Tech News Weekly: Edition 46-09

[Ehtyar]

The Weekly Tech News

Hi all. Enjoy As usual, you can find last week's news here.

1. Truly Malicious IPhone Malware Now Out in the Wild

Spoiler

http://arstechnica.com/apple/news/2009/11/truly-malicious-iphone-malware-now-out-in-the-wild.ars
No doubt the first of many. Earlier this last week an Iphone "virus" was tracked in Australia, targeting jailbroken iPhones with ssh enabled using the default root password. It would change the background to a picture of Rick Astley, then shut down sshd to prevent reinfection. Someone apparently cottoned on, and has launched a variant that sends private data (contacts, emails, SMSs etc) back to the machine running the control app.

If you didn't heed previous warnings to secure your jailbroken iPhone, you may be in for some serious trouble. Computer security firm Intego has identified the first known truly malicious code which targets jailbroken iPhones with default root passwords.

The latest in a string of recent attacks, iPhone/Privacy.A uses a technique similar to previous hacks. The malware scans for phones on a given network with an open SSH port, then attempts to log in using the default root password that is the same on all iPhones. Unlike the previous versions, which merely replaced the wallpaper image to alert users that they have been cracked, the new version silently copies personal data—"e-mail, contacts, SMSs, calendars, photos, music files, videos, as well as any data recorded by any iPhone app." It then sends the data back to the machine running the software.

2. SPDY: Google Wants to Speed Up the Web by Ditching HTTP

Spoiler

http://arstechnica.com/web/news/2009/11/spdy-google-wants-to-speed-up-the-web-by-ditching-http.ars
Some really interesting stuff here from Google. In their never-ending quest for improved web performance and security (so that they, and only they, can harvest your dataz), Google has concocted a replacement for HTTP over TCP called SPDY (read: speedy) which will be built into a future version of Chrome and hopefully other browsers.

On the Chromium blog, Mike Belshe and Roberto Peon write about an early-stage research project called SPDY ("speedy"). Unhappy with the performance of the venerable hypertext transfer protocol (HTTP), researchers at Google think they can do better.

The main problem with HTTP is that today, it's used in a way that it wasn't designed to be used. HTTP is very efficient at transferring an individual file. But it wasn't designed to transfer a large number of small files efficiently, and this is exactly what the protocol is called upon to do with today's websites. Pages with 60 or more images, CSS files, and external JavaScript are not unusual for high-profile Web destinations. Loading all those individual files mostly takes time because of all the overhead of separately requesting them and waiting for the TCP sessions HTTP runs over to probe the network capacity and ramp up their transmission speed. Browsers can either send requests to the same server over one session, in which case small files can get stuck behind big ones, or set up parallel HTTP/TCP sessions where each must ramp up from minimum speed individually. With all the extra features and cookies, an HTTP request is often almost a kilobyte in size, and takes precious dozens of milliseconds to transmit.

3. Intel and AMD Bury the Hatchet Under $1.25 Billion in Cash

Spoiler

http://arstechnica.com/business/news/2009/11/intel-and-amd-bury-the-hatchet-under-125-billion-in-cash.ars
Intel and AMD have called it quits on all legal battlefronts, with Intel paying AMD $1.5 billion in cash and agreeing to change unspecified business practices.

Intel and AMD are fierce competitors in the world of chipmaking, but in recent years they've taken the fight to the courtroom. AMD has sued Intel for antitrust violations (allegations that have been picked up by a number of governments), while Intel fired back by claiming that AMD had violated a licensing agreement for x86 technology. This morning, however, the two companies made a surprise announcement: they've reached an agreement that settles all legal issues between them.

The statement is short on information; both companies will flesh out the details during press/analyst calls later this morning. However, it does have a few eye-popping details, first and foremost among them a cash payment: Intel will be handing $1.25 billion over to AMD. The agreement also includes limits on Intel's business practices; these aren't specified in the statement, but undoubtedly limit the rebates and bulk buying agreements that Intel has used in the past to keep OEMs from jumping ship to AMD.

4. Wikipedia Sued for Publishing Convicted Murderer's Name

Spoiler

http://www.theregister.co.uk/2009/11/12/wikipedia_sued_by_convicted_murderer/
A German man is suing Wikipedia in an attempt to have them remove his name from every article pertaining to his murder of a man in 1999. According to German law, he should no longer be associated with the crime 10 years after it was committed. The question is, does this right apply to the entire Internet? The German wikipedia is already in full compliance with the law.

A man who served 15 years for the gruesome murder of a famous German actor is taking legal action against Wikipedia for reporting the conviction.

