Tech News Weekly: Edition 36-09

[Ehtyar]

The Weekly Tech News

Hi all. Sorry for the lateness, was on a snow trip with work. Also, tech news has sucked pretty hard lately...sorry about that, I hope it picks up soon As usual, you can find last week's news here.

1. Firefox to Warn Users of Insecure Adobe Flash

Spoiler

http://www.theregister.co.uk/2009/09/04/firefox_adobe_security_warning/
Starting with the next Firefox update, the browser will warn users when they're using an outdated version of Adobe Flas, since apparently Adobe can't manage that...

Upcoming versions of Mozilla's Firefox browser will automatically warn users running versions of Adobe's Flash Media Player that contain known security bugs, according to a published report.

The check will be invoked each time the popular open-source browser is updated, according to the report which was published Thursday by The H. Users who have out-of-date versions of the Adobe application will be notified in the "What's New" browser page that automatically opens each time an update is installed.

2. Microsoft Overturns Word Sale Ban

Spoiler

http://news.bbc.co.uk/2/hi/technology/8237497.stm
As anyone may have guessed, Microsoft have managed to keep MS Word on the shelves after a court ruled last week that Microsoft must stop selling copies of the program in Texas.

The block was imposed by a Texan court following a ruling that its use of formatting language XML in Word 2003 and 2005 infringed patents.

Under the ruling Microsoft was ordered to pay Canadian patent owner i4i $290m (£177m) damages and also told to stop sales of the relevant versions of Word.

The ban on sales was due to come in to force in mid-October.

3. $32M Louis Vuitton Judgment Shows Limits of ISP Safe Harbors

Spoiler

http://arstechnica.com/tech-policy/news/2009/09/32m-louis-vuitton-judgment-shows-limits-of-isp-safe-harbors.ars
A US ISP has copped a $32 million damages bill from Louis Vuitton for knowingly hosting a site pedaling fake Vuitton merchandise.

The best feature of the much-maligned Digital Millennium Copyright Act (DMCA) is its "safe harbor" for Internet service providers, who can't be held liable for what customers do using their networks. Mostly. There are limits, and Louis Vuitton found them this week in a federal court. The luxury goods maker won $32 million from two ISPs and the man who ran them after proving to a jury that the ISPs had full knowledge that they hosted mainly websites for counterfeit goods—and refused to take action.

The two ISPs are Akanoc and Managed Solutions Group, both run out of Fremont, California by one Steven Chen. According to Louis Vuitton's July 2008 complaint, Chen's companies "were formed for and exist primarily to facilitate the promotion and advertisement of offers for counterfeit and infringing merchandise." The ISPs hosted a huge array of sites offering fake Vuitton purses, wallets, and bags—sites like Luxury2us.com, Louis-vuitton-bags.org and HandBagSell.com.

4. Diebold Impeaches E-voting Unit, Sells It Off for $5 Million

Spoiler

http://arstechnica.com/tech-policy/news/2009/09/diebold-elects-to-get-out-of-the-voting-machine-business.ars
Diebold, makers of the infamous E-Voting machines found across the United States have sold their entire voting machine division Election Systems & Software.

Diebold announced on Thursday that it has sold its voting machine division to Election Systems & Software (ES&S), a former competitor. Diebold's unceremonious departure from the electronic voting machine business will be welcomed by critics of the company's controversial direct-recording electronic voting products.

Diebold, which is primarily an ATM maker, decided to unload its voting machine subsidiary—Premier Election Solutions—for roughly $5 million and change. As a consequence of the deal, the company expects to report a loss of over $45 million. According to a statement issued by Diebold, the company has been looking for a way out of the voting machine racket ("pursuing strategic alternatives to ownership") since 2006 when it realized that the whole endeavor was intractably dysfunctional ("identified its US elections systems business as non-core to its operations").

5. New IIS Attacks (greatly) Expand Number of Vulnerable Servers

Spoiler

http://www.theregister.co.uk/2009/09/04/microsoft_iis_attacks_go_wild/
Microsoft IIS installations have come under attack this week after a new vulnerability was revealed which could allow an attacker with write privileges to an FTP server to execute code on the remote server, and can crash servers that don't permit write operations.

Attackers have begun actively targeting an unpatched hole in Microsoft's Internet Information Services webserver using new exploit code that greatly expands the number of systems that are vulnerable to the bug.

In an updated advisory published Friday, Microsoft researchers said they are seeing "limited attacks" exploiting the vulnerability, which resides in a file transfer protocol component of IIS. Exploit code publicly released in the past 24 hours is now able to cause vulnerable servers to crash even when users don't have the ability to create their own directories.

6. Month of Facebook Flaws Gets Underway

Spoiler

http://www.theregister.co.uk/2009/09/04/month_facebook_flaws/
STOP USING FACEBOOK APPS!! *ahem* Due to the high level of insecurity in many Facebook apps, 'theharmonyguy' will be revealing one new Facebook app vulnerability each day this month in order to generate awareness.

A security researcher has vowed to reveal technical details of a series of cross-site scripting vulnerabilities involving Facebook applications during September.

theharmonyguy plans to give developers 24 hours' advance notice about flaws involving their web applications before exposing them publicly. The project takes its cue from July's Month of Twitter Bug project, during which security researcher Aviv Raff applied a similar idea to the disclosure of security flaws involving Twitter and associated services.

