Wednesday, December 31, 2003

An Unrepentant Spammer Considers the Risks:
"Alan Ralsky, according to experts in the field, has long been one of the most prolific senders of junk e-mail messages in the world. But he has not sent a single message over the Internet in the last few weeks.

He stopped sending e-mail offers for everything from debt repayment schemes to time-share vacations even before President Bush, on Dec. 16, signed the new Can Spam Act, a law meant to crack down on marketers like Mr. Ralsky.

He plans to resume in January, he said, after he overcomes some computer problems, and only after he changes his practices to include in his messages a return address and other information required by the law, the title of which stands for Controlling the Assault of Non-Solicited Pornography and Marketing. "

That is quite a switch for Mr. Ralsky, who has earned a reputation as a master of cyberdisguise. By his own admission, he once produced more than 70 million messages a day from domains registered with fake names, largely by way of foreign countries - or sometimes even by way of hijacked computers - so that the recipients could not trace the mail back to him.

Most experts in junk e-mail, known as spam, have dismissed the new federal law as largely ineffectual. And many high-volume e-mailers say the law may even improve the situation for them because it wipes away a handful of tougher state laws.

But Mr. Ralsky, who lives in a Detroit suburb, says the law's potential penalties - fines of up to $6 million and up to five years in jail - are making him rethink his business.

"Of course I'm worried about it," he said after the law was signed. "You would have to be stupid to try to violate this law."

No one is saying that e-mail in-boxes will be clean of spam any time soon. But the world is getting to be a much more hostile place for spammers, particularly those who send some of the most offensive messages. The biggest threat is not so much the new law, though it is expected to play a role in stepped-up enforcement, as the increased willingness of prosecutors to go after spammers.

http://www.nytimes.com/2003/12/30/technology/30spam.html?pagewanted=all&position=

Monday, December 29, 2003

Download details: Security Update for Windows XP (KB823980):
"This update addresses the vulnerability addressed in Microsoft Security Bulletin 03-026. Find out about more recent critical updates in the Overview section."

http://www.microsoft.com/downloads/details.aspx?FamilyID=2354406c-c5b6-44ac-9532-3de40f69c074&displaylang=en

Revamping the Security Bulletin Release Process:
"Security Bulletins Expanded and Summarized by Product

Tools & Resources

The most significant change that the new security bulletin process will introduce for customers will be in the number and timing of security patches. Consequently, customers may need to revisit some of the processes they use for deploying patches. The following tools and resources will help customers evaluate, plan, manage and deploy security patches:"

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/revsbwp.asp

Security Bulletin Search:
"Microsoft Releases Enhanced Security Bulletin Search Tool"

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp

Saturday, December 27, 2003

The Best Products of 2003
"PC Magazine's Best Products List is out."

• Desktops & Notebooks
• Processors
• Digital Imaging
• Printers
• Productivity Software
• Utilities
• Audio
• Video
• Peripherals
• Home Entertainment
• Mobile Devices & Services
• Open-Source Tools
• Networking
• Development Tools
• Games
• Education & Reference

http://www.pcmag.com/article2/0,4149,1421871,00.asp

InformIT.com : Design & Creative Media > Web Design:
"Web Design Reference Guide"

The Guide is broken into several sections, as follows:

• Web Design Reference Guide
• Articles and sample chapters
• Books and e-books
• Online resources

The Web Design Reference Guide is continuously updated. Each week, you can expect new content with the latest news and information from the world of Web design.

Table of Contents
http://www.informit.com/isapi/guide~webdesign/seq_id~3/guide/content.asp

http://www.informit.com/topics/index.asp?guide=webdesign

Friday, December 26, 2003

The Law of War in the War on Terror:
"What are the boundaries of the Bush administration's 'war on terrorism?' The recent battles fought against the Afghan and Iraqi governments were classic wars between organized military forces. But President George W. Bush has suggested that his campaign against terrorism goes beyond such conflicts; he said on September 29, 2001, 'Our war on terror will be much broader than the battlefields and beachheads of the past. The war will be fought wherever terrorists hide, or run, or plan.'

This language stretches the meaning of the word 'war.' If Washington means 'war' metaphorically, as when it speaks about a 'war' on drugs, the rhetoric would be uncontroversial, a mere hortatory device intended to rally support for an important cause. Bush, however, seems to think of the war on terrorism quite literally -- as a real war -- and this concept has worrisome implications. The rules that bind governments are much looser during wartime than in times of peace. The Bush administration has used war rhetoric precisely to give itself the extraordinary powers enjoyed by a wartime government to detain or even kill suspects without trial. In the process, the administration may have made it easier for itself to detain or eliminate suspects. But it has also threatened the most basic due process rights."

http://www.nytimes.com/cfr/international/20040101faessay_v83n1_roth.html?pagewanted=all&position=

ZDNet AnchorDesk: Greatest hits: The top columns of 2003

http://reviews-zdnet.com.com/4520-7298-5114689.html

Of Dying Viruses and Dangerous Xmas Cards:
"While antivirus vendors have reported several new viruses and malicious attackers in the past week, we have not seen any new large scale outbreaks. However, the ghosts of virus past are still with us -- Klez, Blaster, Swen, Bugbear, Dumaru, Mimail, and Welchia\Nachi all haunt the top ten. According to virus analysts, the Welchia\Nachi worm has only another week or so to live, as it is supposed to remove itself in 2004. Despite this fact, it is still infecting at a good rate…"

2003 may go down in history as the year of the spammer, as there has been more spam sent and received than in any other year. eWeek reported Monday Dec 15th that a judge in California ruled to allow pop up spammers to continue to operate for the time being. One spammer, in particular, was sending Windows Messenger Service popups to PCs that were not running a firewall or had the service turned on (it's on by default in Windows XP/2000). The ruling may trigger more spammers to try their hand at that kind of advertising.…

http://www.pcmag.com/print_article/0,3048,a=115069,00.asp

Wednesday, December 24, 2003

Microsoft Security FAQ :
"TOP Frequently Asked Questions

Note that this is NOT a complete list of all the questions answered in the FAQ.
Chances are, your question has probably already been answered. If your question is not listed below, you may want to see the complete table of contents at: http://securityadmin.info/faq.htm#contents "

http://securityadmin.info/faq.asp

Top Ten Web Design Mistakes of 2003 (Jakob Nielsen's Alertbox):
"Sites are getting better at using minimalist design, maintaining archives, and offering comprehensive services. However, these advances entail their own usability problems, as several prominent mistakes from 2003 show. "

http://www.useit.com/alertbox/20031222.html

Rapid Application Development with Mozilla: Navigation. Pt. 1 - WebReference.com -:
"This chapter is from the book 'Rapid Application Development with Mozilla' by Nigel McFarlane (ISBN 0131423436)."

http://www.webreference.com/programming/mozilla/

Tuesday, December 23, 2003

Threat From Sober Variant Grows:
"A variant of the Sober mass-mailing worm appears to be gaining more traction as leading security vendors increase their threat levels.

Increasing prevalence of the W32/Sober.C worm prompted Network Associates Inc. on Sunday to raise its risk assessment to medium from low. Sober.C is most active in Germany, where e-mail security vendor MessageLabs Inc. said 83 percent of samples had originated."

Other security vendors all have rated Sober.C's threat as low or medium. F-Secure Corp. tagged it a medium threat, ranking it a level 2 threat out of three. Symantec Corp. rated it as a level 2 threat out of five, or a low threat. MessageLabs also considers the risk "low," while saying that it has intercepted a "significant number of copies" of the worm.

Sober.C first appeared on Saturday, and New York-based MessageLabs reported its highest number of interceptions of the worm on Sunday.

Sober.C, once activated, e-mails itself to a user's Microsoft Outlook address book and sends outgoing messages through its own SMTP engine, said Network Associates, of Santa Clara, Calif. Along with e-mail, Sober.C can spread through peer-to-peer file-sharing networks.…

Sober.C, written in Visual Basic, can infect systems running Windows 2000, Windows 95, Windows 98, Windows NT and Windows Server 2003.

http://www.eweek.com/article2/0,4149,1420314,00.asp

In 1998, President Clinton noted that "information technology now accounts for more than a third of our economic growth, and government should follow one guiding principle: First, do no harm."

News: New threat to Net's future?:
"In complex political systems, the objective of an action can be honorable, but the impact of an action can be completely at odds with the objective. This is largely because the tools we use to encourage behavior in such systems are often crude and imprecise.

On Oct. 6, the 9th U.S. Circuit Court of Appeals issued an opinion in the case of Brand X Internet v. the Federal Communications Commission that has the potential to delay the progress of the Internet in the United States by certainly years and potentially decades. Through its actions, the 9th Circuit has 'invited' the 50 independent and natural bureaucratic state-based public utility commissions directly into the fold of the Internet. "

How the 9th Circuit accomplished this feat is both curious and confusing. The case in question deals with whether cable lines that deliver Internet service can be considered a "telecommunications service." This wording is critical, because Congress and the FCC have made it clear that states can regulate "telecommunications services," but must keep their hands off "information services."

In 1998, the same year Clinton made his declaration, the city of Portland mandated that AT&T, as a requirement for approval of its acquisition of TCI, open up its broadband lines to competitive carriers. Ruling on this in 2000, the 9th Circuit stated that the city of Portland could not mandate this behavior, as its jurisdiction was over cable franchises, and these broadband connections did not technically represent a cable franchise.

But the 9th Circuit did not stop there. It made one more historical but seemingly unnecessary step. It declared cable modem service a "telecommunications service."

The FCC was compelled to react to the 9th Circuit Court's assertion, as it flew in the face of the FCC position on this matter, as well as the clear intent of Congress and the Executive Branch. (Both had echoed a desire to keep the Internet unregulated.) In 2002, in an effort to clarify and correct the decision in Portland, the FCC ruled that cable modem services are "interstate information services" and not "telecommunication services." Seven different petitions for review of the FCC's "information services" ruling were filed in the 3rd, 9th and D.C. Circuits. Under the multicircuit rules, a judicial lottery was held, and the 9th Circuit was ironically elected to rule on the FCC's ruling.

http://zdnet.com.com/2100-1107_2-5130490.html

SecurityFocus HOME Infocus: Firewall Evolution - Deep Packet Inspection:
"Deep Packet Inspection is a term used to describe the capabilities of a firewall or an Intrusion Detection System (IDS) to look within the application payload of a packet or traffic stream and make decisions on the significance of that data based on the content of that data. The engine that drives deep packet inspection typically includes a combination of signature-matching technology along with heuristic analysis of the data in order to determine the impact of that communication stream. While the concept of deep packet inspection sounds very nice, it is not so simple to achieve in practice. The inspection engine must use a combination of signature-based analysis techniques as well as statistical, or anomaly analysis, techniques. Both of these are borrowed directly from intrusion detection technologies. In order to identify traffic at the speeds necessary to provide sufficient performance, newer ASICs will have to be incorporated into existing firewall designs. These ASICs, or Network Processor Units (NPUs), provide for fast discrimination of content within packets while also allowing for data classification. Deep Packet Inspection-capable firewalls must not only maintain the state of the underlying network connection but also the state of the application utilizing that communication channel."

http://www.securityfocus.com/infocus/1716

FAQ: Firewall Forensics (What am I seeing?):
"This document explains what you see in firewall logs, especially what port numbers mean. You can use this information to help figure out what hackers are up to.

This document is intended for both security experts maintaining corporate firewalls as well as home users of personal firewalls. "

http://www.secinf.net/firewalls_and_VPN/FAQ_Firewall_Forensics_What_am_I_seeing_.html

News: IE fix mends flawed open-source patch:
"A Web site that published a third-party patch to fix a security hole in Microsoft's Internet Explorer has had to reissue the patch, after the original was found to be flawed.

Openwares.org published the second patch Saturday, after the first was found to contain a buffer overflow exploit. This exploit, which allowed an attacker to take control of the patched PC, might have been far more damaging than the flaw the patch aimed to fix."

The IE vulnerability, which was first reported in late November, allows a browser to display one URL in the address bar while the page that's being viewed is actually hosted elsewhere, making the user more susceptible to ruses like "phishing," in which spoof e-mails direct people to fake Web sites that seem to belong to legitimate companies. However, Openwares' first fix, which worked by filtering out any URLs containing suspicious characters, would work only with addresses that had less than 256 bytes. Larger addresses produced a buffer overflow.

Openwares' administrator said: "The new version has been rewritten and tested by dozens of users who helped out. If you're unsure, look at the new source code for yourself."

By early morning Monday, there had been 2,500 downloads of the new patch. However, this is a minute fraction of IE users, who make up more than 90 percent of the Internet population.

Microsoft has still not released a fix for the IE problem or given any indication as to when one might be available. In October, the Redmond, Wash., software maker adopted a policy of releasing only one patch each month, but it has already announced that it will be skipping its December release; IE is expected to remain vulnerable until at least mid-January.

Earlier in December, weeks after the IE flaw was discovered, Iain Mulholland, a security program manager at Microsoft, said the company was putting heavy emphasis on increasing the quality of its patches and that the approach has had an effect on the timing of releases.…

http://zdnet.com.com/2100-1105_2-5130708.html

Monday, December 22, 2003

Op-Ed Contributors: Good Nukes, Bad Nukes:
"The Nuclear Nonproliferation Treaty is arguably the most popular treaty in history: except for five states, every nation in the world is part of it. For more than three decades, it has helped curb the spread of nuclear weapons.

Since 9/11, however, and especially in the last several months, the viability of the treaty has been called into question. Some say it is obsolete. Others say it is merely ineffective. In support of its argument each side cites the situation in Iran, which has been able to advance a nuclear weapons program despite being a member of the treaty."

Early Word on Amazon ‘Stores’:
"As in other recent holiday seasons, Amazon.com Inc. this year has successfully peddled the staples - books, music and videos - of online gift shoppers. But how about those alligator tenderloins, Callaway drivers and Mikimoto pearls? Amazon.com is wrapping up its first holiday season in which it has featured such goods and others in distinct 'stores,' or categories. Since September it has opened four stores: gourmet food, sporting goods, jewelry and watches, and (just last week) health and personal care. Retailers who are participating in the new stores and analysts who have watched them closely said Amazon.com's sales in those categories had shown promise."

"We're hearing that sales are good, not great," said Carrie A. Johnson, an analyst with Forrester Research, a technology consulting firm. "But they're good enough, and that's the key for retailers who've spent a lot of time integrating with Amazon."

Amazon.com's new stores collect items from other merchants, occasionally alongside goods already sold by Amazon. For instance, the jewelry-and-watches store features items from Mondera, Fortunoff and Ross-Simons, with pearl necklaces and other goods stocked and sold by Amazon.com.

When customers make purchases on Amazon.com from another merchant, Amazon.com sends the order to the merchant, which then ships the items. In exchange for offering their goods to Amazon.com's shoppers - more than 15 million visitors a week during the holiday season, according to Media Metrix - merchants typically pay Amazon.com a commission of 7 percent to 15 percent on each sale, according to Forrester. If an item fails to satisfy a customer, it is the responsibility of the merchant that shipped the product to receive the customer service call.

Amazon.com's senior vice president for worldwide retail, Diego Piacentini, would not disclose sales goals for the new stores. But the merchants that have joined Amazon.com have high hopes, if not for sales directly from the partnership, then for increased awareness and acceptance of their goods among mainstream shoppers. The gourmet food category may stand to benefit most from Amazon.com's participation.

"Beyond the big names like Harry & David or Omaha Steaks, this category is incredibly fragmented by small mom-and-pop businesses," Ms. Johnson of Forrester said. "Now the small players have the opportunity to reach many more customers online, and customers can find all of them in one place."

http://www.nytimes.com/2003/12/22/technology/22ecom.html?pagewanted=all&position=

New Economy: Offshore Jobs in Technology: Opportunity or a Threat?:
"The United States economy is finally getting stronger, but there seems to be one unsettling weakness: the apparent wholesale flight of technology jobs like computer programming and technical support to lower-cost nations, led by India.

The trend is typically described in ungainly terms - as 'offshore outsourcing' or 'offshoring.' But that rhetorical hurdle has done nothing to lessen the recent public debate and expressions of angst over this kind of job migration. There are some early signs of political reaction. Last month, for example, the State of Indiana pulled out of a $15 million contract with an Indian company to provide technology services. And a proposed bill in New Jersey would restrict the use of offshore workers by companies doing work for the state."

Forrester Research, a technology consulting firm, published a report this month pointing out that the movement abroad is only gradual. The firm bemoaned "the rising tide of offshore hype." Yet Forrester itself played a significant role in framing the debate on offshore outsourcing, as well as stirring fears, with a report last year. That report, published in November 2002, predicted that 3.3 million services jobs in America would move offshore by 2015, and added that the information technology industry will "lead the initial overseas exodus."

So what is really happening? Is the offshore outsourcing of technology jobs a cataclysmic jolt or a natural evolution of the economy?

The short answer is that the trend is real, irreversible and another step in the globalization of the American economy. It does present a challenge to industry, government and individual workers. But the shifting of some technology jobs abroad fits into a well-worn historical pattern of economic change and adjustment in the United States.

"To be competitive and to maintain and improve American living standards, we have to move up the technology food chain," said Craig R. Barrett, the chief executive of Intel.

That may seem like easy advice from someone perched at the top of the food chain, but Intel represents a good example of a company that successfully navigated an earlier round of threats from international competition, from Japan in the 1980's.

In the early 1980's, Japanese chip makers appeared to be taking the semiconductor industry by storm, supported by their banks and their government. The Japanese were focused on the market for memory chips, which store data. At the time, Intel was getting battered and still received much of its revenues from memory chips. It made a bet-the-company decision, abandoned the memory-chip business and focused on microprocessors, the bit-processing engines in personal computers.

The bet, of course, paid off as the personal computer business blossomed. In retrospect, Intel's triumph might seem to be a foregone conclusion. But it did not necessarily look that way back then. Remember, those were the days when the term Japan Inc. struck fear in corporate boardrooms across America, and there was a resonant ring to the bleak prognosis of the nation's economic future by the former vice president, Walter F. Mondale: "What are our kids supposed to do? Sweep up around Japanese computers and sell McDonald's hamburgers the rest of their lives?"

It did not quite work out that way, did it? Today, the overseas challenge in technology services comes from linking nations with strong education systems like China, India and Russia with the global economy. The Internet is a big part of the phenomenon. The spread of high-speed Internet connections in the last few years has meant that Indian programmers are a mouse-click away from American corporations that are eager to cut their software development costs.

The salary comparisons are striking. A programmer in the United States would earn about $80,000 a year on average, compared with $20,000 or less in India. But analysts say the actual cost savings on a development project are not proportionate. Whole stages of a project - analysis, design and deployment - typically require face-to-face meetings. Communications and cultural differences add to costs and sometimes reduce effectiveness.

On a typical corporate software project, employing 40 programmers for a year, the savings from offshore outsourcing in India would be more in the range of 20 to 40 percent less than employing higher priced labor in the United States, estimates Joseph Feiman, an analyst at Gartner Inc., a research firm. Sometimes, American services firms with special expertise are the preferred choice, despite higher labor costs.

"The math of looking only at salaries is just wrong," Mr. Feiman said. "And it is a prevalent misconception."

http://www.nytimes.com/2003/12/22/technology/22neco.html?pagewanted=all&position=

Saturday, December 20, 2003

Electronic Voting:

"Electronic voting has garnered significant attention in recent months. Controversy abounds over whether e-voting machines are secure and reliable, while strong movements toward expanding their use have arisen. India, for instance, announced in July 2003 that it would use exclusively electronic polls in its future elections. This trend and its associated security risks are examined in this Topic in Depth."

The NSDL Scout Report for Mathematics, Engineering and Technology -- Volume 2, Number 25, Topic in Depth

1. The Free E-Democracy Project
http://www.free-project.org/learn/

2. Caltech-MIT/Voting Technology Project [pdf, RealOne Player]
http://web.mit.edu/voting/

3. Electronic Voting and Counting [pdf]
http://www.elections.act.gov.au/Elecvote.html

4. The Open Voting Consortium
http://www.openvotingconsortium.org/

5. Election Reform and Electronic Voting Systems (DREs): Analysis of Security Issues [pdf]
http://www.epic.org/privacy/voting/crsreport.pdf

6. Electronic Voting: What You Need to Know
http://www.truthout.org/docs_03/102003A.shtml

7. Can Voting Machines Be Trusted?
http://www.cbsnews.com/stories/2003/11/11/politics/main583042.shtml


From The NSDL Scout Report for Math, Engineering, & Technology, Copyright Internet Scout Project 1994-2003. http://www.scout.wisc.edu/

http://scout.wisc.edu/Reports/NSDL/MET/2003/met-031219-topicindepth.php#1

Deep Content: Guide to Effective Searching of the Internet:
"Your ability to find the information you seek on the Internet is a function of how precise your queries are and how effectively you use search services. Poor queries return poor results; good queries return great results. Contrary to the hype surrounding 'intelligent agents' and 'artificial intelligence,' the fact remains that search results are only as good as the query you pose and how you search. There is no silver bullet.

There are very effective ways to 'structure' a query and use special operators to target the results you seek. Absent these techniques, you will spend endless hours looking at useless documents that do not contain the information you want. Or you will give up in frustration after search-click-download-reviewing long lists of documents before you find what you want."

This outstanding website is, without question, one of the most comprehensive online resources for learning efficient Internet search techniques. The guide begins with some fairly non-technical background about the Internet and explains why searching such a massive amount of information is more complex than it seems. The general process used by search engines to rank webpages is described. After covering the fundamentals of search engine operation, the guide discusses some best practices to use when conducting a search. Keyword selection, phrasing, and Boolean operators are just a few of the concepts discussed to help users make their searching more effective. The guide also compares many top search engines, noting the supported features, coverage, and type of indexing associated with each. From The NSDL Scout Report for Math, Engineering, & Technology, Copyright Internet Scout Project 1994-2003. http://www.scout.wisc.edu/

http://scout.wisc.edu/Reports/NSDL/MET/2003/met-031219-printable.html#12

http://www.brightplanet.com/deepcontent/tutorials/search/index.asp

Friday, December 19, 2003

Record Industry May Not Subpoena Online Providers:
The industry's argument that the subpoena power could be applied to an Internet service provider "regardless of what function it performs," even if songs are only momentarily passing through its data pipes, "borders upon the silly."

"The recording industry cannot compel an Internet service provider to give up the names of customers who trade music online without judicial review, a federal appeals court in Washington ruled today.

The sharply worded ruling, which dismissed one industry argument by saying that it 'borders on the silly,' is a blow to the music companies in the online music wars. It overturns a decision in federal district court that favored the industry and ordered Verizon Communications to disclose the identity of a subscriber based on simple subpoenas submitted to a court clerk. "

The music industry has been struggling to counter an army of downloaders tens of millions strong who, beginning with the advent of Napster in the 1990's, have swapped songs online on so-called "peer-to-peer" networks without regard to the property rights of artists, composers and the companies that make the music.

In September, the industry began suing large-scale file swappers. In doing so, it used a controversial provision of the Digital Millennium Copyright Act of 1998, section 512 (h), to demand that the service providers reveal the identities of customers whose activities could otherwise be linked by the industry only to an identifier known as an Internet Protocol number.

The opinion, written by Chief Judge Douglas H. Ginsburg of the United States Court of Appeals for the District of Columbia Circuit, did not strike down the new provisions of the copyright act on constitutional grounds. Instead, it said that the statute was applied incorrectly by the recording industry.

Under the terms of the law, the court said, subpoenas that the industry sent to Verizon demanding the identity of the file trader and the removal of infringing files could not be applied to the company when its customers were trading files on a peer-to-peer network. As an Internet service provider, or I.S.P., Verizon was "acting merely as a conduit" for the music files and did not store the data on its own computer network, Judge Ginsburg wrote. "A subpoena may be issued only to an I.S.P. engaged in storing on its servers material that is infringing or the subject of infringing activity."

Since the law requires a "takedown notice" that identifies the material that must be removed from the Internet, and since the material in question is not on the Internet service provider's own servers, "the R.I.A.A.'s notification identifies absolutely no material Verizon could remove or access to which it could disable," Judge Ginsburg wrote.

Although the recording industry argued that an Internet service provider can, in fact, remove the offending material by cutting off the subscriber's account, Judge Ginsburg wrote that "this argument is undone by the terms of the act," which clearly distinguished between blocking access to copyrighted files and cutting off the accounts of infringing users.

The industry's argument that the subpoena power could be applied to an Internet service provider "regardless of what function it performs," even if songs are only momentarily passing through its data pipes, "borders upon the silly," the judge wrote.

Such attempts by the industry to broaden the definition and role of Internet service provider, Judge Ginsburg wrote, must fail under the harsh light of careful statutory analysis. "Define all the world as an I.S.P. if you like, the validity of a 512(h) subpoena still depends upon the copyright holder having given the I.S.P., however defined, a notification" that is effective under other crucial provisions of the law, he wrote.…

http://www.nytimes.com/2003/12/19/technology/19CND-MUSI.html?pagewanted=all&position=

ZDNet AnchorDesk: The safe way to move your data to a new PC:
"This column is about something that every reasonably advanced PC user faces at one time or another, an exercise that's fraught with peril. "

Specifically: How do you make sure your PC is safe to hand down to someone else or perhaps to sell on eBay for a dollar or two? By "safe," I mean that all your personal data has been safely removed.

Real paranoiacs will remove the hard drive, run it past a demagnetizer, smash it with a 20-pound sledge hammer, and then soak the remains in circuit board etching solution before they pass along a PC. If you should actually catch somebody doing this, however, do us all a favor and notify Tom Ridge immediately.

If you'd rather preserve the drive, and don't care about the apps and operating system, there are a number of utilities that will completely wipe the drive. If you have a copy of Norton SystemWorks, for example, you can boot from the CD and use it to wipe the machine's hard drive.

Not all data wiping programs are created equal, however. Whatever app you use, try to make sure it makes three or more passes of the hard drive, replacing the old data with random characters each time. Such a hard drive will be clean enough for the Defense Department's purposes, whatever those might be.

BUT SUPPOSE you want to leave most or all of the applications and operating system in a condition that someone else could still use. And (to be even more realistic), let's say you'd also like to migrate all your data and settings from the old machine to one you've just purchased or received as a holiday present.…
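As a scaled-down picture of the multi-pass overwrite the column recommends, here is an added Python example (not from ZDNet) that overwrites a file it creates itself with three passes of random data and then checks that the original content is gone. It is not a drive sanitizer: on journaling file systems and SSDs a file-level overwrite can leave copies behind, which is why whole-device tools booted from CD, as the column describes, remain the right choice for a hand-down.

```python
"""Multi-pass overwrite of a file, as a scaled-down picture of the three or
more random passes the column recommends for a whole drive.

Added example, not from ZDNet. It only touches a temporary file it creates
itself and is not a drive sanitizer: on journaling file systems and SSDs a
file-level overwrite can leave copies behind, which is why whole-device
tools booted from removable media remain the right choice for a hand-down.
"""
import os
import tempfile


def overwrite_file(path: str, passes: int = 3, chunk: int = 64 * 1024) -> int:
    """Overwrite every byte of `path` with fresh random data `passes` times,
    pushing each pass to disk with fsync. Returns the bytes written per pass."""
    if passes < 1:
        raise ValueError("at least one pass is required")
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                fh.write(os.urandom(n))      # a new random pattern every pass
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def wipe_and_verify(secret: bytes, passes: int = 3) -> bool:
    """Write `secret` to a temporary file, overwrite it, and confirm the file
    kept its size but no longer contains the secret."""
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(secret)
        written = overwrite_file(path, passes)
        with open(path, "rb") as fh:
            after = fh.read()
        return written == len(after) == len(secret) and secret not in after
    finally:
        os.remove(path)


if __name__ == "__main__":
    # Constructed sample content standing in for the personal data on a hand-me-down PC.
    ok = wipe_and_verify(b"account=1234 password=hunter2 " * 3)
    print("original content gone after overwrite:", ok)
```

The fsync after each pass matters: without it the operating system may merge the passes in its cache and write the disk only once.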

http://reviews-zdnet.com.com/AnchorDesk/4520-7298_16-5114407.html?tag=adss

Thursday, December 18, 2003

No MS Security Issues In December? Think Again!:
"Mozilla not immune.

…there is a particular problem in Internet Explorer which allows a malicious coder to make it appear as if the user is viewing a different Web site than they actually are viewing. The bug involved the use of a feature of Uniform Resource Identifiers (browser addresses) that is more often abused than used legitimately: the '@' character.

When an '@' is part of the domain in a Web address, the browser treats the string to the left of it as a user name to fill in any userid prompts, and everything on the right side as the domain name. This is perfectly legitimate syntax. Click here for the actual standard document about URIs.

Malicious coders, such as phishers, often will use this technique to obscure the actual address of the site they send you to. For example, they might send you a message that appears to be from Paypal and include a link that looks something like this:

http://www.paypal.com@64.225.264.128/accounts/validate.htm (The IP address I used is illegal for the same reason they use 555 phone numbers on TV shows.)
Notice the numeric string to the right of the '@' mark. This link will not take you to www.paypal.com, but to 64.225.264.128. But most unsophisticated users won't notice the difference. Still, all of this monkey business is perfectly legal (if immoral) under the URI standard.

The latest bug adds a twist: If you put ASCII 00 and 01 characters (designated as %00%01 in the spec.) just prior to the '@' character, then Internet Explorer won't display the rest of the URL when the user views the page. In Javascript you must use just the %01 character and also decode the string with the unescape() function.

There are many variations of this particular scheme, and surprisingly some of them partially work on Mozilla as well.

The anchor link version of this vulnerability also results in the partial, incorrect address being displayed in the status line as the user hovers the mouse over the link. Versions of Mozilla I tested (Versions 1.0 and 1.5) also showed the partial address in the status line, although they displayed the full address in the address bar. Just for fun, I tried Netscape 4.7 as well. Despite being one of the worst programs ever written, it handled this situation properly, displaying the full URL in the address and status lines. "

http://www.eweek.com/print_article/0,3048,a=114456,00.asp

Wednesday, December 17, 2003

ASP 101 - Using the Google APIs to Spell Check:
"The Developers at Google have been kind enough to offer a web API for developers using the SOAP protocol. When you do a search using Google, you may have noticed that you are prompted with possible alternatives to any words you may have misspelled.

The Google web API 'spell check' allows you to send a string of text and receive alternatives for misspelled words. The power in this web API is that the Google dictionary includes technology words that are used in website searches, but may not have been included in a Standard English dictionary. "

Setting up the Google SDK on your server is as simple as downloading the API from http://www.google.com/apis/. You'll need to register with the website which will give you your own key. You'll need the key for Google to accept SOAP connections from your server.

There are some limitations to be mentioned as well. The Google web API allows 10 words to be sent at a time and a limit of 1000 connections per key per day. The following script works around the 10 word limit, however is still limited by the 1000 connections.…
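The 10-words-per-call and 1000-calls-per-day limits are the part of this setup that is easy to get wrong, so here is an added Python model (not the article's ASP script) of the batching and quota accounting a wrapper needs. The network transport is injected as a callable (the real call was the SOAP API's doSpellingSuggestion method, which takes the key and the phrase); `fake_transport`, its word list and the sample text are constructed for this example so it runs offline.

```python
"""Batching and quota accounting for a per-call word limit and a per-day
call limit.

Added example, not the ASP script from the article. The SOAP transport is
injected as a callable so the logic runs offline; `fake_transport` and its
word list are constructed stand-ins.
"""
from math import ceil
from typing import Callable, List

MAX_WORDS_PER_CALL = 10    # limit stated in the article
MAX_CALLS_PER_DAY = 1000   # limit stated in the article


class DailyQuotaExceeded(RuntimeError):
    """Raised before a request would exceed the per-key daily connection limit."""


class QuotaTracker:
    """Counts connections against the daily cap so a long text fails fast
    instead of burning the key's remaining calls on a partial result."""

    def __init__(self, limit: int = MAX_CALLS_PER_DAY) -> None:
        self.limit = limit
        self.used = 0

    def reserve(self, calls: int) -> None:
        if self.used + calls > self.limit:
            raise DailyQuotaExceeded(
                f"{calls} call(s) requested, {self.limit - self.used} left today")
        self.used += calls


def batch_words(text: str, size: int = MAX_WORDS_PER_CALL) -> List[str]:
    """Split whitespace-separated text into phrases of at most `size` words,
    preserving order so the corrected phrases can be re-joined."""
    words = text.split()
    return [" ".join(words[i:i + size]) for i in range(0, len(words), size)]


def calls_needed(text: str, size: int = MAX_WORDS_PER_CALL) -> int:
    """How many connections a text will cost against the daily quota."""
    return ceil(len(text.split()) / size)


def spell_check(text: str, send: Callable[[str], str], quota: QuotaTracker) -> str:
    """Check `text` in batches of at most ten words.

    `send(phrase)` stands in for the SOAP doSpellingSuggestion call and must
    return the corrected phrase, or "" when the service has no suggestion
    (the convention the Google API used). The whole text's quota is reserved
    up front so the caller never gets half a result.
    """
    chunks = batch_words(text)
    quota.reserve(len(chunks))
    corrected = []
    for chunk in chunks:
        suggestion = send(chunk)
        corrected.append(suggestion if suggestion else chunk)
    return " ".join(corrected)


def fake_transport(phrase: str) -> str:
    """Offline stand-in for the network call (constructed for this example)."""
    fixes = {"teh": "the", "agian": "again", "recieve": "receive"}
    fixed = " ".join(fixes.get(word, word) for word in phrase.split())
    return fixed if fixed != phrase else ""


if __name__ == "__main__":
    quota = QuotaTracker()
    sample = "teh quick brown fox jumps over the lazy dog agian and agian it runs"
    print(spell_check(sample, fake_transport, quota))
    print(f"{quota.used} of {quota.limit} daily calls used")
```

The key itself belongs on the server, never in page markup or client-side script, since anyone who reads it can spend the 1000 daily connections on your behalf.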

http://www.asp101.com/articles/jeremy/googlespell/default.asp
PCMag.com Shareware Library: Freeware and Shareware Downloads:
"This one's for everyone who complained about being forced to pay $5 a month (or $20 a year) to get award-winning PC Magazine Utilities.

…an extensive (and I mean extensive) shareware library full of thousands of programs you can download and try -- without spending a dime! Utilities, music, multimedia, programming, business, and more "

http://shareware.pcmag.com/welcome.php?&SiteID=pcmag
DoS Flaw in SOAP DTD Parameter:
"Technology heavyweights IBM and Microsoft have released fixes for a potentially serious vulnerability in various Web Services products that could be exploited to trigger denial-of-service attacks.

In separate alerts, the companies said the vulnerability was caused by an error in the XML parser when parsing the DTD (Document Type Definition) part of XML documents. Independent security researcher Secunia has tagged the flaw with a 'moderately critical' rating."

Affected software includes IBM WebSphere 5.0.0 and Microsoft ASP.NET Web Services (.NET Framework 1.0 and 1.1).

According to IBM, the security patch fixes a flaw that could be exploited by sending a specially crafted SOAP request. "This can cause the WebSphere XML Parser to consume an excessive amount of CPU resources," Big Blue warned.

An advisory from Microsoft confirmed the DTD error parsing vulnerability in its Web Services products, included with the .NET Framework 1.1.

Document Type Definitions (DTDs) provide a way to write markup rules that describe the structure of XML documents and can be used to validate the structure of those documents. When the XML 1.0 specification was originally created, the DTD syntax, which is not XML-based, was inherited from earlier markup languages, such as Standard Generalized Markup Language (SGML) and HTML, Microsoft explained.…
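To make the failure mode concrete, here is an added Python example (not IBM's or Microsoft's fix) of the defensive rule a SOAP endpoint can apply: a SOAP request never needs a DTD, so the parser is told to abort as soon as a DOCTYPE appears, before any entity declarations are read. It uses the standard library's expat binding; the envelope samples, the operation name and the size ceiling are constructed for this example.

```python
"""Refuse DTDs in incoming SOAP requests before the XML parser spends any
effort on them.

Added example, not IBM's or Microsoft's patch: it uses the standard library's
expat binding. The SOAP 1.1 envelope shape (Envelope/Body/<operation>) is the
real one; the sample requests, the operation name and the size ceiling are
constructed for this example.
"""
import xml.parsers.expat as expat
from typing import Dict, List

SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"
MAX_REQUEST_BYTES = 1_000_000   # assumption: generous ceiling for one request body


class DtdNotAllowed(ValueError):
    """The request carried a DOCTYPE or entity declaration; SOAP never needs one."""


def parse_soap_body(data: bytes, max_bytes: int = MAX_REQUEST_BYTES) -> Dict[str, str]:
    """Return {operation local name: text content} for each element directly
    under soap:Body. Parsing aborts the moment a DOCTYPE starts, so neither an
    internal subset nor an external DTD reference is processed."""
    if len(data) > max_bytes:
        raise ValueError(f"request body of {len(data)} bytes exceeds {max_bytes}")

    parser = expat.ParserCreate(namespace_separator=" ")
    parser.buffer_text = True

    def refuse_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {name!r} rejected: DTDs are not accepted here")

    def refuse_entity(*_):
        raise DtdNotAllowed("entity declaration rejected")

    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.EntityDeclHandler = refuse_entity
    # No ExternalEntityRefHandler is installed, so expat never fetches anything.

    stack: List[str] = []          # qualified names of the open elements
    result: Dict[str, str] = {}
    state = {"op": None, "buf": []}

    def start(name, attrs):
        if not stack and name != f"{SOAP_ENV_NS} Envelope":
            raise ValueError(f"root element {name!r} is not a SOAP 1.1 Envelope")
        stack.append(name)
        if len(stack) == 3 and stack[1] == f"{SOAP_ENV_NS} Body":
            state["op"] = name.split(" ")[-1]   # local name of the operation
            state["buf"] = []

    def chars(text):
        if state["op"] is not None:
            state["buf"].append(text)

    def end(name):
        if len(stack) == 3 and state["op"] is not None:
            result[state["op"]] = "".join(state["buf"]).strip()
            state["op"] = None
        stack.pop()

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return result


def rejects_dtd(data: bytes) -> bool:
    """True when the request is refused specifically for carrying a DTD."""
    try:
        parse_soap_body(data)
    except DtdNotAllowed:
        return True
    return False


# Constructed sample: an ordinary request with one operation under Body.
BENIGN_REQUEST = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetQuote xmlns="urn:example:stock"><symbol>ACME</symbol></GetQuote>
  </soap:Body>
</soap:Envelope>"""

# Constructed sample: the same shape with a DTD in front; one harmless entity
# is enough to show the refusal, since the parser never reads the subset.
DTD_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE soap:Envelope [ <!ENTITY greeting "hello"> ]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><Echo>&greeting;</Echo></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print("benign:", parse_soap_body(BENIGN_REQUEST))
    print("DTD request rejected:", rejects_dtd(DTD_REQUEST))
```

The size ceiling is the second half of the defence: refusing DTDs stops the parser from expanding entities, and the byte limit bounds the work a plain, DTD-free document can demand.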

http://www.internetnews.com/dev-news/article.php/3289191
W32/Sobig.F-mm is Still a Big Threat:
"On the virus and worm front, not much has changed in the lineup of top threats. W32/Swen.A-mm, W32/Dumaru.A-mm and several Mimail variations are still infecting hundreds worldwide every day. Also on the top list is W32/Sobig.F-mm, a tenacious multi-vector worm that has been around since August. Sobig.F, like Swen.A, spoofed the 'from' address field of e-mail it sent out, to make it look like someone else was sending the infected messages. The worm was very prolific by itself, but it ended up generating more incidental Internet traffic because automated IT antivirus systems were sending virus notifications back to the senders. Unfortunately, many of the apparent senders had nothing to do with the original e-mail message. In the days of slower moving viruses, the notifications were helpful, but with fast moving worms, it had to be scrapped. In a recent newsletter, ThreatFocus estimated that 'Spam from PC's hijacked by the Sobig virus now accounts for more than half of all email sent across the Internet.' "

First discovered in August 2003, mass mailing worm W32/Sobig.F-mm caused a lot of grief in a short amount of time, and is still in the top 10 viruses plaguing users. W32/Sobig.F-mm was supposed to terminate its propagation on September 10th, 2003, and was downgraded in threat level by several antivirus companies. Though "deactivated", it is still listed as one of the top infectors, and it is attributed to spreading spam across the Internet. After the deactivation date, it can still be used to propagate spam and update itself, making it important to remove the infection.

One of the fastest moving viruses, Sobig.F usually spreads as an e-mail attachment (usually a PIF or SCR file), though it also attempts to spread through network shares, leaving open the possibility of re-infection even if the original infected machines have been cleaned. For a user to catch Sobig.F, they must run or view the e-mail attachment. Once running, Sobig.F will send copies of itself out using its own SMTP engine to addresses harvested from text, database, html and e-mail files on the victim's machine. The virus also uses the harvested addresses to spoof the "From" field to disguise the origin of the e-mail. This feature caused major headaches, as many innocent users were being blamed for sending out infected traffic, and the bounced back e-mail in itself clogged the Internet.

Once running, the virus will attempt to get the current date and time through one of several Network Time Protocol (NTP) servers. If the time is between 19:00 and 22:00 UTC (Universal Time Code) or 8pm – 11pm UK time, on a Friday or Sunday, it sends a UDP packet to a remote server on port 8998. It is suspected that it is being used to download an update file, which is a behavior shown by earlier versions of Sobig. Blocking outgoing UDP connections on port 8998 with a firewall is recommended as a workaround for this feature.

When a user runs an infected attachment, Sobig creates a copy of itself called winppr32.exe in the Windows folder (C:\Windows or C:\Winnt). It then adds the value "TrayX"="%Windir%\winppr32.exe /sinc" to the following registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. This means that the virus will run when the machine is booted. Sobig also creates a file called winstt32.dat in the Windows folder (%windir% is the Windows folder as noted above), which is used to store e-mail addresses gathered from the victim's machine.

The virus will also look for any accessible network shares for which the PC has write access. Symantec reports though that due to a bug in the code, Sobig cannot copy over network shares. Sobig.F can download arbitrary files from server addresses stored in the virus, and execute them. Also according to the Symantec, "The author of the worm has used this functionality to steal confidential system information and to set up spam relay servers on infected computers". This is in line with ThreatFocus's estimate that over 50% of the spam on the web comes from Sobig infected zombie computers. It is suspected that Sobig.F attempts to contact a master server that its author controls and downloads a URL where it goes to download a Trojan to run on the local PC.…
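The indicators above (the TrayX Run value, winppr32.exe, winstt32.dat, and the UDP/8998 beacon in the Friday/Sunday 19:00-22:00 UTC window) are enough for a simple host and network check. The following is an added Python example, not code from PC Magazine or any antivirus vendor; the registry export and the firewall log lines are constructed samples in a log format invented for the example, and the beacon window is read as 19:00 inclusive to 22:00 exclusive.

```python
"""Host and network checks for the W32/Sobig.F-mm indicators described above.

Added example, not code from PC Magazine or an antivirus vendor. The indicator
values come from the write-up; the registry export and the firewall log lines
are constructed samples (the log format is invented for this example).
"""
import re
from datetime import datetime, timezone
from typing import Dict, List

RUN_VALUE_NAME = "TrayX"
DROPPER_NAME = "winppr32.exe"
ADDRESS_STORE = "winstt32.dat"      # harvested-address cache dropped next to winppr32.exe
UPDATE_PORT = 8998                  # UDP beacon/update port
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}


def in_update_window(when: datetime) -> bool:
    """True when `when` is a Friday or Sunday between 19:00 (inclusive) and
    22:00 (exclusive) UTC, the window in which the worm beacons. A naive
    datetime is taken to be UTC."""
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    utc = when.astimezone(timezone.utc)
    return utc.weekday() in (4, 6) and 19 <= utc.hour < 22


def in_update_window_iso(timestamp: str) -> bool:
    """Same check for an ISO-8601 string such as '2003-12-14T20:15:00'."""
    return in_update_window(datetime.fromisoformat(timestamp))


_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def scan_registry_export(reg_text: str) -> List[Dict[str, str]]:
    """Flag Run-key values that launch the dropper, given the text of a .reg
    export (regedit doubles backslashes inside string values)."""
    findings: List[Dict[str, str]] = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        match = _REG_VALUE.match(line)
        if not match or current_key not in RUN_KEYS:
            continue
        name, value = match.group(1), match.group(2).replace("\\\\", "\\")
        if name == RUN_VALUE_NAME or DROPPER_NAME in value.lower():
            findings.append({"key": current_key, "name": name, "value": value})
    return findings


_FW_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC (\w+) (\w+) (\S+):(\d+) -> (\S+):(\d+)$"
)


def scan_firewall_log(log_text: str) -> List[Dict[str, object]]:
    """Return outbound UDP/8998 events; a hit inside the beacon window is the
    stronger signal, so each event records whether it fell in that window."""
    events: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        match = _FW_LINE.match(raw.strip())
        if not match:
            continue
        ts, action, proto, src, _sport, dst, dport = match.groups()
        if proto.upper() != "UDP" or int(dport) != UPDATE_PORT:
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append({"time": when.isoformat(), "src": src, "dst": dst,
                       "action": action, "in_window": in_update_window(when)})
    return events


# Constructed sample: a .reg export of both Run keys, one carrying the worm's value.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\ExampleVendor\\upd.exe"
"TrayX"="C:\\WINDOWS\\winppr32.exe /sinc"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# Constructed sample in an invented format; 2003-12-14 was a Sunday. Note the
# NTP query (UDP/123) just before the beacon, matching the worm's sequence.
SAMPLE_FIREWALL_LOG = """\
2003-12-14 20:14:58 UTC ALLOW UDP 192.168.1.20:123 -> 203.0.113.9:123
2003-12-14 20:15:03 UTC ALLOW UDP 192.168.1.20:1052 -> 203.0.113.7:8998
2003-12-15 09:02:41 UTC ALLOW TCP 192.168.1.21:3301 -> 198.51.100.5:80
"""

if __name__ == "__main__":
    for finding in scan_registry_export(SAMPLE_REG_EXPORT):
        print("persistence:", finding)
    for event in scan_firewall_log(SAMPLE_FIREWALL_LOG):
        print("beacon:", event)
```

On a live machine the same two checks map onto `reg export` of the two Run keys and the perimeter firewall's allow log; the article's recommended block on outbound UDP/8998 turns the second check into a deny-log search.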

Full article (printable version) at http://www.pcmag.com/print_article/0,3048,a=114580,00.asp

http://www.pcmag.com/article2/0,4149,1414899,00.asp
Judge OKs Internet Company's Pop-Up Ads:
"A federal judge ruled Monday that a California company can send 'pop-up' Internet ads that regulators have called 'high-tech extortion'—at least until the matter is decided at trial.

U.S. District Judge Andre Davis said there was insufficient evidence for him to grant a preliminary injunction sought by the Federal Trade Commission. Regulators wanted to stop San Diego-based D-Squared Solutions LLC from selling its ad-blocking software."

"It's not clear to me ... if there's substantial injury to consumers," said Davis, who set a trial for March 8. "The case had the odor of extortion as it was originally prosecuted ... but it certainly doesn't look like extortion to me."

The FTC said D-Squared improperly used a technology built into most versions of Microsoft's Windows operating software to display intrusive messages on computer screens.

The messages offered software to block the same types of ads the company was sending. The FTC said D-Squared unlawfully exploited Microsoft's Windows Messenger Service feature by sending the unwanted ads to Internet users as frequently as once every 10 minutes.

FTC attorney Mona Spivack said D-Squared's advertisements caused "substantial injury" to consumers, citing lost data, crashed computers, frustration, annoyance and harassment.

"They clearly knew that this practice was in fact causing consumers' computers to crash," Spivack said. "The defendant's own marketing material said this."

http://www.eweek.com/article2/0,4149,1414497,00.asp?kc=EWNWS121603DTX1K0000599

Monday, December 15, 2003

News: Google delivers parcel search:
"Google has introduced a new search feature that turns up shipping information from Federal Express and United Parcel Service, the company's latest move to expand beyond keyword searches.

Google takes people directly to the FedEx or UPS Web page containing the location of a particular package when they type in their parcel tracking number into its search site. The new 'Search by Number' feature, announced Friday, also brings up information linked to other kinds of numbers, such as patent numbers, equipment identification numbers issued by the Federal Communications Commission, and airplane registration numbers from the Federal Aviation Administration.… "

Google also has tweaked the way it displays search results for specific products for sale on the Web. A search for "Hulk Hands," for instance, will display the top listings from Google's online shopping guide, Froogle, above its regular search results.…

http://zdnet.com.com/2100-1104_2-5121824.html
ZDNet AnchorDesk: How to stop spam? Don't look to legislation:
"After months of debate, Congress has approved an antispam bill, known as the Controlling the Assault of Non-Solicited Pornography and Marketing Act, or the CAN-SPAM Act of 2003. President Bush has indicated he will sign it before the end of the year. That sounds like good news for anyone who uses e-mail. But once you look beyond the spin, you'll find there's much less here than meets the eye. "

IN A NUTSHELL, CAN-SPAM prohibits the use of fraudulent e-mail headers, the use of robotic means to collect e-mail addresses from Web sites, and the sending of unsolicited adult advertising. It requires e-mail marketers to provide a working URL in messages so recipients can remove themselves from any future mailings.

Down the road, the law also calls for the creation of a federal Do Not Spam list, much like the FTC's Do Not Call list, which gives you the ability to remove your phone number from telemarketers' databases. The law also prohibits unwanted commercial messages via mobile services on mobile phones and PDAs.…

SO WHY DID the attorneys general from California, Kansas, Maryland, Nevada, Texas, Vermont, and Washington urge the House of Representatives to vote against the act? Because CAN-SPAM ignores and supersedes any existing or pending junk e-mail laws in 30 states--including the toughest, California's--with a decidedly weaker federal law.

The state laws, which are now obsolete, were more stringent than the federal one in several ways. For example, the laws in Utah and California would allow recipients to sue spammers who use false e-mail headers. One provision of a California law would even use the penalties claimed from such cases to help fund the state's high-tech crime task forces. However, under CAN-SPAM, while recipients can still sue spammers, the burden of proof has been extended beyond showing that the e-mail header was false and now requires that plaintiffs show the sender also knew it was false.

It's the opinion of several state attorneys general that this is a much higher standard of proof than other consumer protection laws, and that spam recipients will now tie up the legal system with new cases without being able to stop unsolicited e-mails in the meantime. That is what the direct-marketing associations wanted: judicial gridlock.

ANOTHER SHORTCOMING of the law: According to Spamhaus.org, an antispam clearinghouse, CAN-SPAM allows 23 million U.S. businesses to spam U.S. e-mail addresses legally as long as they also provide a means for users to opt out of future mailings.

It turns out the direct marketers got their way this time around. With telemarketing restricted by the Do Not Call list, direct-marketing associations now see e-mail advertising as their last and best option, since automatically sending hundreds of thousands of e-mails is much cheaper than maintaining call centers. These groups made the rounds in Washington D.C. and managed to get this muted federal antispam bill passed quickly. For the legislators in Congress, CAN-SPAM allows them to say, "Look, we did something about spam," when, in reality, the act does little to actually solve the problem.…

http://reviews-zdnet.com.com/AnchorDesk/4520-7297_16-5113118.html?tag=ns

Saturday, December 13, 2003

Security Troubleshoot and Maintain:
Find what you need to respond to current security issues.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Default.asp
Security Pipeline | News | Spam-Virus Marriage Seen As Leading 2004 Internet Threat:
"The use of viruses to commandeer personal computers on the Internet for relaying spam is a trend that started this year and is expected to escalate in 2004, an e-mail security company said Friday.

In the last six months, MessageLabs Inc. has seen a steady rise in the use of spam and virus techniques in sending out junk e-mail hawking drugs, pornography and sexual enhancements. "

The Minneapolis-based company, which filters corporate e-mail for spam and viruses, intercepts about 27 spam messages a second today, up from two per second at the same time last year. Sixty-six percent of those messages are generated from PCs that have been taken over by spammers without the knowledge of the computers' owners, Mark Sunner, chief technology officer for MessageLabs, said.

The number of PCs commandeered by spammers is expected to increase next year. "Spammers are taking advantage of the flaw in traditional anti-virus software people are running on their desktops today," Sunner said.

Traditional anti-virus software requires users to download code capable of detecting a virus after it's released on the Internet.

Until this year, people seeking a thrill from the chaos they could cause on the Internet accounted for most of the viruses. The malevolent code is hidden in an e-mail attachment that the sender tries to trick a person into opening by pretending the message is from a legitimate vendor or someone who can be trusted, like a friend.

Spammers are now using the same techniques to get PC users to unknowingly install applications that allow the machines to be used later to relay spam. The pre-eminent example of this kind of malevolent code was the Sobig.F virus, which had such an effective mass-mailing engine that it managed to shut down some corporate and government networks.

"The authors behind Sobig were definitely spammers using the virus to harvest lots of machines to blast spam," Sunner said.

Relaying spam through other computers enables spammers to remain anonymous and avoid law enforcement agencies. In addition, by hiding the original source of the mass-mailings, spammers can avoid black lists used by filtering software to separate spam from legitimate messages.…

http://informationweek.securitypipeline.com/news/showArticle.jhtml;jsessionid=F1K3ID3UJ3UQIQSNDBCSKHQ?articleId=16600263
Windows XP Professional File Sharing:
"The file system in Windows XP is based on Windows NT and Windows 2000, so many of its features are new to users of Windows 95, 98, and Me. "

In Windows 95/98/Me, you can assign a password to a shared disk or folder, so that only people who know the password can gain access. That works well in a small home network where, for example, Mom and Dad know the password to the family's financial data, but Junior doesn't. But it isn't practical in a large corporate network, where Windows XP Professional is likely to be used. It's hard to keep a password secret in a large company, and changing to a new password requires giving it to everyone who needs to use it.

Windows XP Professional replaces password-based security with two alternatives:

  • Simple File Sharing is enabled by default on Windows XP Professional systems that are members of a workgroup (typically used in small networks) rather than a domain (typically used in large corporate networks). For full details, see our article on Simple File Sharing. There are no passwords or access restrictions and, with one exception described in the article, everything that's shared is accessible by everyone on the network. Simple File Sharing is the only type of sharing available in Windows XP Home Edition.

  • By disabling Simple File Sharing, you can specify an Access Control List (ACL) for each shared disk or folder. The ACL specifies which users are allowed to have access.

http://www.practicallynetworked.com/sharing/xp_filesharing/index.htm
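To show what an ACL buys over the shared password of the Windows 95/98/Me model described above, here is an added Python model (not from the Practically Networked article) of how per-user and per-group entries combine. It goes a step beyond the text by including deny entries, with the simplified rule that an explicit deny beats any allow; the users, groups and rights are constructed for the example.

```python
"""Per-user access control on a share, as opposed to one shared password.

Added example, not from the Practically Networked article. It goes a step
beyond the text by including deny entries and uses the simplified rule that
an explicit deny beats any allow; users, groups and rights are constructed.
"""
from dataclasses import dataclass
from enum import Flag, auto
from typing import Iterable, List, Set


class Right(Flag):
    READ = auto()
    WRITE = auto()
    DELETE = auto()


FULL = Right.READ | Right.WRITE | Right.DELETE


@dataclass(frozen=True)
class Ace:
    """One access-control entry: who, allow or deny, which rights."""
    principal: str   # a user name or a group name
    allow: bool      # False makes this a deny entry
    rights: Right


def effective_rights(acl: Iterable[Ace], user: str, groups: Set[str]) -> Right:
    """Union of the allow entries that name the user or one of its groups,
    minus the union of the matching deny entries."""
    identities = {user} | set(groups)
    allowed = denied = 0
    for ace in acl:
        if ace.principal in identities:
            if ace.allow:
                allowed |= ace.rights.value
            else:
                denied |= ace.rights.value
    return Right(allowed & ~denied)


def is_allowed(acl: Iterable[Ace], user: str, groups: Set[str], wanted: Right) -> bool:
    """True only if every bit of `wanted` survives the deny entries."""
    return (effective_rights(acl, user, groups) & wanted) == wanted


def revoke(acl: List[Ace], principal: str) -> List[Ace]:
    """Cut one principal off without touching anyone else's entries, which a
    shared password cannot do short of changing it for everyone."""
    kept = [ace for ace in acl if ace.principal != principal]
    return kept + [Ace(principal, False, FULL)]


# Constructed sample modelled on the article's household: Mom and Dad work on
# the finances, an Everyone entry grants read to every account, and Junior's
# deny entry overrides that grant.
GROUPS = {"Finance": {"mom", "dad"}, "Everyone": {"mom", "dad", "junior"}}


def groups_of(user: str) -> Set[str]:
    return {name for name, members in GROUPS.items() if user in members}


FINANCES_ACL: List[Ace] = [
    Ace("Finance", True, Right.READ | Right.WRITE),
    Ace("Everyone", True, Right.READ),
    Ace("junior", False, FULL),
]

if __name__ == "__main__":
    for user in ("mom", "dad", "junior"):
        print(user, effective_rights(FINANCES_ACL, user, groups_of(user)))
    after = revoke(FINANCES_ACL, "dad")
    print("dad after revoke:", effective_rights(after, "dad", groups_of("dad")))
```

The revoke step is the practical point of the article's comparison: removing one person from a shared-password folder means issuing a new password to everyone else, while an ACL change touches only the entry for that person.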

Thursday, December 11, 2003

Eureka! Mac's Are Not Invulnerable:
"The truth is that the Mac OS is just as vulnerable as Microsoft Windows. Overall, maybe OS X is better than Windows, but that's not the point. Panther, for example, is a great OS, but it's also complex, and complexity leaves room for gaps—some small, some not.

OS X 10.x may not be as widely used as Windows (let's face it, it isn't) but some of its devotees seem far more fanatical than Windows users. Those who toil in Windows—me, for instance—care about their OS to a certain degree, but hardly feel the need to jump to its defense or come up with ridiculous conspiracy theories to explain why, say, Bob bombed or Windows Me stank."

When Microsoft released Windows 95 three years and some months later, for the first time there was a degree of parity between the graphical interfaces. I found things to grumble about, but they were minor. Microsoft's less-than-stellar OS security took a while to become apparent. In fact, the problem wasn't epidemic until a few years after the Internet took off. Windows' market domination makes it a target for the virus authoring community. The OS also bears the burden of user wrath because those who depend on Windows so often feel let down. But nothing drives me crazier than Mac true believers shaking their heads and grinning at me every time another Windows virus hits. This past summer was particularly difficult. As Blaster and SoBig wreaked havoc across the Internet and with millions of Windows PCs, Mac users would tell me with mock sympathy, "This wouldn't happen if we all ran Macs".

We don't, of course, and again, that's the point. The discovery of this OS X security hole will be like a tree falling in a particularly remote forest. So few people actually use Macs (notwithstanding, of course, what you see in the alternate universe of movies, where everyone appears to use them), that I think it's unlikely this problem will have any long-term effect. Hackers are unlikely to exploit this hole the way they have Windows failings.

If the Macintosh OS ever became dominant, the tables would turn, and there would be just as many reports of viruses, security holes, and attacks on it as we currently have with Windows. As one Macophile I spoke with noted, no one has even bothered to exploit this security flaw. I doubt anyone will. Meanwhile, we can already see what happens when Apple has a broadly popular product that cuts across platforms. The Apple iPod is the number one MP3 player, and now that its companion computer utility, iTunes, is available for both the Mac and the PC, it has become a hack target. In fact, Jon Lech Johansen, the same Norwegian who cracked the DVD security code, recently circumvented the iTunes music protection scheme. An event like that occurring makes sense to me, since iTunes' popularity makes it a target worth hacking—and whatever mystical Mac mojo there may be, it didn't go far in protecting a popular Apple product.…

http://www.pcmag.com/article2/0,4149,1408924,00.asp
Don't Let These Security Gotcha's Get Your Database:
"Securing the database is top of mind at most organizations now more than ever. How not? As it is, Slammer slapped us last winter, Microsoft had yet another SQL Server Hotfix patch out as of Friday, and Oracle on Friday put out a high-severity security alert warning of Secure Sockets Layer (SSL) vulnerabilities that require immediate attention."

No matter how locked-down-by-default Oracle 10g gets …, no matter how automated SQL Server security patches get, database administrators and security officers are still making mistakes that can easily be avoided.

http://www.eweek.com/print_article/0,3048,a=114260,00.asp
Secunia - Advisories - Internet Explorer URL Spoofing Vulnerability:
"A vulnerability has been identified in Internet Explorer, which can be exploited by malicious people to display a fake URL in the address and status bars.

The vulnerability is caused due to an input validation error, which can be exploited by including the '%01' and '%00' URL encoded representations after the username and right before the '@' character in a URL.

Successful exploitation allows a malicious person to display an arbitrary FQDN (Fully Qualified Domain Name) in the address and status bars, which is different from the actual location of the page. "

This can be exploited to trick users into divulging sensitive information or download and execute malware on their systems, because they trust the faked domain in the two bars.

Example displaying only "http://www.trusted_site.com" in the two bars when the real domain is "malicious_site.com":
http://www.trusted_site.com%01%00@malicious_site.com/malicious.html

A test is available at:
http://www.secunia.com/internet_explorer_address_bar_spoofing_test/

The vulnerability has been confirmed in version 6.0. However, prior versions may also be affected.…
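A defender can apply the parsing rule from the eWeek item above (everything left of '@' is user-info; the real host is to its right) mechanically, to flag such links at a mail gateway or in proxy logs. The following is an added Python example, not from Secunia or eWeek; it reports the host a browser actually connects to and why the link is deceptive, using the two sample links quoted on this page (the 64.225.264.128 address is invalid by design, as the eWeek author notes) plus one clean link.

```python
"""Flag the '@' user-info and %00/%01 address-bar tricks described above.

Added example, not from eWeek or Secunia: a defender-side check that reports
the host a browser will really connect to and why a link is deceptive. The
sample links are the ones quoted on this page plus one clean link.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import unquote, urlsplit


@dataclass
class UrlVerdict:
    real_host: str            # the host a browser resolves and connects to
    userinfo: str             # decoded text before '@', what a victim reads first
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


_IPV4_SHAPE = re.compile(r"\d+(\.\d+){3}")


def inspect_url(url: str) -> UrlVerdict:
    """Parse `url` the way the URI standard (and a browser) does and list the
    reasons a reader might be misled about where it goes."""
    parts = urlsplit(url.strip())
    real_host = parts.hostname or ""
    userinfo_raw, at, _ = parts.netloc.rpartition("@")
    userinfo = unquote(userinfo_raw) if at else ""
    findings: List[str] = []

    if parts.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {parts.scheme!r}")

    if at:
        # The URI standard allows user-info, but on the web it is nearly always a lure.
        shown = userinfo.split(":")[0]
        findings.append(f"user-info before '@': browser goes to {real_host!r}, not {shown!r}")
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in userinfo):
            findings.append("control characters (%00/%01 style) in user-info: address-bar truncation trick")
        if "." in shown:
            findings.append("user-info is shaped like a domain name")

    if _IPV4_SHAPE.fullmatch(real_host):
        try:
            ipaddress.ip_address(real_host)
            findings.append("destination is a bare IPv4 address rather than a host name")
        except ValueError:
            findings.append(f"destination {real_host!r} is not even a valid IPv4 address")

    return UrlVerdict(real_host=real_host, userinfo=userinfo, findings=findings)


# The first two links are quoted on this page; the third is a clean control.
SAMPLE_LINKS = [
    "http://www.paypal.com@64.225.264.128/accounts/validate.htm",
    "http://www.trusted_site.com%01%00@malicious_site.com/malicious.html",
    "https://www.paypal.com/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = inspect_url(link)
        print(link, "->", verdict.real_host, "| suspicious" if verdict.suspicious else "| ok")
        for reason in verdict.findings:
            print("   -", reason)
```

The check decodes the user-info before looking for control characters, because the lure arrives percent-encoded and only the browser's decoding step produces the bytes that truncate the address bar.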

http://www.secunia.com/advisories/10395
On 'Seamless Computing' and Other Microspeak:
"You can tell a lot about a company by the phrases it coins. And Microsoft continues to mint some telltale ones.

More than a few Microsoft-spawned terms have made their way into the wider tech lexicon. Think 'dogfooding,' 'show stopper,' 'three-finger salute,' etc.

(Hats off to the MicroNews crew, the folks who produce Microsoft's internal company newsletter, for keeping tabs on the latest lingo from Redmond, documenting everything from 'blibbets' to 'Lake Bill.')"

Check a Partial Guide to Microspeak (from MicroNews)

But Microspeak is always morphing. Just this past week, we heard Chairman Bill Gates toss around his seeming new favorite: "Seamless Computing." Gates used the term in both his Comdex keynote and subsequent press interviews, ad nauseam.

Microsoft execs first began talking about seamless computing (no "TM," but Microsoft is using initial caps when referring to the term) back in 2001, when the company rolled out Windows XP.

Microsoft seems to be equating Seamless Computing with interoperability. But Redmond's kind of Seamless Computing isn't focused on interoperability among heterogeneous systems and software from different vendors (which is what most folks mean when they talk interoperability). Instead, Seamless Computing, according to Microsoft, is all about interconnecting Windows-based systems, from the Auto PC, to the Media Center PC, to the data-center hub.…

http://www.gisuser.co.nz/pdfs/MicroSpeak.pdf

http://www.microsoft-watch.com/article2/0,4248,1394053,00.asp

Wednesday, December 10, 2003

The Search Engine Report - Number 85:
"In This Issue

+ Search Engine Watch News

+ SES Comes To Chicago Next Week

+ Search Engine Articles By Danny Sullivan

+ SearchDay Articles

+ Search Engine Articles

+ Search Engine Resources"

http://searchenginewatch.com/sereport/print.php/34721_3115471
News: Developers take Linux attacks to heart:
"During the last four months, unknown intruders have breached the security around servers hosting programs and code published by the Linux kernel development team, the Debian Project, the Gentoo Linux Project and the GNU Project, which manages the development of many important programs used by Linux and other Unix-like systems. The attacks have convinced open-source project leaders to take another look at their security. "

"It is a definite eyebrow raiser that there has been this targeting of open-source servers and core open-source development servers," said Corey Shields, a member of the infrastructure team that oversees the distribution system for Gentoo Linux's code. "The worry is that if someone wanted to be malicious, they could change core software and users could be using corrupted packages."

Although the open-source model has led to immense progress in developing a competing operating system to Microsoft's Windows--long a target of hackers--it now seems to be a magnet for attackers itself. In a sort of backhanded compliment, attackers are aiming at the Linux OS and other open-source applications because of the software's popularity. Even developers who believe they've adequately secured their development systems are looking at the trend with some trepidation.

"It is one of those things where you have to hope you are not next and try to be one step ahead of the bad guys," said Jeremy Allison, co-founder and developer of the Samba Project, the programming effort for the popular open-source file server that seamlessly fits into Windows networks.

On Dec. 1, an attack on Gentoo Linux compromised one of 105 volunteer-run servers that make copies of Gentoo's source code available to users. The attack, however, didn't threaten the main source-code database. Moreover, security software on the targeted server detected the attack quickly and kept a detailed record of it.

The incident followed a November attack on the Linux kernel, which similarly happened because another system--this time a developer's--had been breached and used as a stepping-stone. The attacker used the developer's machine to submit code to a secondary server, code that could have been used by a later attacker to gain access to any systems that installed it. That attack also was detected within 24 hours.

Other incidents in the rash of attacks have been more serious.

Intruders gained access to the GNU Project's development system, Savannah, and in a separate incident, to four Debian Project servers used to manage development and community efforts for that Linux distribution.

Both attacks were similarly executed: An attacker managed to garner a legitimate user's log-in name and password and then used a recently discovered vulnerability in the Linux kernel to gain the rights and privileges of the system's owners. Both Debian and GNU Project leaders continue to keep the systems offline--and inaccessible to developers--until they can ensure they're secure.

The GNU Project said the latest attack, and another one that compromised the project's file transfer servers last March, had prompted its leadership to make changes.…

http://zdnet.com.com/2100-1105_2-5117271.html
EasyRGB - Color harmonies, complements and themes.:
"Search for color complements to your RGB values.

Create color harmonies, combinations and themes.

From your main (or background) color select trim and accents tones."

http://www.easyrgb.com/harmonies.php

Tuesday, December 09, 2003

CSS Design: Creating Custom Corners & Borders: A List Apart:

We’ve all heard the rap:

“Sites designed with CSS tend to be boxy and hard-edged. Where are the rounded corners?”

Answer: the rounded corners are right here. In this article, we’ll show how customized borders and corners can be applied to fully fluid and flexible layouts with dynamic content, using sound and semantically logical markup.

http://www.alistapart.com/articles/customcorners/
News: U.N. confab to see tussle over Net control:
"Leaders from nearly 200 countries will convene in Geneva for the World Summit on the Information Society (WSIS) on Dec. 10-12, an inaugural conference with lofty goals to discuss bridging the digital divide and fostering press freedoms.

But a contentious political move to grant an international governing body such as the U.N.'s International Telecommunication Union (ITU) control over Internet governance issues--from distributing Web site domains to the public to fighting spam--has all but obscured the more virtuous aspects of the event. "

…the Internet has become a thriving global marketplace since being fully turned over to the private business community in the early 1990s.

But many in the developing world believe a new approach is needed as the medium enters its teen years, one that will see poorer countries harness new technologies to improve their competitive stance.

The most recognizable Internet governance body is a California-based nonprofit company, the International Corporation for Assigned Names and Numbers (ICANN). Under the new plan, it has the most to lose. Incorporated in 1998, ICANN oversees management of the Internet's crucial addressing system which matches numerical addresses to familiar Web site addresses such as www.google.com.

While ICANN's oversight has been confined to the decidedly technical matters behind doling out domain names and establishing a system for resolving domain name disputes, the group has been criticized roundly for adopting a probusiness approach that neglects the developing world.

The ITU, a 138-year-old trade body that among other things established country code rules for international telephone dialing, has been put forth by the developing world as the governing body that will best address its needs.…

So far, a change in leadership has been bogged down by fractious discussion with a definitive resolution not expected until 2005 when the second WSIS summit is held in Tunisia.

But many believe the new guard has already arrived.…

http://zdnet.com.com/2100-1104_2-5113744.html?tag=adnews
Fighting Phishing:
"Phishing, e-mail and Web-based efforts by online scammers to hijack personal information from unsuspecting users, faces a new obstacle. A group of global banks and technology companies have joined forces to fight the scams. The group is running a Web site, Anti-Phishing.Org (www.antiphishing.org), where those who have received phishing messages can report them, and personnel will follow up by trying to track down the originators of the scams."

http://www.pcmag.com/article2/0,4149,1407031,00.asp
Could The Bad Guys Win on Spam?: http://eletters.eweek.com/zd1/cts?d=79-356-2-3-13145-42538-1
"Spam and mail-based attacks are coming to dominate Internet e-mail. Nothing seems able to stop them, and some days it's rare to find real mail among the spam. Could it come to the point that it's not worth dealing with e-mail's problems?"

On some days, life in the security business is more depressing than on others. My recent reading about Mimail.L, the latest in a long line of sociopathic worms, tipped me into the blues.

Mimail.L is particularly vile. Here are some of the actions it takes:

  • It arrives as a pornographic e-mail with an attached ZIP file purporting to contain dirty pictures. That file contains a file with a .jpg.exe extension, so if someone runs it to see the picture they actually infect themselves. As always, this subterfuge works far more often than I'd like to think, but so far it's just a run of the mill worm.

  • It scours the hard disk for e-mail addresses and stores them in a file named xu298da.tmp in the Windows folder. It then mails itself out with the same porno message to these addresses.

  • If there's a problem sending that mail, it instead tries to send a different message without the attachment. This fallback message says that the recipient's credit card has been charged for a purchase of child pornography. It directs the reader, if they want to cancel, to contact security@europe.spamhaus.org.

  • The message also lists more than a half a dozen sites as places you can get more kiddy porn, including Disney.go.com, Spamcop.net and Spews.org, and attempts to perform a denial of service attack on these sites.

So, not only is this a particularly offensive worm, but it specifically attacks anti-spam sites! Do the authors of the worm have a particular problem with these groups? Perhaps, or maybe it's just more anti-social behavior. They also attack Register.com, but I doubt they're opposed to domain name registration on principle.

After reading about this I'm tempted to agree with a poster on a Slashdot thread on Mimail.L: "They won't stop 'til they've destroyed e-mail." We keep hearing about the ever-increasing percentage of Internet e-mail that is composed of spam. The latest consensus I hear is "over 50 percent," but you can bet your last "F_R_E_E whatever" that the number will continue to climb.…

http://www.eweek.com/article2/0,4149,1403354,00.asp?kc=EWNWS120903DTX1K0000599
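As an added, defender-side illustration (not from the eWeek piece or its author): a small Python triage routine that flags the double-extension trick Mimail.L relies on, an archive member such as picture.jpg.exe, which Windows shows as "picture.jpg" when known extensions are hidden. The extension lists and the sample archive are constructed for this example.

```python
import io
import zipfile
from typing import Dict, List, Optional, Tuple

# Extensions Windows executes on double-click regardless of what precedes them
# in the name (assumed list for this example; extend for your environment).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Innocuous-looking extensions a lure tends to put in front of the real one.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf"}


def classify_member(name: str) -> Optional[str]:
    """Return a reason string if a ZIP member name looks like a disguised
    executable (the Mimail.L 'dirty picture' .jpg.exe trick), else None."""
    base = name.rsplit("/", 1)[-1].lower()   # strip any directory prefix
    parts = base.split(".")
    if len(parts) < 2:
        return None                           # no extension at all
    final = "." + parts[-1]
    if final not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
        decoy = "." + parts[-2]
        return f"double extension {decoy}{final} disguises an executable"
    return f"executable attachment ({final})"


def triage_zip_attachment(data: bytes) -> List[Tuple[str, str]]:
    """Scan raw ZIP bytes (an e-mail attachment) without extracting anything;
    return (member_name, reason) for every member worth quarantining."""
    findings: List[Tuple[str, str]] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                reason = classify_member(info.filename)
                if reason:
                    findings.append((info.filename, reason))
    except zipfile.BadZipFile:
        # A corrupt or non-ZIP "archive" is itself a reason to hold the mail.
        findings.append(("<archive>", "not a valid ZIP file"))
    return findings


def build_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Constructed test archive; payloads are inert placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip({
        "photo.jpg.exe": b"MZ placeholder",   # constructed Mimail.L-style lure
        "readme.txt": b"hello",
        "setup.exe": b"MZ placeholder",
    })
    for member, why in triage_zip_attachment(sample):
        print(f"{member}: {why}")
```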
News: Worm hits Windows-based ATMs:
"An unknown number of ATMs running Windows XP Embedded were shut down during the spread of the so-called Nachi worm, said executives at Diebold, which made the ATMs and refused to name the customers affected.

The Nachi worm, also dubbed 'Welchia,' was written to clean up after the MSBlast, or Blaster, worm. Instead it crippled or congested networks around the world, including the check-in system at Air Canada. Both worms spread through a hole in Windows XP, 2000, NT and Server 2003. "

"It's a harbinger of things to come," said Bruce Schneier, chief technical officer of network monitoring company Counterpane Internet Security.

"Specific-purpose machines, like microwave ovens and until now ATM machines, never got viruses," said Schneier, author of "Beyond Fear: Thinking Sensibly About Security in an Uncertain World." "Now that they are using a general purpose operating system, Diebold should expect a lot more of this in the future," he said.

John Pescatore, an analyst at Gartner, agreed.

"It's a horrendous security mistake," he said of specific-purpose machines like ATMs running Windows, which is written for general-purpose computers and for which Microsoft releases security fixes on a regular basis. "I'm a lot more worried about my money than I was before this."

Diebold switched from using IBM's OS/2 on its ATMs because banks were requesting Windows, said Steve Grzymkowski, senior product marketing manager at Diebold.

To help prevent future problems Diebold is shipping ATMs with firewall software designed to block out viruses and other attacks, he said.

"As far as it happening again, I wouldn't want to speculate on that," Grzymkowski said.

Schneier and Pescatore said they were worried about the security of other Windows-based Diebold appliances--voting machines, which run Windows CE.…

http://zdnet.com.com/2100-1105_2-5117285.html
Welcome to TechBuilder.org:
"Secure wireless networking can be a reality, but only if you employ some very straightforward techniques."

http://www.techbuilder.org./article.htm?ArticleID=46364

Monday, December 08, 2003

Op-Ed Contributor: A Million Miles From the Green Zone to the Front Lines:
"The other day I told General Petraeus about a young specialist fourth class I had met while waiting for a military flight out of Baghdad. The specialist was a college student from Iowa whose National Guard unit had been called up for the war. He had told me about a prolonged firefight that took place the week before, outside Camp Anaconda on the outskirts of the city of Balad, 40 miles from Baghdad.

'We began taking small arms fire about 8 a.m., from Abu Shakur, the village just north of the base camp's gate,' the specialist told me. 'Our guys responded with small arms and then mortars. Someone on patrol outside the wire got wounded, and they sent Bradley Fighting Vehicles out, and they hit the Bradleys pretty hard, and by 10 a.m., they were firing 155-millimeter howitzers, and attack helicopters were firing missiles into the village, and you could see tracers and smoke everywhere.

'I had just gotten off a night shift, and I was sitting outside my tent about 100 meters from the gate in my pajamas reading a book. Right near me, guys were doing laundry and standing in line for chow. I was sitting there thinking: `Have we had wars like this before? Shouldn't we drop everything and help? I mean, we were spectators! What kind of war is this, sir?' '"

General Petraeus, who graduated from West Point in 1974, just in time to witness the ignominious end to the war in Vietnam, didn't say anything. But slowly, and it seemed, unconsciously, his head began to nod, and his mind seemed far, far away. It seemed clear he knew the answer: yes, specialist, we have had wars like this before.

Commanding generals have had lavishly appointed offices before, as well. My grandfather, Gen. Lucian K. Truscott Jr., occupied the Borghese Palace when his VI Corps swept into Rome in 1943. His aide kept a record of the meals prepared for him by his three Chinese cooks, while every day dozens — and on some days, hundreds — of his soldiers perished on the front lines at Anzio, only a few miles away from his villa on the beach.

So there may be nothing new about this war and the way we are fighting it — with troops on day and night patrols from base camps being hit by a nameless, faceless enemy they cannot see and whose language they do not speak. However, the disconnect between the marbled hallways of the Coalition Provisional Authority palaces in Baghdad and the grubby camp in central Mosul where I spent last week as a guest of Bravo Company, First Battalion, 502nd Infantry Regiment, is profound, and perhaps unprecedented.

A colonel in Baghdad (who will go nameless here for obvious reasons) told me just after I arrived that senior Army officers feel every order they receive is delivered with next November's election in mind, so there is little doubt at and near the top about who is really being used for what over here. The resentment in the ranks toward the civilian leadership in Baghdad and back in Washington is palpable. Another officer described the two camps, military and civilian, inhabiting the heavily fortified, gold-leafed presidential palace inside the so-called Green Zone in Baghdad, as "a divorced couple who won't leave the house."

Meanwhile in Mosul, the troops of Bravo Company bunker down amid smells of diesel fuel and burning trash and rotting vegetables and dishwater and human waste from open sewers running though the maze of stone and mud alleyways in the Old City across the street. Bravo Company's area of operations would be an assault on the senses even without the nightly rattle of AK-47 fire in the nearby streets, and the two rocket-propelled grenade rounds fired at the soldiers a couple of weeks ago.

It is difficult enough for the 120 or so men of Bravo Company to patrol their overcrowded sector of this city of maybe two million people and keep its streets safe and free of crime. But from the first day they arrived in Mosul, Bravo Company and the rest of the 101st Airborne Division were saddled with dozens of other missions, all of them distinctly nonmilitary, and most of them made necessary by the failure of civilian leaders in Washington and Baghdad to prepare for the occupation of Iraq.

The 101st entered Mosul on April 22 to find the city's businesses, civil ministries and utilities looted and its people rioting in the streets. By May 5, the soldiers had supervised elections for mayor and city council. On May 11, they oversaw the signing of harvest accords and the division of wheat profits among the region's frequently warring factions of Arabs, Kurds, Turkmen and Assyrians. On May 14, a company commander of Alpha Company, Third Battalion, 187th Infantry Regiment of the 101st re-opened the Syrian border for trade, and by May 18, soldiers had largely restored the flow of automobile gas and cooking propane, shortages of which had been causing riots.

Since that time, soldiers from the 101st have overseen tens of millions of dollars worth of reconstruction projects: drilling wells for villages that had never had their own water supply; rebuilding playgrounds and schools; repairing outdated and broken electrical systems; installing satellite equipment needed to get the regional phone system up and running; restoring the city's water works; repairing sewers and in some cases installing sewage systems in neighborhoods that had never had them; policing, cleaning and reorganizing the ancient marketplace in the Old City; setting up a de facto social security system to provide "retirement" pay to the 110,000 former Iraqi soldiers in the area; screening and, in most cases, putting back to work most of the former Baath Party members who fled their jobs at the beginning of the war.

So many civil projects were reported on at a recent battle update briefing I attended that staff officers sometimes sounded more like board members of a multinational corporation than the combat-hardened infantry soldiers they are.…The Coalition Provisional Authority nominally has the job of "rebuilding" Iraq — using $20 billion or so of the $78 billion that recently flew out of America's deficit-plagued coffers. But during the time the 101st has been in Mosul, three regional coalition authority directors have come and gone. Only recently, long after the people of Mosul elected their mayor and city council, was a civilian American governance official sent to the area. And, according to the division leadership, not a nickel of the $20 billion controlled by the provisional authority has reached them.

"First they want a planning contractor to come in here, and even that step takes weeks to get approved," one officer in Mosul complained of the civilian leadership. "The planners were up here for months doing assessments, and then more weeks go by because everything has to be approved by Baghdad. If we sat around waiting for the C.P.A. and its civilian contractors to do it, we still wouldn't have electricity and running water in Mosul, so we just took our own funds and our engineers and infantry muscle and did it ourselves. We didn't have the option of waiting on the guys in the Green Zone."

But the guys in the Green Zone seem to have plenty of time on their hands. The place is something to behold, surrounded on one side by the heavily patrolled Tigris River, and on the three others by a 15-foot-high concrete wall backed by several rows of concertina razor wire and a maze of lesser concrete barriers. There's only one way in and out, through a heavily fortified checkpoint near the Jumhiriya Bridge guarded by tanks and Bradley Fighting Vehicles from the First Armored Division and an invisible array of British commando teams. More tanks guard key intersections inside the walls, machine gun towers line the wide boulevards, snipers man firing positions atop palaces great and small.

In all, hundreds of uniformed soldiers and heavily armed civilian security guards stand watch all day, every day over a display of grim garishness that would have given Liberace nightmares. If you're curious about how your tax dollars are being spent in Baghdad, you should get one of the many colonels strolling about the Green Zone to take you on a tour of the rebuilt duck pond across the road from the marble and gold-leafed palace serving as headquarters of an Army brigade. As I went to sleep one night a couple of weeks ago in the Green Zone, listening to the gurgle of the duck pond fountain and the comforting roar of Black Hawk helicopters patrolling overhead, it occurred to me that it was the safest night I've spent in about 25 years.

Which was a blessing for me, but a curse on the war effort. The super-defended Green Zone is the biggest, most secure American base camp in Iraq, but there is little connection between the troops in the field and the bottomless pit of planners and deciders who live inside the palace. Soldiers from the 101st tell me that they waited months for the Bechtel Corporation to unleash its corporate might in northern Iraq. "Then one of the Bechtel truck convoys got ambushed on the way up here three weeks ago, and one of the security guys got wounded," an infantryman told me. "They abandoned their trucks on the spot and pulled out, and we haven't seen them since."

"It's really not helpful when people down in Baghdad and politicians back in Washington refer to the `disorganized and ineffective' enemy we supposedly face," said one young officer, as we walked out of a battalion battle briefing that had been concerned largely with the tactics of an enemy force that is clearly well organized and very, very effective. After spending more than a week with the soldiers of Bravo Company, I know that they resent not only the inaccuracy of such statements, but the implication that soldiers facing a disorganized and ineffective enemy have an easy job.

No matter what you call this stage of the conflict in Iraq — the soldiers call it a guerrilla war while politicians back home often refer to it misleadingly and inaccurately as part of the amorphous "war on terror" — it is without a doubt a nasty, deadly war. And the people doing the fighting are soldiers, not the civilian employees of Kellogg, Brown & Root, or the officials of the Coalition Provisional Authority, or the visiting bigwigs from the Defense Department.

The troops in Bravo Company don't pay much attention to the rear-guard political wars being waged back in Washington, but they loved President Bush's quick visit to Baghdad on Thanksgiving. While it was clearly a political stunt, they were quick to credit the risks he took. I can confirm that flying in and out of Baghdad — even at night, when it's safest — is not for the faint of heart. A C-130 on approach takes a nervous, dodgy route, banking this way and that, gaining and losing altitude. Hanging onto one of those web-seats by only a seat belt (no shoulder harnesses), you're nearly upside down half the time — it would feel like the ultimate roller-coaster ride, except it's very much for real.

When Bravo Company troops roll out of the rack at 2 a.m. for street patrols, they walk the broad boulevards and narrow alleyways spread out as if they're walking a jungle trail — wheeling to the rear, sideways, back to the front; their eyes searching doorways, alleys, windows, rooftops, passing cars, even donkey carts — trying to keep one another alive for another day, another week, another month, whatever it takes to get home.

Meanwhile, two soldiers armed with M-4 carbines and fearsome M-249 Saws machine guns stand guard inside concrete and sandbag bunkers atop the Bravo Company camp's roof, while squads of soldiers patrol alleys with no names in Mosul's Old City, and everyone prays.

http://www.nytimes.com/2003/12/07/opinion/07TRUS.html?pagewanted=all&position=
IE 6.0 - QuirksMode - for all your browser quirks:
"QuirksMode.org is the personal and professional site of Peter-Paul Koch, freelance web developer in Amsterdam, the Netherlands. It contains more than 150 pages with CSS and JavaScript tips and tricks, and is one of the best sources on the WWW for studying and defeating browser incompatibilities. It is free of charge and ads, and largely free of copyrights."

This site is quite large. The table of contents mostly leads to other tables of contents.

http://www.quirksmode.org/

Friday, December 05, 2003

Warning: Look Out for the eBay Scam:
"The trick message arrived with a very official looking header featuring eBay's logo. It was signed 'Thank you, Accounts Management.' The text read: 'Dear eBay Member, We at eBay are sorry to inform you that we are having problems with the billing information of your account. We would appreciate it if you would visit our website, eBay Billing Center, and fill out the proper information that we are needing to keep you as an eBay member.' The 'eBay Billing Center' referenced was a link to a Web page asking for a credit card number, a social security number, and more. The message also contained an 'ebay.com' suffix, just as a real message from an eBay employee might."

As is often true in spoof messages and phishing efforts, the trick e-mail contained telltale signs that it did not come from eBay. The subject line of the message read "eBay Member Billing Information Uptade" with the word "update" misspelled. The text string "fill out the proper information that we are needing" also had suspicious syntax.…

http://www.pcmag.com/article2/0,4149,1402431,00.asp