Attorneys took the action on behalf of Wolfgang Werlé, one of two men to receive a life sentence for the 1990 murder of Walter Sedlmayr. In a letter sent late last month to Wikipedia officials, they didn't dispute their client was found guilty, but they nonetheless demanded Wikipedia's English language biography of the Bavarian star suppress the convicted murder's name because he is considered a private individual under German law.

5. Attackers Conceal Exploit Sites With Twitter API

Spoiler

http://www.theregister.co.uk/2009/11/12/attackers_use_twitter_command/
I loves me a unique virus design!! Malicious scripts being used to cause drive-by downloads on infected websites are generating their destination domain names from the second character of each of the top-30 trending twitter topics. This ensures that the resulting domains cannot be calculated in advance, making it very difficult to lock out the necessary domains, as was the approach with the well known Conficker virus.

Drive-by exploit writers have been spotted using a popular Twitter command to send web surfers to malicious sites, a technique that helps conceal the devious deed.

The microblogging site makes application programming interfaces (APIs) such as this one available so legitimate websites can easily plug into the top topics being tweeted. As the concerns and opinions of Twitter users change over time, so too will the so-called top 30 trending topics.

6. Microsoft Defends Hotmail's Cookie Requirement

Spoiler

http://www.theregister.co.uk/2009/11/13/hotmail_cookies/
Whoops. Microsoft is now requring Hotmail users to accept 3rd-party cookies in order to log out of their accounts. They're claiming it "improves security", though how that is the case is anyone's guess.

Microsoft has said its new policy of requiring users to accept third party cookies to log out of Hotmail improves security.

Some readers who contacted El Reg said it raises the risk that accounts will be compromised on public machines, while others who do not allow third party cookies simply found the error message when they tried to log out irritating.

7. MS Forensics Tool Leaks Onto the Web

Spoiler

http://www.theregister.co.uk/2009/11/10/ms_forensics_tool_leak/
Another whoops. Microsoft's "Computer Online Forensic Evidence Extractor" has leaked onto the Internet via BitTorrent, letting anyone see the innards of a controversial tool designed to automagically extract evidence from computers seized by police.

Microsoft's point-and-click "computer forensics for cops" tool has leaked onto the web.

COFEE (Computer Online Forensic Evidence Extractor) is designed to allow law enforcement officers to collect digital evidence from a suspect's PC without requiring any particular expertise. Using the technology - which recovers a list of processes running on an active computer at the scene of an investigation - involves inserting a specially adapted USB stick into a computer.

Grabbing data from a PC without interfering with the machine is no substitute for a detailed examination by experts where something amiss is discovered, but still attractive to the computer crime authorities. It allows police to search a computer's internet history, analyse systems and data stored and even decrypt passwords, without having to transport the machine to a lab. It does this in a fraction of the time the process would normally require.

8. Using Photosynthesis to Power Hydrogen Production

Spoiler

http://arstechnica.com/science/news/2009/11/photosynthesis-proves-to-be-a-powerful-source-for-hydrogen.ars
This is just too cool!! Why are there no hydrogen cards available to the public!!!

The processes we use to obtain fuel, from pumping fossil fuels up from beneath the ocean to harvesting crops to turn into ethanol, create many environmental and practical concerns. These types of fuel work fine with the current generation of cars, but hydrogen has sometimes been touted as the fuel of the future. A publication in Nature Nanotechnology describes how researchers have found a way to use the photosynthetic machinery of a bacteria to produce the hydrogen equivalent of up to 79 gallons of gas per-acre, per-day. Their technique involved capturing the electrons produced during photosynthesis and binding them to some strategically placed protons.

The production of fuel has accelerated lately, from waiting millions of years for fossil fuels to waiting a few days or weeks for biomass-derived fuels such as ethanol. However, biomass fuels still present some difficulties: the fuel produced relative to the land area required is pretty small (the equivalent of a little more than a gallon of gas per acre), the conversion to ethanol requires a distilling period, and all the materials for making the fuel must be harvested, handled, and transported, all of which requires a significant energy expenditure.

9. Christopher Walken Performs Lady Gaga's Poker Face

Spoiler

http://www.youtube.com/watch?v=A2guQYivZ6w
You just gotta love Christopher Walken. Be sure to check out the awesome mashup with the real song here.

Ehtyar.

[40hz]

#7 - Nice to see Microsoft has developed their very own backdoor exploit for Windows.