7. Wiretapping Skype Calls: Virus Eavesdrops On VoIP (Thanks 40hz)

Spoiler

http://www.modbee.com/business/story/839467.html
I find this less than impressive, but it has generated a lot of press this past week. Apparently, Skype users were laboring under the delusion that Skype's heavy use of encryption made it impervious to bugging. They all got a rude wakeup call when Ruben Unteregger, a Swiss programmer, released the source code for a "virus" which bypasses Skype's encryption by hooking the Windows audio subsystem and directly recording the audio stream to MP3.

Some computer viruses have a crude but scary ability to spy on people by logging every keystroke they type. Now hackers and potentially law enforcement have another weapon: a virus that can eavesdrop on voice conversations that go over computers instead of a regular phone line.

The capability has been shown in a new "Trojan horse" virus that records Voice over Internet Protocol (VoIP) calls through the popular Skype service. Skype calls are free or low cost and can work between two computers or between one computer and a phone.

8. Big Fish, Little Fish, Cardboard Box

Spoiler

http://www.youtube.com/watch?v=Zdasg6oQV0g
And just to make sure this week's news *really* sucks, here's Bob the Builder teaching us how to dance!!

Ehtyar.

[tomos]

as a low-tech user I'm happy about #1 -
I know I occasionally get notice to upgrade but I never keep track - well, every now & again I go to Secunia's site and get them to check.
Java then leaves the older versions (JavaRa is a godsend to tidy up), cant remember does adobe do the same with flash..


hmm hmmmph hmmmm . . . big fish LITTLE fish . .    

[f0dder]

#1 is a very good idea - they should add it for JVM as well.

#4 - perhaps the .us can finally get secure voting machines?

[Ehtyar]

I'm very pleased that Mozilla has taken up the mantle of keeping Flash up-to-date, as Adobe apparently can't manage that themselves, despite Flash being one of most vulnerable and widely deployed pieces of software on the planet. +1 for JVM support.

Ehtyar.

[jgpaiva]

I hope that flash warning won't work under linux.. Ubuntu systematically keeps outdated packages, but updates them automatically. I wouldn't like firefox to warn me I have flash outdated when I don't have any new version in the repository.

Still, for windows, I think it's a good improvement - that will probably cause a headache for those users who don't know how to update stuff. My father and mother are constantly annoyed by java and hp stuff when they turn their computer on.

[Ehtyar]

With any luck, this kind of behavior will be enough to drive those unwilling to learn how to update their machines to do just that. Those are the kind of people most at risk from a vulnerability in an outdated version of flash...

Ehtyar.

[jgpaiva]

Ehtyar: In my opinion, this shouldn't be the solution.
I continue to think that an update manager integrated in windows would make sooo much more sense.
I know I love it in linux, it's keeping me from using windows anymore, and I've always been a windows fan.

[f0dder]

jgpaiva: it would be nice, but kinda infeasible I'm afraid.

[Eóin]

Perhaps if developers could add their owns applications to the Microsoft Update infrastructure already there? But then who would take on the burden of managing it, especially from the point of security.

[jgpaiva]

f0dder: not unfeasible for this large corporations, I think..
The same way some publishers have signed code, microsoft could also provide an update and install service.
If the ease-fullness of install of applications was as good as in linux, it would be a major selling point for these big corporations.

[f0dder]

jgpaiva: I think it's pretty impossible. Who'd keep the service up to date? Eóin already mentioned security. The Windows ecosystem is vastly bigger than the opensource one, good luck getting everybody to join the program. Then there's the issue of how the updates are done, and where they're stored (3rd party servers? Super good idea for security (not!), central at MS servers? Wow, major capacity required, etc). Everybody would have to move to a unified installer type (yeah, that's so going to happen), et cetera

[Edvard]

#6: Finally a REALLY good excuse to END my facebook account.


#8: Oscar. Metro. Golf.
At first I was like
And then I was like

[Ehtyar]

Ehtyar: In my opinion, this shouldn't be the solution.
I continue to think that an update manager integrated in windows would make sooo much more sense.
I know I love it in linux, it's keeping me from using windows anymore, and I've always been a windows fan.

-jgpaiva (September 09, 2009, 08:33 AM)

So why aren't your poarent using Linux? I presume because Linux package management is not quite as a simple and easy to use as it sounds...

Perhaps if developers could add their owns applications to the Microsoft Update infrastructure already there? But then who would take on the burden of managing it, especially from the point of security.

-Eóin (September 09, 2009, 09:04 AM)

Precisely...

#8: Oscar. Metro. Golf.
At first I was like
And then I was like

-Edvard (September 09, 2009, 12:13 PM)

@ your post, first I was like WTF?, then I was like

Ehtyar.

[f0dder]

#6: Finally a REALLY good excuse to END my facebook account.

-Edvard (September 09, 2009, 12:13 PM)

Just set reasonable privacy settings, limit the information you share, and don't install crap apps? Problem solved

[Edvard]

#6: Finally a REALLY good excuse to END my facebook account.

-Edvard (September 09, 2009, 12:13 PM)

Just set reasonable privacy settings, limit the information you share, and don't install crap apps? Problem solved

-f0dder (September 09, 2009, 05:45 PM)

Trust me. I'm VERY conservative with my privacy settings, don't even have a picture of myself as my profile photo and I don't use ANY apps.
I'm talking about old friends from high school I added who have more time on their hands than I do as well as polar-opposite political views and social habits constantly posting crap, spamming up my profile view.  
Why is it folks I actually WANT to hear from never post?