuit against Microsoft showing that Intel was the sole beneficiary in some of the decisions made about the campaign.

A federal court judge recently unsealed a fresh batch of documents pertaining to the ongoing Vista Capable lawsuit, including two recent filings by both the plaintiff (Diane L. Kelley, et al) and defendant (Microsoft). The first filing, on behalf of Diane L. Kelley, begins by stepping through what we learned from the bevy of internal emails Microsoft was forced to release earlier this year. Plaintiffs allege that Microsoft's behavior as it regards the use of the "Vista Capable" designation constitutes an unfair and deceptive practice, and request summary judgment on this point. Microsoft's filing addresses a somewhat different matter, and requests a protective order from the court that would relieve the company of the obligation to produce CEO Steve Ballmer for deposition.


2. Big Guns Come Out In Effort To Show RIAA's Lawsuits Are Unconstitutional
Spoiler
http://techdirt.com/articles/20081030/0203582685.shtml
Some VERY interesting material on how the legal heavyweights are finally getting involved in RIAA lawsuits...and may actually succeed in proving that much of the RIAA's backing is in fact unconstitutional.

People have been submitting this story nonstop, but I wanted to take some time to read the details before commenting on it. It's not the first time that folks have argued that the damages sought by the RIAA in various lawsuits against file sharers are unconstitutional. However, the few times it's been brought up in court, the arguments haven't been persuasive. However, this time around, it looks like the big legal guns are getting involved, and the argument seems a lot more comprehensive and compelling.

In the past, it's been noted that the RIAA has curiously avoided suing any Harvard students, with one of the theories being that Harvard had made it quite clear to the RIAA that it would fight back hard. And, with Harvard law school at its disposal, and various professors there indicating that they had serious legal problems with the RIAA's strategy, the RIAA simply decided to ignore any file sharing going on at that prestigious university.


3. Secret German IP Addresses Leaked
Spoiler
http://wikileaks.org/wiki/German_Secret_Intelligence_Service_(BND)_T-Systems_network_assignments,_13_Nov_2008
Via: http://www.schneier.com/blog/archives/2008/11/secret_german_i.html
A document has been fed to Wikileaks detailing several IP address ranges allegedly held by German intelligence agency Bundesnachrichtendienst (BND). There is some proof it is legitimate.

The PDF document holds a single paged scan of an internally distributed mail from German telecommunications company T-Systems (Deutsche Telekom), revealing over two dozen secret IP address ranges in use by the German intelligence service Bundesnachrichtendienst (BND). Independent evidence shows that the claim is almost certainly true and the document itself has been verified by a demand letter from T-systems to Wikileaks.


4. Online Age Verification for Children Brings Privacy Worries
Spoiler
http://www.nytimes.com/2008/11/16/business/16ping.html?_r=1&oref=slogin
An interesting essay on one potential avenue for misuse of online age verification technology.

Child-safety activists charge that some of the age-verification firms want to help Internet companies tailor ads for children. They say these firms are substituting one exaggerated threat — the menace of online sex predators — with a far more pervasive danger from online marketers like junk food and toy companies that will rush to advertise to children if they are told revealing details about the users.

“It’s particularly upsetting,” said Nancy Willard, an expert on Internet safety who has raised concerns about age verification on her Web site over the last month. “Age verification companies are selling parents on the premise that they can protect the safety of children online, and then they are using this information for market profiling and targeted advertising.”


5. Lego Safe is Ultra Secure
Spoiler
http://www.slipperybrick.com/2008/11/legos-safe/
Video: http://au.youtube.com/watch?v=XjWt4O4bSjQ
An awfully fun way to spend one's cody-currency.

You might think that a Lego safe would be easy to open. Maybe just remove a few bricks and you’re in. But that’s not the case with this thing, the cutting edge of Lego safe technology. The safe weighs 14 pounds and has a motion detecting alarm so it can’t be moved without creating a huge ruckus.

The lock takes five double digit codes to open it. That translates into over 305 billion different combinations. It even boasts an electronic status display showing the numbers as you turn the combination dials. When you enter the combination, the door electronically opens itself. It’s a great place to store all of your valuable geek stuff.


6. Microsoft Kills OneCare, Replaces It With Freebie 'Morro'
Spoiler
http://blogs.zdnet.com/security/?p=2190&tag=nl.e589
Discussion started by Carol Haynes: https://www.donationcoder.com/forum/index.php?topic=15803.0
Microsoft have decided to drop their Microsoft OneCare subscription in mid-2009 and replace it with a free anti-virus suite.

Microsoft today announced plans to kill its Windows Live OneCare PC care and security suite and replace it with a free anti-malware utility.

The new product, code-named “Morro,” will be designed for a smaller footprint that will use fewer computing resources, making it ideal for low-bandwidth scenarios or less powerful PCs, Microsoft said in its surprise announcement.


7. Under Worm Assault, Military Bans Disks, USB Drives
Spoiler
http://blog.wired.com/defense/2008/11/army-bans-usb-d.html
The US Military has banned the use of removable storage on its classified and unclassified networks in an attempt to stop the spread of a worm that has infected their computer systems.

The Defense Department's geeks are spooked by a rapidly spreading worm crawling across their networks. So they've suspended the use of so-called thumb drives, CDs, flash media cards, and all other removable data storage devices from their nets, to try to keep the worm from multiplying any further.

The ban comes from the commander of U.S. Strategic Command, according to an internal Army e-mail. It applies to both the secret SIPR and unclassified NIPR nets. The suspension, which includes everything from external hard drives to "floppy disks," is supposed to take effect "immediately." Similar notices went out to the other military services.


8. Dead Network Provider Arms Rustock Botnet from the Hereafter
Spoiler
http://www.theregister.co.uk/2008/11/18/short_mccolo_resurrection/
http://www.networkworld.com/news/2008/111708-dodgy-isp-briefly-comes-online.html
In followup from this story in last week's news, ISP McColo briefly returned from the dead thanks to a backup arrangement with another ISP in order to allow its client to transfer control of botnets and such to new ISPs.

McColo, a network provider that was yanked offline following reports it enabled more than half the world's spam, briefly returned from the dead over the weekend so it could hand-off command and control channels to a new source, security researchers said.

The rogue network provider regained connectivity for about 12 hours on Saturday by making use of a backup arrangement it had with Swedish internet service provider TeliaSonera. During that time, McColo was observed pushing as much as 15MB of data per second to servers located in Russia, according to Paul Ferguson, a security researcher for anti-virus software maker Trend Micro.


9. E-gold Directors Avoid Jail
Spoiler
http://www.theregister.co.uk/2008/11/21/e_gold_sentencing/
The top-knobs of notorious online money transfer firm E-Gold have escaped jail after a District Court Judge took leniency on them when she found they had not intentionally serviced criminals.

Three directors of digital currency firm e-gold avoided a spell behind bars on Thursday after earlier pleading guilty to offences for money laundering and running an unlicensed money transfer business.

The three directors, along with the e-gold company itself and parent firm Gold & Silver Reserve, were charged in April 2007 with becoming a clearing house for child pornography payments and investment scams. Prosecutors charged that slack-shod verification meant the service had become a banker to cybercrooks. After initially disputing the charges the defendants pleaded guilty in July 2008.


10. Phisher-besieged PayPal Sends Users Faux Log-in Page
Spoiler
http://www.theregister.co.uk/2008/11/20/paypay_hyperlink_snafu/
PayPal have been sending customers emails directing them to an incorrect login URL possibly for as long as two months.

PayPal, the online payment service that is a major target of phishers, has been caught sending customer emails that confuse its own login page with a third-party landing site that offers spyware protection and a bevy of other products.

The faux hyperlink to secure.uninitialized.real.error.com was included in official emails PayPal sent to customers to confirm recent payments. PayPal advertised it as the official address to log in to the service. Recipients who configured their systems to read email as HTML wouldn't notice the link was incorrect unless they were paying close attention.


11. PC Virus Forces Three London Hospitals Into Computer Shutdown
Spoiler
http://www.theregister.co.uk/2008/11/18/london_hospital_malware_shutdown/
Three London hospitals had their computer systems shut down when it became apparent they were infected with malware. The systems have since returned and there is no indication any information on them was exposed.

Three London Hospitals shut down their computer systems on Tuesday in response to a computer virus infection.

Infection by the Mytob worm sparked the emergency response, involving St Bartholomew's (Barts), the Royal London Hospital in Whitechapel and The London Chest Hospital in Bethnal Green. The three hospitals are members of the Barts and The London NHS Trust.


12. Lame Mac Trojan Limps Into View
Spoiler
http://www.theregister.co.uk/2008/11/19/mac_trojan/
Look out folks, believe it or not Macs might actually be becoming popular enough to have their own trojans, however ineffectual.

Security researchers have uncovered a rare example of a Trojan that affects Mac PCs.

Lamzev-A creates a backdoor on compromised Mac OS-X systems. The malware typically disguises itself as video codec on dodgy websites. Mac users hoping to watch a clip from a grumble flick get infected instead, a trick carried out by the earlier RSPlug Mac Trojan.


13. British National Party Membership List Leaks Online
Spoiler
http://www.theregister.co.uk/2008/11/18/bnp_loses_list/
The membership list of Britain's right-wing-nutjob political party has been leaked online. Included are names, phone numbers and email addresses along with various other personal details. Serves them right.

The British National Party has lost its membership list - the whole thing has been published online.

The list includes names, addresses, phone numbers and email addresses of all members up to September 2008. It also includes some people's ages, especially those under 18 - the BNP offers family membership for £40. Many entries also contain more personal comments about jobs or hobbies. That's how we know that that BNP members include receptionists, district nurses, amateur historians, pagans, line dancers and a male witch.


14. SSH Sniffer Attack Poses Minor Risk
Spoiler
http://www.theregister.co.uk/2008/11/18/ssh_sniffer_attack/
A vulnerability that has the potential to reveal the plaintext of an SSH session has been discovered and is confirmed to affect OpenSSH and various commercial SSH clients and servers. The vulnerability is not considered to be particularly harmful, though users are urged to update their software or switch from CBC to stream mode.

UK security researchers have discovered hard-to-exploit cryptographic weaknesses in the Secure Shell (SSH) remote administration protocol.

The shortcoming creates a potential means to recover the plain text of encrypted sessions, depending on remote access configurations. Potential attacks - which would take ninja-like hacking skills to pull off - would involve inducing and observing error conditions. It's much more likely that a potential attack would crash a conversation than yield useful results.


15. Obama's Cell Records Improperly Accessed
Spoiler
http://news.cnet.com/8301-1009_3-10104997-83.html
Verizon staff have illegitimately accessed the mobile phone records of US president-elect Barack Obama. The phone in question is no longer being used.

President-elect Barack Obama's cell phone billing records were improperly accessed by employees of Verizon Wireless, CNN reported late on Thursday.

Obama's transition team was informed of the breach by Verizon Wireless representatives on Wednesday, team spokesman Robert Gibbs told the news agency. The Secret Service has been informed, Gibbs said.

The phone, a voice flip-phone with no e-mail access, is no longer active or being used by Obama, the report said. Lists of phone numbers and calls made by Obama could have been accessed, but "nobody was monitoring voicemail," Gibbs is quoted as saying.


16. Researchers Find Flaws In Microsoft VoIP Apps
Spoiler
http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=212100043
Flaws have been found in Microsoft Office Communications Server 2007, Office Communicator, and Windows Live Messenger that could allow an attacker to cause a denial-of-service condition in the software.

Security researchers say they have discovered several vulnerabilities in Microsoft applications that work with voice over IP (VoIP).

VoIPshield Laboratories, a new research division at VoIPshield Systems, says the new vulnerabilities affect applications that use media stream protocols like Real-time Transport Protocol (RTP), a popular standardized packet format for delivering audio and instant messaging over the Internet. The vulnerabilities could allow attackers to launch denial-of-service (DoS) attacks -- not only against the Microsoft applications, but against the entire desktop environment, the researchers say.


17. FOIA Docs Show Feds Can Lojack Mobiles Without Telco Help
Spoiler
http://arstechnica.com/news.ars/post/20081116-foia-docs-show-feds-can-lojack-mobiles-without-telco-help.html
According to documents obtained through Freedom of Information (and a lawsuit, naturally) by the ACLU and the EFF, US federal law enforcement is capable of tracking the location of cellphones without the assistance of cell providers as previously believed.

Courts in recent years have been raising the evidentiary bar law enforcement agents must meet in order to obtain historical cell phone records that reveal information about a target's location. But documents obtained by civil liberties groups under a Freedom of Information Act request suggest that "triggerfish" technology can be used to pinpoint cell phones without involving cell phone providers at all.

Triggerfish, also known as cell-site simulators or digital analyzers, are nothing new: the technology was used in the 1990s to hunt down renowned hacker Kevin Mitnick. By posing as a cell tower, triggerfish trick nearby cell phones into transmitting their serial numbers, phone numbers, and other data to law enforcement. Most previous descriptions of the technology, however, suggested that because of range limitations, triggerfish were only useful for zeroing in on a phone's precise location once cooperative cell providers had given a general location.


18. Duke's New P2P Policy Won't Stop RIAA Lawsuits
Spoiler
http://arstechnica.com/news.ars/post/20081116-analysis-dukes-new-p2p-policy-wont-stop-riaa-lawsuits.html
If nothing else, an interesting insight into the way the RIAA conducts their lawsuits.

Since the RIAA decided to go after on-campus P2P use in a big way back in February 2007, one of the major questions facing university IT departments was how to respond to the RIAA's prelitigation settlement letters. Duke University has decided that it will now require concrete evidence that copyright infringement actually occurred before forwarding those letters to students.

As an incentive to get students to settle sooner rather than later, the RIAA has instituted a tiered settlement system. Basically, the faster the student forks over the cash to the record labels, the less it will cost him or her. If a school receives a prelitigation settlement letter from the RIAA and immediately forwards it on to the target, it will cost the student $3,000. If the RIAA needs to file a Doe lawsuit to learn the identity of the student, the cost goes up to $4,000. And should the student seek to block the subpoena or otherwise block the RIAA's attempts to discover the name behind the IP address, the price doubles to $8,000.


19. Tennessee Anti-P2P Law to Cost Colleges Over $13 Million
Spoiler
http://arstechnica.com/news.ars/post/20081118-tennessee-anti-p2p-law-to-cost-colleges-over-13-million.html
New legislation in the state of Tennessee requiring public and private colleges to prevent copyright infringement on campus networks is likely to cost $13 million.

With the RIAA's long-running legal war against file-sharing not having the desired effects, the music industry has turned its sights on legislation aimed at getting others to do the dirty work of copyright enforcement. Last week, they scored a victory when the state of Tennessee passed a law that would require colleges and universities to work to prevent copyright infringement over campus networks. It's great news for the RIAA, but bad news for Tennessee students and taxpayers who will have to foot the $13 million bill.

SB 3974 was introduced this past February into the state legislature. Championed by the RIAA, who pointed to the University of Tennessee's no. 4 position on the list of top music piracy schools, and the MPAA, which noted the school's no. 19 spot on its infringement list, the law will force both public and private schools in the state to implement policies to prevent and prohibit copyright infringement on campus computers and networks.


20. Apple Lawyers Hand IPod Hash Cracking Site a DMCA Notice
Spoiler
http://arstechnica.com/journals/apple.ars/2008/11/21/apple-lawyers-hand-ipod-hash-cracking-site-a-dmca-notice
As one might expect, Apple isn't taking kindly to attempts to reverse engineer a file system protection mechanism on its iPods.

Although not a widely-publicized addition, one of the newer "features" Apple has added to its iPods and iPhones is a hash that protects the iTunesDB file, which stores information about what music you have on your iPod and where it's located on the iPod's hard drive. As it turns out, Apple doesn't seem to like people meddling with the iPhone and iPod touch hash, and according to Slashdot, Apple lawyers recently sent a DMCA violation notice to a project that was attempting to reverse-engineer the current version of the iTunesDB protection.

Without the ability to access the iTunesDB file, it's harder (or impossible) for iTunes alternatives like Songbird to work fully with iPods. The hash used on things like the iPod classic was cracked fairly quickly, but Apple changed the iTunesDB hash when it released the iPhone and iPod touch 2.0 firmware. According to the notice, Apple is claiming that attempts to reverse-engineer the iPhone 2.0 hash count as circumvention of its FairPlay DRM, possibly because the new hash is more closely related to Apple's DRM technology. Apple really doesn't want people trying to hack FairPlay, and appears to be nipping the iPod hash project in the bud before too much progress is made.


21. Inaction On Disconnect Pleas at Root of Aussie ISP Lawsuit
Spoiler
http://arstechnica.com/news.ars/post/20081121-inaction-on-disconnect-pleas-at-root-of-aussie-isp-lawsuit.html
Several Hollywood studios are taking Australian ISP iiNet to court in response to their failure to act on infringement notices.

Seven major film studios and affiliates have filed suit in Australia against one of the country's large ISPs, iiNet, charging the company with a failure to act on detailed reports of illegal file-sharing across its network.

In their quest to police illegal online video sharing, film and television rightsholders have long wanted to deputize ISPs. Going directly after consumers is slow, expensive, and capable of generating substantial bad press (see: RIAA litigation campaign), and it has the added downside of requiring huge amounts of work. Such attempts have been sometimes successful, as in various "graduated response" agreements in Europe, but most often have been sharply resisted by ISPs unwilling and unable to play traffic cop.


22. First Test for Interplanetary Net
Spoiler
http://news.bbc.co.uk/2/hi/technology/7741184.stm
NASA has made its first successful test of the new Disruption-Tolerant Networking (DTN) technology it hopes will be the standard for communication through space in the future.

Nasa has successfully transmitted images to and from a spacecraft 20 million miles away with a communications system based on the net.

The Disruption-Tolerant Networking (DTN) technology is designed to work across vast distances where response times can be measured in days.

Further tests of DTN are due to take place on the International Space Station (ISS) in 2009.


23. Huge Buried Water Glaciers Discovered On Mars
Spoiler
http://blog.wired.com/wiredscience/2008/11/huge-buried-wat.html
Huge subterranean glaciers have been discovered on Mars.

Giant glaciers buried under the surface of Mars at much lower latitudes than any previously known ice are a potential source of drinking water for future astronauts.

The discovery, made using ground-penetrating radar on NASA's Mars Reconnaissance Orbiter, offers new possibilities in the search for life on the red planet.


Ehtyar.
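Item 10 above turns on a detail that HTML mail hides well: the link's visible text said one thing (the official PayPal address) while its href pointed at a third-party host, and anyone reading the message as HTML would not see the difference. The block below is an added example, not PayPal's code or the article's: it parses an HTML mail body, and for every anchor whose visible text looks like a URL or hostname it compares the registrable domain of that text with the registrable domain of the href, flagging the pair when they differ. The email body is constructed for the demo (only the mismatched hostname, secure.uninitialized.real.error.com, comes from the article), and the "last two labels" domain rule is a simplification assumed here in place of a proper public-suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mail body. The odd hostname in the first link is the one the
# article reports; everything else is made up for the example.
SAMPLE_EMAIL = """
<p>You sent a payment. Log in at
<a href="http://secure.uninitialized.real.error.com/">https://www.paypal.com/us/</a></p>
<p>Questions? Visit the <a href="https://www.paypal.com/help">Help Center</a>.</p>
<p>Or go straight to <a href="https://www.paypal.com/us/cgi-bin/webscr">www.paypal.com</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Hostname of a URL, or of a bare hostname; empty string if unparseable."""
    s = value.strip()
    if "://" not in s:
        s = "http://" + s          # let urlparse treat bare text as a URL
    try:
        return (urlparse(s).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (assumption; no public-suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_mismatches(html: str):
    """Return (visible_text, href) for links whose shown domain != actual domain.

    Anchors whose text is not URL-like (no dot in the derived host) are ignored:
    'Help Center' says nothing about where it goes, so there is nothing to contradict.
    """
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        text_host = host_of(text)
        if not text_host or "." not in text_host:
            continue
        if registrable(text_host) != registrable(host_of(href)):
            flagged.append((text, href))
    return flagged


if __name__ == "__main__":
    for shown, actual in find_mismatches(SAMPLE_EMAIL):
        print(f"shown as {shown!r} but points to {actual!r}")
```

This is the same check a mail gateway can apply before delivery; for real traffic replace `registrable()` with a public-suffix-list lookup, since the two-label rule misjudges hosts such as `example.co.uk`.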

99
Living Room / Tech News Weekly: Edition 46
« on: November 14, 2008, 06:12 PM »
The Weekly Tech News
TNWeekly01.gifHi all.
No metanews this week ladies and gents.
As usual, you can find last week's news here.


1. Valve Tried to Trick Half Life 2 Hacker Into Fake Job Interview
Spoiler
http://blog.wired.com/27bstroke6/2008/11/valve-tricked-h.html
Well known game making firm Valve attempted to lure a suspected German hacker to the United States (to be arrested) by offering him a job.

After the secret source code for its then-unreleased shooter Half Life 2 showed up on file sharing services in 2003, game-maker Valve Software cooked up an elaborate ruse with the FBI targeting the German hacker suspected in the leak, even setting up a fake job interview in an effort to lure him to the United States for arrest.

The gambit ultimately failed, and Axel "Ago" Gembe remained safely in Germany. He was indicted last month in Los Angeles on new charges of creating the Agobot malware, and sharing it with a crew of U.S. hackers who used it to stage denial-of-service attacks in 2003.


2. Security Experts Reveal Details of WPA Hack
Spoiler
http://www.heise-online.co.uk/security/Security-experts-reveal-details-of-WPA-hack--/news/111922
Followup from: https://www.donationcoder.com/forum/index.php?topic=15629.0#post_WPA_WiFi_Encryption_is_Cracked
For the more technically inclined: http://arstechnica.com/articles/paedia/wpa-cracked.ars
Also, WPA2 is not next on the chopping block: http://erratasec.blogspot.com/2008/11/wpa2-is-not-next-on-chopping-block.html
The researchers who last week claimed to have broken WEP encryption have revealed their technique; it's a variant of the chopchop attack used against WEP. IMO the attack probably isn't worthy of all the hype.

In their paper, Practical attacks against WEP and WPA (PDF), Martin Beck and Erik Tews have published details about their attacks on WPA secured networks. The attack is essentially a variant of the chopchop attack used against WEP secured networks, which surfaced in early 2005. The name "chopchop attack" is a nod to the KoreK-developed chopchop tool, which allows the user to decrypt an arbitrary encrypted data packet without having to know the WEP key.

The program slices off the last byte of a WEP packet. Under the assumption that the final byte was the zero byte, it attempts to reconstruct a valid checksum with an XOR link from the last four bytes to a specific value. Then it sends the packet to an access point and observes whether it is accepted. If not, it assumes that the sliced off byte was a 1 – in the worst case it continues this process all the way to 256. This process is then repeated for every other byte in the packet. Once finished, the attacker has the packet in plain text.


3. Google Encourages Profile Verification
Spoiler
http://www.datastronghold.com/index.php/tech-news/1481-who-are-you-google-profiles-knows
Google is encouraging users with profiles to have the information on them 'verified' by a third party.

Google also added an additional feature that lets people verify their actual information by checking the data against phone records or credit card records.  Here's what Google had to say about the verify procedure.

"Profiles will display a 'verified name' badge, if the user has verified their name through Knol. Any user can go through Knol's interface to obtain the verified badge," Google said in a statement.


4. IT Security 'Myth Or Truism'
Spoiler
http://edge.networkworld.com/news/2008/110608-security-myths.html
If nothing else, an interesting insight into the opinions of some of IT's best known security gurus. Shame about some of the awful questions.

They are etched into the conventional wisdom of IT security, but are these 12 articles of faith (to some) actually wise, or are they essentially myths? We've assembled a panel of experts to offer their judgments.


5. Firefox 3.0.4 Closes Nine Security Holes
Spoiler
http://www.heise.de/english/newsticker/news/118852
http://news.cnet.com/8301-1009_3-10096399-83.html
Mozilla's most recent Firefox fixes 9 security vulnerabilities, 4 critical. They involve crash bugs, a privilege escalation vulnerability, and a remote code execution vulnerability.

The Mozilla Foundation has released Firefox version 3.0.4 to close nine security holes. The developers rated four of the holes as critical because they allow attackers to execute arbitrary code on the victim's system. One of the critical holes is a classical buffer overflow that can be triggered via specially crafted server responses.

A flaw in the way the browser restores a session after a program crash can cause Firefox to violate the same-origin policy when executing JavaScript code, which could be exploited to execute the code in the context of a different website. Attackers could remotely trigger a crash and subsequent restart to steal a user's access data to other web pages, for example.


6. Spam Declines After Hosting Company Shut-down
Spoiler
http://news.cnet.com/8301-1009_3-10095730-83.html
A significant drop in eMail SPAM has been seen across the globe as a direct result of the closure of a notorious ISP.

Internet hosting site McColo disappeared on Tuesday. Along with it went thousands of pieces of spam, thanks, in part, to investigative work by Washington Post reporter Brian Krebs.

For about four months, security experts have been collecting data about McColo Corp., a San Jose, Calif.-based Web hosting service that may have been used by the cyber underground, according to The Washington Post. Krebs said that the McColo hosting company had been responsible for up to 75 percent of all spam sent.


7. Equifax Offers Its First I-card
Spoiler
http://news.cnet.com/8301-1009_3-10096835-83.html
As one might have expected: Equifax's new age-verification tool cumbersome, limited
The first 'online over-18 cards' have been dispensed by Equifax. Governments and corporate identities hope it will soon become the norm to possess an 'online wallet' in order to verify one's identity online. As a member of the tin-foil-hat-brigade, I'm far from impressed.

Equifax on Thursday introduced its first information card or I-card, Equifax Over 18 card. I-cards are envisioned to be the online equivalent of a driver's license, passport, or similar ID. The basic idea is that customers would have an electronic wallet with various information cards that would allow customers to bypass typing in user names and passwords.

In this case, the Equifax card proves--via a trusted third party--that you are over 18 when accessing specially marked Web sites. "With fraud and identity theft on the rise, companies need better, more secure ways to conduct transactions online and take their identity management practices to the next level," said Steve Ely, president of Equifax Personal Information Solutions, in a statement.


8. IE Supports HTTPOnly Cookies
Spoiler
http://ha.ckers.org/blog/20081111/httponly-fix-in-msxml/
With the release of MS08-069 cookies marked as HTTPOnly will no longer be accessible to javascript in IE.

I’m happy to announce that Microsoft has released MS08-069 today. It’s got a lot of changes in it, but one in particular that I’ve been tracking for about a year now. MSXML has made a change so that HTTPOnly cookies cannot be read by XMLHTTPRequest within IE. Why is that good? It makes it so that JavaScript can no longer steal cookies that try to protect themselves. That’s a good thing.

It might seem like a big thing that that was even possible, but really it’s not as bad as it sounds, making this issue a lower priority in my mind. Cookies are rarely sent from the server to the client on every request and typically do require some information to be sent (like a username and password) before the Set-Cookie header is sent. So XMLHTTPRequest was really only useful for stealing cookies if the Set-Cookie header was sent on every request. Maybe there are some sites out there that do that, but it’s not that common. Either way, I’m glad MS got around to fixing it.


9. Visa Tests Credit Card With Random Number Generator
Spoiler
http://www.darkreading.com/security/privacy/showArticle.jhtml?articleID=212001898
Visa is now testing a credit card with a built in random number generator to replace the existing 'CCV' verification system in the hopes it will better protect against card-not-present fraud.

Visa is testing a new credit card that can generate a random-number passcode to help ensure it won't be used by unauthorized individuals.

In trials starting this week at four banks -- Bank of America UK, Corner Bank in Switzerland, Cal in Israel, and IW Bank in Italy -- Visa and EMUE Technologies are testing a Visa PIN card, an alternative to the "CCV" code currently printed on the back of most cards to help ensure that the individual is actually in possession of the card. The technology was first introduced in June.


10. AVG Incorrectly Flags User32.dll in Windows XP SP2/SP3
Spoiler
http://arstechnica.com/journals/microsoft.ars/2008/11/11/avg-incorrectly-flags-user32-dll-in-windows-xp-sp2sp3
A routine signature database update for AVG antivirus last week saw users of Windows XP SP2/SP3 warned that user32.dll was actually a virus, and upon removal could not boot their systems.

After a Sunday virus definition update, AVG's antivirus software began to mistakenly warn users that their system had a virus entitled PSW. banker4.APSA and suggested it had to be removed. The file that was being flagged was actually "user32.dll," a key Windows file. Many users chose to delete the file, which resulted in their Windows systems going into an endless reboot cycle, or stopped them from booting at all. Only users of Windows XP Service Pack 2 and Service Pack 3 seem to have been affected (users who have moved to Vista can apparently breathe a sigh of relief). Both AVG 7.5 and 8.0 were affected by the flawed definition file.


11. 26th Year of Asteroids Record
Spoiler
http://www.wired.com/science/discoveries/news/2008/11/dayintech_1113
The record for the highest score in the arcade game 'Asteroids' has been standing (and still is) for twenty-six years.

1982: Fifteen-year-old Scott Safran of Cherry Hill, New Jersey, sets the world record score in the arcade game Asteroids — the longest-standing videogame high score in history.

Safran, who had been practicing nonstop at the game for the previous two years, agreed to play a marathon session of Atari's popular outer-space shooting game as part of a charity event in Pennsylvania. His mother drove him to the event and lent him a quarter, which he dropped into the machine Nov. 13.


12. Pentagon Clears Flying-Car Project for Takeoff
Spoiler
http://blog.wired.com/defense/2008/11/darpas-flying-c.html
The Pentagon has commissioned work on "Personal Air Vehicle Technology" which it hopes will lead to the development of a helicopter/car hybrid or something similar. Sorry guys, this is for military application only at the moment :(

Pentagon mad-science division Darpa is helping build thought-controlled robotic limbs, artificial pack mules, real-life laser guns and "kill-proof" soldiers. So it comes as no surprise, really, that the agency is now getting into the flying-car business, too.

Darpa hopes its "Personal Air Vehicle Technology" project, announced yesterday, will ultimately lead to a working prototype of a military-suitable flying car -- a two- or four-passenger vehicle that can "drive on roads" one minute and take off like a helicopter the next. The hybrid machine would be perfect for "urban scouting," casualty evacuation and commando-delivery missions, the agency believes.


13. First Direct Image of Multiple Exoplanets Orbiting a Star
Spoiler
http://blog.wired.com/wiredscience/2008/11/first-direct-im.html
Firstly...COOL!! In the past, planets were detected by the disturbances their field of gravity caused their star. Now, we can see them directly.

For the first time, astronomers have taken a visual image of a multiple-planet solar system beyond our own.

Using the Gemini North telescope and the W. M. Keck Observatory on Hawaii's Mauna Kea, researchers observed in infrared light three planets orbiting around a star about 130 light-years away from Earth, called HR 8799. The discovery, published today in Science Express, is a step forward in the hunt for planets, and life, beyond Earth.


14. Net Spying Firm and ISPs Sued Over Ad System
Spoiler
http://blog.wired.com/27bstroke6/2008/11/net-spying-firm.html
A class action lawsuit has been filed against advertising firm NebuAd and its partner ISPs for illegally spying on their customers in order to deliver targeted advertisements. Tin-foil-hat-brigade: 1, ISPs/NebuAd: 0.

Net eavesdropping firm NebuAd and its partner ISPs violated hacking and wiretapping laws when they tested advertising technology that spied on ISP customers' web searches and surfing, according to a lawsuit filed in federal court Monday.

The lawsuit seeks damages on behalf of thousands of subscribers to the five ISPs that are known to have worked with NebuAd. If successful, the suit could be the final blow to the company, which abandoned its eavesdropping plans this summer after powerful lawmakers began asking if the companies and ISPs violated federal privacy law by monitoring customers to deliver targeted ads.


15. Google Fixes Embarrassing Android Bug
Spoiler
http://blog.wired.com/gadgets/2008/11/google-fixes-an.html
Google has fixed a rather odd flaw in Android that caused any text typed in any application to be passed to the phone's command shell, then executed with root privileges.

Google has fixed a potentially devastating bug in its newly released Android operating system.

Some users of T-Mobile's G1 phone found that typing any word on the phone's keyboard — in any application — sent whatever they typed to the phone's command line shell.

Those commands were then executed with root user privileges, meaning there were no limitations on what the commands could do to the phone. For instance, texting the word 'reboot' would actually cause the phone to do so.


16. Obama Administration To Keep Fewer Secrets?
Spoiler
http://arstechnica.com/journals/law.ars/2008/11/07/setec-astronomy
An interesting collection of potential indications of a more open information policy from the soon-to-be Obama administration. Yay tin-foil-hat-brigade! For those of you that don't get the 'Setec Astronomy' reference, it's an anagram of 'Too Many Secrets', and you'd better get your arse down to the local rental place and get yourself a copy of Sneakers RIGHT NOW!!

Steven Aftergood of Secrecy News dangles this tantalizing (if vague) tidbit about classification policy under the Obama administration:

    “I know things are going to change,” one executive branch official with national security classification responsibility said this morning.  “The folks that are inbound have a keen appreciation for the kind of things that need to occur,” the official said.

Aftergood notes that Center for American Progress honcho John Podesta, the Clinton White House alumnus who's heading up Obama's transition team, delivered a broadside against overclassification in testimony before Congress just a few months ago:

    Excessive secrecy conceals our vulnerabilities until it is too late to correct them. It slows the development of the scientific and technical knowledge we need to understand threats to our security and respond to them effectively. It short-circuits public debate, eroding confidence in the actions of the government. It undermines the credibility of the information security system itself, encouraging leaks and causing people to second-guess legitimate restrictions.



Ehtyar.
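On item 8 above (HTTPOnly cookies): the following is an added example, not code from the post, from Microsoft or from ha.ckers.org. It is a small Node.js audit, run over constructed sample Set-Cookie headers, that reports session-looking cookies lacking the HttpOnly flag (readable by script) or the Secure flag, and shows a hardened Set-Cookie header; the cookie-name heuristic is an assumption to be adjusted per application.

```javascript
// Added example (not from the post or from Microsoft/ha.ckers.org): a Node.js
// audit of Set-Cookie headers, as a defender would run against an application's
// responses to find session cookies that lack HttpOnly (readable by JavaScript,
// the problem the item above describes) or Secure (sent over plain HTTP).
// Assumed: the constructed sample headers below; nothing is fetched from a network.

// Parse one Set-Cookie header value into its name, value and attribute map.
// Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? '' : nameValue.slice(eq + 1);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attributes };
}

// Cookie names that usually carry a session or authentication token.
// Constructed heuristic (assumption); extend it for the application under review.
const SESSION_NAME_PATTERN = /(sess|auth|token|sid|login)/i;

// Return one finding per session-looking cookie that is readable from script
// (no HttpOnly) or may be sent over unencrypted HTTP (no Secure).
function auditSetCookieHeaders(headers) {
  const findings = [];
  for (const header of headers) {
    const cookie = parseSetCookie(header);
    if (!SESSION_NAME_PATTERN.test(cookie.name)) continue;
    const problems = [];
    if (!cookie.attributes.httponly) problems.push('missing HttpOnly');
    if (!cookie.attributes.secure) problems.push('missing Secure');
    if (problems.length > 0) findings.push({ name: cookie.name, problems });
  }
  return findings;
}

// Build a hardened Set-Cookie header for a session cookie: script cannot read
// it (HttpOnly) and the browser only sends it over HTTPS (Secure).
function buildSessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure`;
}

// Constructed sample response headers (not captured from any real site).
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; HttpOnly; Secure', // hardened, no finding
  'authtoken=deadbeef; Path=/',                  // readable by script, plain HTTP
  'theme=dark; Path=/',                          // not a session cookie, ignored
  'sid=xyz; Path=/; Secure',                     // still readable by script
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditSetCookieHeaders(SAMPLE_HEADERS));
  console.log(buildSessionCookie('sessionid', 'abc 123'));
}
```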

100
Living Room / Tech News Weekly: Edition 45
« on: November 06, 2008, 06:05 PM »
The Weekly Tech News
Hi all.
As most of you who frequent the IRC channel will know, this week has been my first as the Junior IT Administrator at Amnesia Razorfish. The reason I mention this is that from next week onward I will no longer be able to post the news at the usual time. It will likely be posted a day or two later than usual (though no less regularly). Hopefully I will be able to determine a set time within the next fortnight.
Also, thanks to Mouse Man and Darwin for their kind words about the weekly tech news in this month's newsletter.
As usual, you can find last week's news here.


1. Microsoft and Google to Offer OpenID
Spoiler
http://dev.live.com/blogs/devlive/archive/2008/10/27/421.aspx
http://google-code-updates.blogspot.com/2008/10/google-moves-towards-single-sign-on.html
Google and Microsoft plan to offer OpenID services from their current sign-on mechanisms.

Currently users are required to create individual passwords for many websites they visit, but users would prefer to avoid this step so they could visit websites more easily. Similarly, many websites on the Internet have asked for a way to enable users to log into their sites without forcing them to create another password. If users could log into sites without needing another password, it would allow websites to provide a more personalized experience to their users.


2. Programming Tools for Cracking Mifare Published
Spoiler
http://www.heise-online.co.uk/security/Programming-tools-for-cracking-Mifare-published--/news/111807
Practical tools for cracking the Mifare RFID chip have been released onto the internet.

A hacker using the pseudonym Bla has published an open source tool called Crapto1 for cracking the encryption of the Mifare Classic RFID chip, as used in the Oyster Card. Besides an implementation in C of the vulnerable Crypto1 algorithm, the archive also contains the C source code for an attack that has been described in a paper by Dutch security researchers at Radboud University.

Using the tool it is said to be possible to calculate the access code of a Mifare Classic card within around two seconds. All an attacker requires is a live recording of an encrypted radio communication between the card and a legitimate reader, as well as a little programming knowledge. The access code then allows him not only to decode the encrypted data, but also to manipulate the card's content virtually without limit and to clone it to obtain services fraudulently.


3. Adobe Acrobat 8 Critically Vulnerable
Spoiler
http://www.net-security.org/secworld.php?id=6715
Acrobat 8 has a vulnerability allowing a maliciously crafted PDF file to gain unauthorized access to the systems it's running on and assume the rights of the user running it via javascript.

Core Security Technologies issued an advisory disclosing a vulnerability that could affect millions of individuals and businesses using Adobe’s Reader PDF file viewing software. Engineers from CoreLabs determined that Adobe Reader could be exploited to gain access to vulnerable systems via the use of a specially crafted PDF file with malicious JavaScript content. Upon making the discovery, CoreLabs immediately alerted Adobe to the vulnerability and the two companies have since coordinated efforts to ensure that a patch could be created and made available to protect users of the program.


4. AT&T Imposes Monthly Bandwidth Caps
Spoiler
http://www.datastronghold.com/index.php/tech-news/1480-atat-imposes-monthly-bandwidth-caps
AT&T is trialing new monthly bandwidth caps in certain areas with the monthly limit based on the speed of a user's connection (read: based on the amount of money they're paying).

Bad news off the wire for AT&T broadband customers, as AT&T has announced the fact that they are now imposing bandwidth limits in certain test areas. Currently this market trial was started November 1 in Reno and users will get between 20 GB and 150 GB a month depending on their speed tier. Unlike the bandwidth limitations that were imposed by companies like Time Warner and Comcast, which were only applied to new users, this bandwidth cap will be applied to all users including current ones.

It seems like the long feared bandwidth caps are going to be the norm and no longer the exception to the rule when it comes to Broadband providers and home users. My personal opinion is that bandwidth caps are not an attempt for broadband companies to provide greater service to their customers, it is an attempt for them to start charging either broadband content providers or customers for accessing broadband content. The cable companies have seen the writing on the wall and they know that the future is TV and video being sent over Internet lines to customers' houses and they want a piece of the pie.


5. Virtual Heist Nets 500,000+ Bank, Credit Accounts
Spoiler
http://voices.washingtonpost.com/securityfix/2008/10/virtual_bank_heist_nets_500000.html
http://www.theregister.co.uk/2008/10/31/sinowal_trojan_heist/
RSA's FraudAction Research Lab has uncovered a massive cache of stolen banking details accrued since 2006 via the Sinowal/Torpig/Mebroot trojan.

A single cyber crime group has stolen more than a half million bank, credit and debit card accounts over the past two-and-a-half years using one of the most advanced strains of computer spyware in existence, according to research to be published today. The discovery is among the largest stolen data caches ever recovered.

Researchers at RSA's FraudAction Research Lab unearthed the massive trove of purloined data while tracking the activities of a family of spyware known as the "Sinowal" Trojan, designed to steal data from Microsoft Windows PCs.


6. Man Gets 21 Months for Recording Movies in Theatre With Camcorder
Spoiler
http://www.piracyisacrime.org/In-The-Courtroom/man-gets-21-years-for-recording-movies-in-theatre-with-camcorder.html
A man has been found guilty of filming up to 100 movies in movie theatres in Washington DC and sentenced to 21 months in prison. He was caught via the use of "A Covert Anti-Camcording System" installed by the MPAA.

Michael Logan, 31, of Maryland was sentenced today in federal court in the District of Columbia for filming with a camcorder in theatres, "28 Weeks Later", “Enchanted” and maybe up to 100 more movies over the last few years according to the MPAA.

Prosecutors wrote that Logan's voice could be heard on a pirated version of the film "28 Weeks Later," which MPAA investigators purchased on the streets of New York on May 11 and May 15 of last year. Investigators believe that Logan recorded that film May 11 at the Regal Cinemas, prosecutors wrote.


7. Google Abandons Deal With Yahoo
Spoiler
http://news.bbc.co.uk/2/hi/business/7711429.stm
Google has abandoned their advertising deal with Yahoo to avoid the legal ramifications.

The deal involved Google providing some of the advertising around Yahoo's search results and would have been worth $800m (£494m) a year to Yahoo.

It was originally announced in June but has faced anti-trust objections.

Yahoo said in a statement it was disappointed that Google had decided not to fight for the deal in court.


8. Yahoo Tells Microsoft: 'Buy Us'
Spoiler
http://news.bbc.co.uk/2/hi/technology/7712298.stm
Yahoo's CEO Jerry Yang has commented that Microsoft would still benefit from acquiring the company. His comments come on the tail of Google pulling out of the ad deal with them.

The internet portal's co-founder and CEO Jerry Yang made the comment despite the fact Yahoo rejected a $33 (£21) a share offer from Microsoft back in May.

Mr Yang's suggestion also came hours after Google pulled out of an internet advertising partnership with Yahoo.

"To this day the best thing for Microsoft to do is buy Yahoo," said Mr Yang.


9. French Pirates Face Net Cut-off
Spoiler
http://news.bbc.co.uk/2/hi/technology/7706014.stm
Anyone caught sharing pirated digital media in France will receive warnings before having their internet connection terminated under new legislation.

The French Senate voted overwhelmingly in favour of the law, which aims to tackle ongoing piracy of music, movies, and games online.

Those caught illegally sharing digital media will get warnings e-mailed and posted to them before having their net connection terminated.


10. Fire Fear Sparks Battery Recall
Spoiler
http://news.bbc.co.uk/2/hi/business/7701348.stm
Discussion by app103: https://www.donationcoder.com/forum/index.php?topic=15546
Devices containing batteries manufactured by Sony over a period of almost a year will be recalled by the likes of HP, Toshiba and DELL due to overheating fears.

Sony said the recall came after 40 instances of overheating, including four cases where users had minor burns.

The recall affects around 74,000 HP laptops, 14,400 from Toshiba, and small numbers from Dell, Acer and Lenovo.

Sony said the affected batteries were caused by a production line problem between October 2004 and June 2005.


11. British Tax Website Shut Down After Data Breach
Spoiler
http://www.dailymail.co.uk/news/article-1082402/Tax-website-shut-memory-stick-secret-personal-data-12million-pub-car-park.html
http://news.cnet.com/8301-1009_3-10081737-83.html
A memory stick found in a pub car park containing the tax details of 12 million people has forced the British government to shut down a taxation-related website.

Ministers have been forced to order an emergency shutdown of a key Government computer system to protect millions of people's private details.

The action was taken after a memory stick was found in a pub car park containing confidential passcodes to the online Government Gateway system, which covers everything from tax returns to parking tickets.

An urgent investigation is now under way into how the stick, belonging to the company which runs the flagship system, came to be lost.


12. WPA Wi-Fi Encryption is Cracked
Spoiler
http://www.itworld.com/security/57285/once-thought-safe-wpa-wi-fi-encryption-cracked
http://news.cnet.com/8301-10789_3-10083861-57.html
WPA has taken a huge security hit as attackers use a protocol weakness and a mathematical breakthrough to break TKIP keys in order to read and/or forge data being sent from an access point to a client machine.

Security researchers say they've developed a way to partially crack the Wi-Fi Protected Access (WPA) encryption standard used to protect data on many wireless networks.

The attack, described as the first practical attack on WPA, will be discussed at the PacSec conference in Tokyo next week. There, researcher Erik Tews will show how he was able to crack WPA encryption, in order to read data being sent from a router to a laptop computer. The attack could also be used to send bogus information to a client connected to the router.


13. Porn Breath Tests for PCs Heralds 'stop and Scan'
Spoiler
http://www.theregister.co.uk/2008/11/05/smut_tests_for_pcs/
New software developed by an Australian University will allow officials to quickly identify illicit images on PCs.

Technology that claims to pick up traces of illicit images on PCs has attracted the interest of Australian cops. The software, developed in an Australian University, might eventually be used to screen PCs for pr0n during border inspections.

Compared to breath test tools used by the police in a different context, the software - developed at Perth's Edith Cowan University in association with local police from Western Australia - is undergoing beta testing.


14. Hackers Jailbreak T-Mobile's Googlephone
Spoiler
http://www.theregister.co.uk/2008/11/05/google_android_jailbreak/
The Googlephone has already been broken by a hacker who determined you can acquire root privileges in Android by telnetting to the device.

Hackers have managed to jailbreak T-Mobile's new G1 phone by exploiting a gaping loophole in Android, the open source operating system supplied by Google.

The hack, which was posted to this XDA-Developers forum, is a straight-forward process that allows Linux geeks to gain root access in about one minute. It involves using the widely available PTerminal application to telnet to the device's IP address. Presto, you now have root.


15. Fake Site Punts Trojanised WordPress
Spoiler
http://www.theregister.co.uk/2008/11/06/trojanised_wordpress/
Wordpress hackers are at it again with a website offering an upgrade to the software which includes a Trojan. The website has spread via a vulnerability in older Wordpress versions which allows an attacker to redirect visitors to another website.

Fraudsters have set up a fake site featuring a backdoored version of the WordPress blogging application as part of a sophisticated malware-based attack.

The fake Wordpresz.org site offered up what purports to be version 2.6.4 of the open source blogging tool. In reality all but one of the files are identical to the latest pukka (2.6.3) version of WordPress.


16. National ID Cards Compulsory for U.K. Airport Staff
Spoiler
http://news.cnet.com/8301-1009_3-10083732-83.html
Airport staff in the U.K. will be required to carry one of the new National Identity cards at two airports trialing the new system.

A pilot program of the U.K.'s national identity card plan will be compulsory at one of the two participating airports.

Workers will be required to enroll in the program at London city airport, the Home Office said Thursday. The move comes despite repeated assurances from the Home Office that U.K. citizens will not be compelled to have an ID card or enter their biometric details onto the National Identity Register.

Also on Thursday, the government said that retailers, post offices, and banks can apply to become biometrics enrollment sites for the cards.


17. Remote Buffer Overflow Bug Bites Linux Kernel
Spoiler
http://blogs.zdnet.com/security/?p=2121
A buffer overflow vulnerability in a common Linux Kernel wireless driver could permit an attacker to remotely execute code with Kernel privileges, or cause a denial of service condition.

A remote buffer overflow vulnerability in the Linux Kernel could be exploited by attackers to execute code or cripple affected systems, according to a Gentoo bug report that just became public.

The flaw could allow malicious hackers to launch arbitrary code with kernel-level privileges.  This could lead to complete system compromise or, in some cases if an exploit fails, result in denial-of-service attacks.


18. EndNote Reverse-engineering Case Looks Headed to Courtroom
Spoiler
http://arstechnica.com/news.ars/post/20081104-endnote-reverse-engineering-case-looks-headed-to-courtroom.html
EndNote has accused the open source Firefox extension Zotero of illegally reverse engineering their proprietary .ens file format.

As anyone who works in academia knows, writing and publishing papers involves frequently citing the existing literature. When you're working on a paper with 30 or more references, keeping track of them all can be a downright pain, which is where reference-managing software like Thomson Reuters' EndNote comes in. EndNote is the market leader in this field, but recently it has been facing competition from the open source Zotero, which is a Firefox plugin that lets you manage your bibliographic library and insert references into papers. Right now though, EndNote and Zotero are locked in a legal battle over claims by Thomson Reuters that the developers of Zotero have illegally reverse-engineered aspects of EndNote.


19. FCC White Spaces Decision Kicks Off the Next Wireless Revolution
Spoiler
http://blog.wired.com/gadgets/2008/11/fccs-decision-t.html
The FCC will permit transmissions over unused "white space" spectrum which will allow cheaper wireless.

The Federal Communications Commission's decision to open up the 'white spaces' spectrum to unlicensed devices could usher in a new telecom revolution, say analysts.

Like WiFi, the availability of free, unregulated spectrum could create new technologies and new markets, bringing superfast wireless connectivity to the masses. Unlike WiFi, it could also put pressure on wireless carriers.

"All the PR spin and FUD (fear, uncertainty and doubt) failed in the face of physics and the ground reality of engineering," says Sascha Meinrath, research director of the wireless future program at the New America Foundation, a non-partisan public policy think-tank.


20. Firefox Hits 20% Browser Share Worldwide (yay!)
Spoiler
http://www.webmonkey.com/blog/Firefox_Hits_20PERC_Browser_Share_Worldwide
Adoption of Mozilla's Firefox browser has hit 20% across the globe.

Mozilla is reporting that Firefox topped 20% of the worldwide market share for web browsers for the first time ever in October, 2008. Firefox broke the 20% mark twice last month, once during the week of October 5, and once again during the week of October 26. During the other two weeks, its share was around 19.8%, putting the average for the month just below the 20% mark at 19.9%.


Ehtyar.