I know I'll sleep better at night knowing such a thing exists. Especially since it will only be made available to duly authorized members of the law enforcement community - whom experience has shown we can completely trust to never abuse such technologies.

I'm sure the Chinese government will be among the first in line to buy an unlimited institutional license for this puppy.

Hoo-wah Microsoft!!!  Way to go!

[gexecuter]

love the Walken-GaGa mashup   thanks a lot

[tomos]

"You just gotta love Christopher Walken."
yes yes that was a great mashup too

I remember seeing Christopher Walken on Johnathon Ross years ago (same show) reading some fairytale (cant remember which). I just remember him being so totally deadpan but at the same time giving it such character - he's just great!

[4wd]

2. Given Google's penchant for catching everything, (data-wise), I think the more appropriate interpretation of SPDY should be SPiDeY Web.

[Ehtyar]

Hahaha, Rafe Needleman from CNET is calling it that. He mentioned it a few episodes ago on BOL, but I think that may have been just because he thought it sounded better.

Still, I don't quite see how this will help Google harvest our infoz (except for the sheeple that will adopt Chrome just to use it). Provided the other browsers catch on early enough (how long will it before someone decides the SSL requirement isn't necessary?), this should be a good thing IMHO.

Ehtyar.

[f0dder]

#7 - Nice to see Microsoft has developed their very own backdoor exploit for Windows.

I know I'll sleep better at night knowing such a thing exists. Especially since it will only be made available to duly authorized members of the law enforcement community - whom experience has shown we can completely trust to never abuse such technologies.

-40hz (November 15, 2009, 03:52 PM)

From what I heard from people who took a look at this, it's mostly a collection of SysInternals tools and a frontend - big f'ing deal. Haven't bothered to look at it myself though (considering that I don't exactly have legitimate access to it), so it could be worse.

#5 is nice - thumbs up to anything giving twitter a bad name

[Ehtyar]

#7 - Nice to see Microsoft has developed their very own backdoor exploit for Windows.

I know I'll sleep better at night knowing such a thing exists. Especially since it will only be made available to duly authorized members of the law enforcement community - whom experience has shown we can completely trust to never abuse such technologies.

-40hz (November 15, 2009, 03:52 PM)

From what I heard from people who took a look at this, it's mostly a collection of SysInternals tools and a frontend - big f'ing deal. Haven't bothered to look at it myself though (considering that I don't exactly have legitimate access to it), so it could be worse.

-f0dder (November 16, 2009, 05:20 PM)

Sorry Hertz Man, I must have missed your post. F0d Man is indeed correct, it is basically a collection of freely available tools with a front-end so that some cop who can barely operate a computer can collect "forensic" evidence in the field and cart it back to someone who knows what the f they're doing. Really very disappointing

#5 is nice - thumbs up to anything giving twitter a bad name

-f0dder (November 16, 2009, 05:20 PM)

I don't know that I'd go that far, but definitely a thumbs-up to anything that highlights Twitter's security holes.

Ehtyar.

[40hz]

F0d Man is indeed correct, it is basically a collection of freely available tools with a front-end so that some cop who can barely operate a computer can collect "forensic" evidence in the field and cart it back to someone who knows what the f they're doing. Really very disappointing

-Ehtyar (November 16, 2009, 05:48 PM)

Regardless of the level of sophistication present in the technology, it still speaks volumes about the mindset and motivations of the company behind it - and the overall attitude of society in general.

Tools, by their very existence, beg to be used. And the lack of knowledge on the part of the tool user poses its own set of problems. Hand a baby a hammer and everything "starts to look like a nail" as the saying goes.

Frankly, I'm amazed that the same people who get so vocal about DRM (and RIAA enforcement actions) have so few problems with something like this. Then again, maybe I shouldn't be.

I will agree on one point however, even if I do so for entirely different reasons: It really is very disappointing.

[Ehtyar]

Although I can understand what you're saying Hertz Man, I can't agree. Whether some total drongo cop has access to the information this tool can present, or only the NSA does, the simple fact is that this information can be gotten.

The fact that the information exists, and can be gotten is what bothers me, not how or by whom it can be retried.

Ehtyar.

[40hz]

Although I can understand what you're saying Hertz Man, I can't agree. Whether some total drongo cop has access to the information this tool can present, or only the NSA does, the simple fact is that this information can be gotten.

The fact that the information exists, and can be gotten is what bothers me, not how or by whom it can be retried.

Ehtyar.

-Ehtyar (November 16, 2009, 07:50 PM)

Hiya Dr. E!

  First up - apologies to all for me being in a snarly mood when I sarcastically referred to the MS forensic package as a "backdoor exploit." (We all know it's not.) Bad choice of words on my part even if I was making a lame-assed joke when I said it.

Onward...

I don't want to get into a huge debate here (let's start a separate thread if anybody feels that need) but I think you might have missed my point just a bit.

- It's not that the information exists or can be gotten.

- It's not about cops, or the NSA, or anybody else in the government.

- It's not about the fact that comparable tools are available form other sources.

It's all about Microsoft providing such tools.

Why this is an issue for me and not for you might have something to do with the differing ways our respective national governments operate.

In the USA, our government has discovered that it can get around its constitutional "checks and balances" by allowing (possibly encouraging) private entities* to perform actions and collect information the government is not allowed to legally collect on it's own.

I can't speak for how things work in Australia. But over here, there's a very real concern when a large company like Microsoft starts providing tools to get around its own security systems without first being required (by law) to do so. Nor is this concern based on simple paranoia or goofball conspiracy theories. The major US Telcos are still under fire for the illegal and warrant-less wiretaps they performed at the request of the federal government under its previous Administration. They were so concerned about the public outrage that they sought immunity from prosecution. And not because they believed they acted within the law. (They openly acknowledged that they knew they didn't.) They argued that because they were acting at the behest of the government - the government alone should be held solely responsible if any laws were broken. Hmmm...sounds a bit like the "Just following orders" defense doesn't it?

So while this story may seem like no big deal to someone outside the US; it remains a very big deal for many within its borders.

But hey! - maybe that's why this story made the tech news over here in the first place?  

------
* These run the gamut from banks, credit agencies, ISPs, insurance companies and the telcos; all the way over to the shadowy world of 'gray area' businesses like DynCorp, KBR/Haliburton, and Blackwater Worldwide.

[Ehtyar]

In the USA, our government has discovered that it can get around its constitutional "checks and balances" by allowing (possibly encouraging) private entities* to perform actions and collect information the government is not allowed to legally collect on it's own.

-40hz (November 16, 2009, 10:31 PM)

The moment I read that, I understood. Sorry for the confusion Hertz Man.

I usually read stories I come across involving the telco immunity mess in the states. Were I in your position, that would piss me off.

To be perfectly honest, I don't know what the legal implications are in this country of the government attempting to bypass security systems in software. The cynic in me says that given we're even more of a fascist state than the US, they can do whatever they damn-well please, but the realist in me tells me to check before I shoot my mouth off.

At this point, however, I'm not entirely sure where to check. Given that Australia has a populace that could largely be described more as sheeple than people (as justification for this comment, refer to the general apathy displayed regarding the Great Aussie Firewall), our laws are typically not scrutinized nearly as well as yours. If I manage to determine the status of this in the near future, I'll be sure to let you know.

Ehtyar.

[4wd]

To be perfectly honest, I don't know what the legal implications are in this country of the government attempting to bypass security systems in software.

-Ehtyar (November 16, 2009, 10:54 PM)

I would then be hopeful that they, (the government), are then able to be prosecuted under the same laws that prevent us, (the populace), from circumventing software security - the DMCA crap we got foisted with under the supposed FTA.

Under a fair and just legal system this should be the case.......but what country has one of those?

[f0dder]

40hz: I understand where you're coming from, and I do find it troublesome that MS is offering a "forensic tool" at all. But from what I've heard, it really isn't anything I can get my titties in a twist over. If they had used backdoors, undocumented APIs, special drivers, or even firewire DMA memory dumps the situation would have been different.

But basically a GUI frontend for already existing tools? Insert big ol' yawning smiley here

[40hz]

But from what I've heard, it really isn't anything I can get my titties in a twist over.

-f0dder (November 17, 2009, 08:39 AM)

@f0dder- Understood. But again, it's not the what. It's the who and the why that causes me corncern.

If they had used backdoors, undocumented APIs, special drivers, or even firewire DMA memory dumps the situation would have been different.

-f0dder (November 17, 2009, 08:39 AM)

And what's going to discourage them from eventually doing just that if their present action goes completely unchallenged?  How long do you think it will be before some aparatchik decides there should be a law requiring Microsoft to furnish such tools to The Authorities? Especially now that Microsoft has put the bug in all those clueless little political heads.

Spend some time in the US if you get a chance. It's not called The Land of Dreams for nothing. Over here, our dreams have a funny habit of turning into our realities. And recently, the same can also be said for some of our nightmares.

If I'm stifling a yawn these days, it's probably because I've occasionally lost sleep thinking about some of what's been going down around here.