Friday, December 30, 2005

Time Warner loses Missouri muni fiber fight

"Time Warner this week lost an appeal aimed at blocking the city of North Kansas City, Mo., from extending its fiber optic network to residents and local businesses.

A federal judge rejected the argument that, under state law, the city could not offer cable television service without first getting voters' approval, and pointed out that although the city was moving forward with plans to provide high-speed Internet access (to which the state law does not apply), it had no plans to offer cable.

Time Warner's lawsuit was dismissed this spring, and this week's ruling by a three-judge panel in the 8th Circuit upheld that dismissal.

The city broke ground on the construction of the network on Dec. 8 and expects to begin offering services this spring. Extending the fiber optic network that already connects municipal buildings, the city hopes to offer five tiers of broadband service to nearly all of its 2500 homes and 900 businesses. Speeds will range between a 256 kb/s service for $15 per month to a 30 Mb/s service for $160 per month. The standard offering will be a symmetrical 5-Mb/s service for $35 per month."

http://telephonyonline.com/home/news/time_warner_municipal_123005/

Thursday, December 29, 2005

Is the Firefox honeymoon over? | George Ou | ZDNet.com

"Is the Firefox honeymoon over? Posted by George Ou @ 2:13 am

Note:
It's always difficult to know how much of someone else's work to quote, but this is important. I don't think Firefox is any more vulnerable than Explorer, but it's being downloaded by a lot of people who think it's invulnerable. Whatever browser you choose you will have to patch and upgrade. You'll have to be vigilant and informed, because software's not perfect, isn't likely to ever be perfect, and only informed users can exert the pressure to make any software better. Ignorance means someone else controls and owns your computer. You're just the one who paid for it.

Be informed. Don't keep paying in time, anguish or money.
Sermon ends here.
Alfred Ingram


[Updated: 9/16/2005 7:22PM] Now that Firefox has become the first viable contender to Microsoft Internet Explorer in years, its popularity has brought with it some unwanted attention. Last week's premature disclosure of a zero-day Firefox exploit came a few weeks after a zero-day exploit for Internet Explorer appeared on the Internet. Firefox not only has more vulnerabilities per month than Internet Explorer, but it is now surpassing Internet Explorer for the number of exploits available for public download in recent months.
Update: A lot of people have complained that I didn't list the number of actual 'in-the-wild' attacks against the two browser platforms. The problem with this theory is that they either didn't read the entire article or they don't understand what I meant by 'published exploits' in the second chart in this blog. When I say published exploit, I mean a downloadable script or source code that can be used to attack real live browsers in the wild. These are not simple advisories that talk about certain theoretical exploits. Published exploits are basically freebies for professional hackers and script kiddies to use in the wild.… "

Here is a breakdown of recent vulnerabilities:

Month       Firefox 1.x Vulnerabilities   IE 6.x Vulnerabilities
Sept 2005   1                             0
Aug 2005    0                             4
July 2005   10                            1
June 2005   2                             1
May 2005    3                             1
Apr 2005    9                             3
Mar 2005    15                            0
Total       40                            10

Note that this is not a count of the number of advisories because advisories can contain multiple vulnerabilities. This is a count of the actual number of vulnerabilities.

Here is a breakdown of recent published exploits:

Month        Firefox Exploits   IE Exploits
Sept 2005    1                  0
Aug 2005     0                  3
July 2005    4                  1
June 2005    0                  0
May 2005     4                  0
April 2005   2                  2
Total        11                 6

http://blogs.zdnet.com/Ou/?p=103&tag=nl.e550

http://blogs.zdnet.com/Ou/wp-trackback.php?p=1

Friday, December 02, 2005

Podcast for Ransom, as Easy as 1 2 3

Update: Podcast 'Hijacker' Says Business as Usual

December 6, 2005
Things are a bit more complicated than they originally seemed.

In fact, there may be no villain here.

“According to George Lambert, creator of the Podkey redirection service that allegedly hijacked a Podcast and held it for ransom, the alleged victim registered with his service to begin with and the "ransom" simply represents fees that would be required to do the custom coding the Podcaster has demanded.

The alleged victim, Podcaster Erik Marcus, recently found that Apple Computer Inc.'s iTunes and Yahoo Inc. were using a URL and RSS feed that were not his in order to direct traffic to Marcus' Podcast: Vegan.com's "Erik's Diner" show.

Yahoo's Podcast page gives an RSS feed belonging, not to Vegan.com, but to Lambert's Podkeyword.com.

Marcus contacted Lambert to ask that his listing be removed. Lambert did so. This, however, caused Marcus' listenership to crash by some 75 percent, he claimed. Marcus then asked that his listing temporarily be reinstated on Podkeyword while he worked to fix things with Apple Computer Inc.'s iTunes.

Lambert responded that it would be reinstated only if Marcus provided an unspecified payment or agreed permanently to his terms—a description that sounds like hijacking and extortion and that has resulted in Lambert's being harassed around the clock by profane e-mail and phone calls.

However, as Lambert told Ziff Davis Internet News and also explained on a Podcast by David Lawrence, the request for reimbursement was simply to compensate him for the custom coding that Marcus reportedly demanded.

Specifically, Marcus reportedly requested that Lambert allow individuals to find his feed via keyword but not to allow OPML directories to have the feed any longer.

"He wanted me to make sure no other directory services got the information from me, but I can't tell who are directory services, because we're not submitting anything," Lambert said. "People are coming to look at our list. I have a choice: I remove it from anywhere or I [don't] remove it. You can't restrict who comes to look at your Podcast. So his request wasn't technically practical.

"If you want me to come up with a solution, I can try, but that's consulting," he told Ziff Davis Internet News. "That doesn't fall within the bounds of a free service—one that's there to make people's lives better. Is that extortion?"

"I met his [original] request immediately and without reservation," Lambert said. "I said I'd reinstate it for free if he met my terms. If you're asking me to do something custom, you have to pay me to do [it]. That's not unreasonable, and that's not extortion."

While Marcus is seeking legal redress for what he refers to as a new form of Internet extortion, Podcasters happy with the redirection service provided by Podkey aren't hesitating to come to its defense.

One such comment demonstrates the possibility of a user having registered with Podkey and then forgotten about it: "From my own experience, I have to say, my dealings with George have always been on the up and up," Podcaster Kevin Devin wrote on Lambert's blog.

"I too had created a Podkeyword for my Podcast WAY back in late 2004. Interestingly, I had actually forgotten about Podkey until iTunes hit with their Podcast directory, which ended up including two different listings for my feed. The Podkey one, and my actual."

As it is, Lambert runs the service free of charge, on funds that flow out of his own pocket. "I went and did something, I was volunteering," he said. "They took my free service and now they called it extortion, hijacking. And to be threatened to be sued, and harassed … why would I ever want to do something for people on the Internet again?"

Beyond the profane response to Lambert's alleged wrongs, calmer minds are pointing out that the heart of the problem is this: Once the wrong RSS feed gets into a directory, it's extremely difficult to find out and to fix it.

"I have that problem with one Podcast where some of the listings point to a staging server and not the real server," wrote Dan Bricklin, well-known blogger and the developer of VisiCalc.

"I think in the early days someone subscribed to the staging server while I tested out the Podcast series and some list picked that up and other lists copy from each other.

"This is a big problem. It's not like Google where things are somewhat self-correcting as people point to the one the owner points to," Bricklin wrote. "Once this points wrong it just perpetuates itself and you can't fix it. In this case, the RSS feed owner [Podcaster] got into a bad situation."

http://www.eweek.com/article2/0,1895,1896434,00.asp

“The manner in which the purported hijacking occurred exemplifies the fact that RSS feeds are far more vulnerable to squatters than Web site domains. The method doesn't require stolen passwords or other overtly illegal methods.

Rather, it merely involves finding a target Podcast and creating a unique URL for it on a Web site that the hijacker can control. The hijacker then points his URL to the RSS feed of the target Podcast.

Next, the hijacker does whatever it takes to ensure that, as new Podcast engines come to market, the page each engine creates for the target Podcast points to the hijacker's URL instead of to the Podcast creator's official URL. ”

Podcast Hijacked, Held for Ransom from eWEEK
By Lisa Vaas

“In an assault reminiscent of the early days of the Internet, Podcaster Erik Marcus recently found that his RSS feed had been inexplicably redirected.

According to Marcus, rather than fully cooperate to address the situation, the cyber-squatter is demanding payment or permanent agreement to terms, and Marcus is seeking legal redress for this new form of Internet extortion.

Marcus publishes Vegan.com and the "Erik's Diner" Podcasts.

Over the course of the past year, Marcus has built his listenership from 100 people per show up to some 1,500. Over the past few weeks, he noticed that Yahoo Inc. had created an entry for his show on its beta site, Podcasts.yahoo.com.

The page had an RSS feed belonging not to Vegan.com, however, but to a site named Podkeyword.com.…

Marcus e-mailed Podkeyword directly in order to "nip this problem in the bud rather than let it grow," he said in his letter to his lawyer, Colette Vogele.

Podkeyword honored his request, Marcus said, after which his listener numbers abruptly collapsed. Marcus came to find that Apple Computer Inc.'s iTunes service, which shields RSS information from its users, had also picked up the Podkeyword URL.

"This has cost me more than 1,000 listeners per show," Marcus wrote in the letter.…

The manner in which the purported hijacking occurred exemplifies the fact that RSS feeds are far more vulnerable to squatters than Web site domains. The method doesn't require stolen passwords or other overtly illegal methods.

Rather, it merely involves finding a target Podcast and creating a unique URL for it on a Web site that the hijacker can control. The hijacker then points his URL to the RSS feed of the target Podcast.

Next, the hijacker does whatever it takes to ensure that, as new Podcast engines come to market, the page each engine creates for the target Podcast points to the hijacker's URL instead of to the Podcast creator's official URL.

Vogele, a non-residential fellow at Stanford University's Center for Internet and Society and head of the firm Vogele & Associates, told Ziff Davis Internet News that she is mulling over a number of approaches to determine which laws might pertain in the case, including claims of unfair competition, trademark infringement/dilution, computer fraud and abuse, trespass, right of publicity and misappropriation.…

Marcus suggested that Podcasters can protect themselves from hijacking by checking to make sure that all Podcast directories and search engines list RSS feeds that point to their official URLs/RSS feeds.

Also, if Podcasters learn of a hijacking, they can write to the hijacker and demand that they cease and desist. Hijacked Podcasters should also write to the Podcast directories and search engines to point out the misconduct.

Those who posted responses to Vogele's Weblog entry on the matter suggested other defensive strategies. One is to rename Podcast audio files on occasion and point to the new names in the legitimate RSS feed, thus causing the malicious site's RSS feed to stop working and hence to cease gaining popularity.

Another tactic is to look at the referrer's tags for Podcast downloads in a Podcaster's Web server logs. Names of malicious sites that point to a Podcast will come up in the logs, and a large number of off-site listener referrals should raise flags.

Another tactic proposed on Vogele's blog is to mention the site and feed URL in each Podcast. Those who take the time to notice what URL they're using may notice that the URL is in fact not the official one. ”
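Two of the defensive tactics above can be automated. The script below is an added example written for this post, not code from eWEEK or from anyone quoted in it: it compares the feed URL that each directory lists against the podcaster's official host (the check Marcus suggests), and it tallies referrers for media downloads in an Apache combined-format access log so that a large share of off-site referrals stands out (the log-review tactic from Vogele's blog). The feed URLs, hostnames and log lines are constructed for the example; the 50 percent threshold is an arbitrary assumption.

```python
"""Added example: directory feed check and referrer tally for podcast downloads.
All hostnames, feed URLs and log lines below are constructed, not real data."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed: the podcaster's official feed and the hosts considered "ours".
OFFICIAL_FEED = "http://www.example-podcast.test/feed.xml"
OFFICIAL_HOSTS = {"www.example-podcast.test", "example-podcast.test"}

# Constructed: what several directories report as the feed URL for the show.
DIRECTORY_LISTINGS = {
    "directory-a": "http://www.example-podcast.test/feed.xml",
    "directory-b": "http://redirector.example.test/keyword/erik",  # not ours
    "directory-c": "HTTP://EXAMPLE-PODCAST.TEST/feed.xml",         # ours, odd casing
}

# Constructed Apache combined-format log lines (hypothetical addresses and paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Dec/2005:10:00:01 -0500] "GET /audio/show42.mp3 HTTP/1.1" 200 1048576 "-" "iTunes/6.0"',
    '203.0.113.6 - - [01/Dec/2005:10:00:07 -0500] "GET /audio/show42.mp3 HTTP/1.1" 200 1048576 "http://www.example-podcast.test/feed.xml" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Dec/2005:10:01:12 -0500] "GET /audio/show42.mp3 HTTP/1.1" 200 1048576 "http://redirector.example.test/keyword/erik" "Mozilla/5.0"',
    '203.0.113.8 - - [01/Dec/2005:10:02:33 -0500] "GET /audio/show42.mp3 HTTP/1.1" 200 1048576 "http://redirector.example.test/keyword/erik" "iTunes/6.0"',
    '203.0.113.9 - - [01/Dec/2005:10:03:45 -0500] "GET /audio/show42.mp3 HTTP/1.1" 206 524288 "http://redirector.example.test/keyword/erik" "iTunes/6.0"',
    '203.0.113.10 - - [01/Dec/2005:10:04:00 -0500] "GET /index.html HTTP/1.1" 200 2048 "http://redirector.example.test/" "Mozilla/5.0"',
]

# Apache/NCSA combined log format: request and referrer are the quoted fields.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)
MEDIA_EXT = (".mp3", ".m4a", ".ogg")
DOWNLOAD_STATUSES = {"200", "206"}  # full and range (partial) downloads


def canonical_host(url: str) -> str:
    """Lower-cased hostname of a URL, without scheme or port, for comparison."""
    return (urlparse(url).hostname or "").lower()


def foreign_listings(listings, official_hosts=OFFICIAL_HOSTS):
    """Return {directory: feed_url} for every listing whose feed host is not official."""
    return {name: url for name, url in listings.items()
            if canonical_host(url) not in official_hosts}


def referrer_tally(log_lines, official_hosts=OFFICIAL_HOSTS):
    """Count referrer hosts for media downloads.

    Returns (onsite, offsite) Counters. Requests with no referrer are counted
    under the key 'direct' in the onsite Counter, since most podcast clients
    fetch media without sending a referrer."""
    onsite, offsite = Counter(), Counter()
    for line in log_lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than guess
        parts = m["request"].split()
        if len(parts) < 2 or m["status"] not in DOWNLOAD_STATUSES:
            continue
        if not parts[1].lower().endswith(MEDIA_EXT):
            continue  # only media downloads matter for this check
        ref = m["referrer"]
        if ref == "-":
            onsite["direct"] += 1
            continue
        host = canonical_host(ref)
        (onsite if host in official_hosts else offsite)[host] += 1
    return onsite, offsite


def suspicious_referrers(log_lines, threshold=0.5):
    """Return off-site referrer hosts (with counts) when they account for more
    than `threshold` of all media downloads; an empty dict otherwise."""
    onsite, offsite = referrer_tally(log_lines)
    total = sum(onsite.values()) + sum(offsite.values())
    if total and sum(offsite.values()) / total > threshold:
        return dict(offsite.most_common())
    return {}


if __name__ == "__main__":
    print("Listings not pointing at the official host:", foreign_listings(DIRECTORY_LISTINGS))
    print("Off-site referrers above threshold:", suspicious_referrers(SAMPLE_LOG))
```

Note that a redirector that proxies the feed rather than linking to it will not appear as a referrer at all; the directory-listing comparison is the check that catches that case, which is why the two are shown together.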

http://www.eweek.com/article2/0,1895,1894827,00.asp

Tuesday, November 29, 2005

1 Million Digitized Images Now Available Online from The Library of Congress

“Long before The Library of Congress (LC) made the announcement last week about planning a World Digital Library (WDL), they've been digitizing material of all types for many years along with cataloging books (as you might expect) and offering MANY other services.


One searchable digitized collection from LC that you should know about is a catalog of imagery from the Library of Congress Prints & Photographs Division. As of today, 1 million digitized images are now available via the catalog. Access to the catalog is free.

It's possible to search the entire collection or individual collections one at a time. It's also possible to browse some of the collections. Finally, most of the images have been given subject access using the Thesaurus for Graphic Materials that now includes hyperlinked subjects for many images. I've also blogged about this thesaurus in the past. For the latest on what's happening at the Prints & Photographs Division, check out this 'What's New' page.”

From the SearchEngineWatch blog Posted by Gary Price

http://blog.searchenginewatch.com/blog/051128-205524

Monday, November 21, 2005

Google Base Raises Features Bar Well Above Craigslist

from Poynter Online - E-Media Tidbits:
Posted by Steve Outing on Thursday, November 17, 2005 at 3:19:11 PM

“Google Base obviously is a BIG deal. (See Peter M. Zollman's blog item here yesterday for the basics.) There's no shortage of coverage, analysis, and opinion about it on news sites and on blogs.

Base is many things, it seems, not just a new (and, to newspapers, threatening) classifieds player. A number of observers have called its classifieds function 'Craigslist on steroids.' ”

http://www.poynter.org/column.asp?id=31&aid=92357

Sunday, October 30, 2005

Common Sense for a Change

Rafe Needleman's c|net article Works for Me: Killing the killer app - CNET reviews provides an often missing balance to the hype about the web being all we need.

As rich and useful as Web 2.0 apps are, today we still need both local and remote applications on a daily basis.

Reports of Microsoft's End are Greatly Exaggerated, Way Premature, and Wishful Thinking

This article: Microsoft's 'big bang' could be its last - page 2 | Tech News on ZDNet is long on schadenfreude and short on reality.

Something like this comes out every time Microsoft announces a ship date (and they should be called slipped dates) for a new product or service. It ignores the one important fact, which is that Microsoft's biggest competitive problem is other Microsoft products.

Isn't it funny how those new capabilities eventually become a competitive necessity? They aren't the Borg, but resistance is futile, we will be upgraded.

Sunday, September 25, 2005

Office 12 makeover takes on 'feature creep' | Tech News on ZDNet

“For years, Microsoft has been trying to add features to Office without them getting in the way of people who already know their way around the software.

Unfortunately, the company was a little too successful at making its innovations unobtrusive. In user testing, Microsoft found that nine out of every 10 features that customers wanted to see added to Office were already in the program.

'They simply don't know it's there,' Chris Capossela, a Microsoft vice president, told a developer crowd last week. 'It's just too hard to find it.'

Indeed, Office has become a case study for feature creep--the phenomenon in which a simple technology becomes complicated and unmanageable through the addition of new features. Office, which once had 100 commands neatly organized into menus, ballooned to contain some 1,500 commands located in scores of menus, toolbars and dialog boxes.

Having sensed that the software has reached the limits of functionality, Microsoft has been preparing its most radical overhaul ever for Word, Excel and friends. With Office 12, due next year, the company plans to do away with a system that depends on people remembering which series of menus lead to a particular command. Instead, users will see a 'ribbon' of different commands above their document, with the options changing depending on the task. Microsoft previewed the new look for Office at last week's Professional Developer Conference in Los Angeles.

The move could help Microsoft in its perennial quest to come up with enough reasons to prompt current Office users to upgrade, and might also stem some defections to rivals, such as OpenOffice. At the same time, it risks alienating some loyalists, as well as prompting some businesses to question the cost of retraining those accustomed to the current Office.”

I don't see how a ‘ribbon’ is going to solve the problem. Features will still be hidden from users.

I don't believe the problem has ever been features people want to use all the time, but features used rarely that usually come up when there's a deadline, leaving you barely enough time to do the task. Never enough time for the luxury of searching documentation online or off for the function you need.

Barring a breakthrough in A.I. combined with a telepathic program, I don't see how this is going to work. I think they're assuming a general familiarity with program features most users just don't have. Most people I deal with are only familiar with the specific features they use to accomplish their daily tasks.

Alfred Ingram

http://news.zdnet.com/2100-3513_22-5873597.html?tag=nl.e589

Friday, September 16, 2005

Court Unseals Files on Apple 'Asteroid' Probe

"A California appeals court has agreed with the Electronic Frontier Foundation's request to unseal documents relating to Apple Computer Inc.'s legal campaign to force reporters for three Web sites to reveal their sources for articles that disclosed details about Apple's 'Asteroid' audio product.

A redacted version of the documents, which the California 6th District Court of Appeals ordered unsealed last week, is available on the EFF Web page that covers the history of the case: O'Grady et al v. Superior Court, also known as 'Apple v. Does.'

Three sites—PowerPage.org, ThinkSecret.com and AppleInsider.com—posted articles outlining details about an Apple product code-named Asteroid, which is a FireWire-based audio interface unit that will work with GarageBand, Apple's music composition application.

The EFF said that the documents show that Apple did not exhaust other avenues of investigation, as required by law, before seeking subpoenas against the three sites, which published information about the product before it was released. The EFF is one of the organizations providing legal representation for AppleInsider.com and PowerPage.org.

The documents are declarations from two of Apple's security personnel who described the measures they took in investigating the source of the leak of the Asteroid information. They described tracking who had access to the documents and who accessed files on a secure internal server. "At a minimum," Opsahl said, "[Apple] should have asked for depositions or testimony under oath from employees under suspicion.

"While they're willing to seek subpoenas for people without associations with Apple, they failed to review laptops or e-mails," Opsahl said. He added that no investigations were made as to whether confidential information was sent via a Web-based e-mail client or copied to a physical medium.

Apple has claimed that publication of the Asteroid information, and complicity in the leaking of the information, constituted a violation of the Uniform Trade Secrets Act as defined in California Civil Code 3426.1. The act states that if a company takes reasonable measures to protect information and this information has value in being kept secret, California courts should rule that such information should be afforded protection as a trade secret.

When contacted for comment on the court's decision to unseal the documents, an Apple spokesperson simply restated the company's reasons for filing the complaint. "Apple has filed a civil complaint against unnamed individuals who we believe stole our trade secrets and posted detailed information about an unannounced Apple product on the Internet," the spokesperson said. "


http://www.eweek.com/article2/0,1895,1859271,00.asp?kc=ewnws091505dtx1k0000599

Sunday, August 28, 2005

Threats Spread Thick

Top 5 vulnerabilities as reported by ThreatFocus for Monday, August 22nd, 2005

Date        Title                                                                                                        Severity
8/19/2005   Microsoft [Security Advisory: A COM Object (Msdds.dll) Could Cause Internet Explorer to Unexpectedly Exit]   High
8/17/2005   Adobe [Acrobat / Reader Plug-in Buffer Overflow Vulnerability]                                               High
8/16/2005   Apple [Security Update 2005-007]                                                                             High
8/19/2005   Red Hat [php security update]                                                                                High
8/17/2005   Debian [New Mozilla packages fix frame injection spoofing vulnerability]                                     High


http://www.pcmag.com/article2/0,1895,1850852,00.asp

Worm Could Squirm on Windows XP

"It is important to note that Simple File and Print Sharing is only available on Windows XP machines that are not part of a Windows Active Directory Domain. However, configuring a Windows XP SP1 host to share network resources prior to joining an Active Directory Domain will leave it in the vulnerable state even after the Domain is joined," the company warned.

By Ryan Naraine
“Microsoft late Tuesday warned that the Zotob worm could start squirming through certain configurations of Windows XP SP1 (Service Pack 1).

The worm, which squirms through a flaw in the Windows PnP (Plug and Play) service, has wreaked havoc on unpatched Windows 2000 machines, but new information suggests some Windows XP users could also be at risk.

Late Tuesday, Microsoft Corp. issued a new advisory that confirmed the expanded threat and recommended that users implement workarounds to thwart a new worm outbreak.

Users of Windows XP SP2 are not vulnerable to remote attacks.…”

http://www.eweek.com/article2/0,1895,1851908,00.asp?kc=ewnws082505dtx1k0000599

8 Out Of 10 Enterprise PCs Spyware Infected

The number of malicious sites hosting spyware has quadrupled since the start of the year, said Richard Stiennon, Webroot's director of threat research, and now number over 300,000 URLs.

By Gregg Keizer, TechWeb News
“On average, enterprise PCs have 27 pieces of spyware on their hard drives, a 19 percent increase in the last quarter alone, while a whopping 80 percent of corporate computers host at least one instance of unwanted software, whether that's adware, spyware, or a Trojan horse.

Worse, said Stiennon, evidence is accumulating that spyware is becoming more malicious than ever.

"The actual maliciousness of it is increasing," he noted. "There's simply more malicious activity per piece of spyware. They're not satisfied with making their seven cents a click by flooding systems with adware; now they're focusing on identity theft, sometimes from within an organization. Spyware's being used by insiders to, in essence, hack their employer or boss."

Instances of such activity during the second quarter included a scandal in Israel and a stymied multi-million dollar bank robbery in the U.K. that was based on spyware.

Part of the bump-up in spyware infection rates and most of the reason behind its increasing nastiness is due to pressure on spyware-as-a-business, Webroot claimed.

"There's an underlying principle that often gets overlooked: spyware's a business like any other," said C. David Moll, the chief executive of Boulder, Colo.-based Webroot. "Like any business, spyware developers are committed to increasing their profit margins by expanding their distribution channels, utilizing new products, and entering new markets.…" ”


http://www.crn.com/nl/crnupdate/showArticle.jhtml?articleId=169600391

Sunday, August 21, 2005

Zotob Proves Patching 'Window' Non-existent

By Gregg Keizer, TechWeb News
“Although the initial attack on Windows 2000 PCs by bot worms exploiting a week-old vulnerability hasn't grabbed much traction, the way hackers jumped on the bug is proof that the patching "window" is virtually non-existent, said security experts Tuesday.

"The last week showed once more that there is no more patch window," wrote Johannes Ullrich, chief research officer at the SANS Internet Storm Center, in the group's daily alert. "Defense in depth is your only chance to survive the early release of malware."

Exploits were circulating within three days of Microsoft disclosing the Plug and Play vulnerability and offering up a patch, and within five days, several bot worms -- notably Zotob.a and Zotob.b -- were attacking systems.

"Microsoft must be fuming that virus writers are exploiting security holes in their software so quickly," said Graham Cluley, senior technology consultant for security vendor Sophos, in a statement. "It's not only embarrassing for the software giant, but a real headache for businesses who need to move quickly to roll out security patches."

The reason for the fast hacker turn-around, said Ullrich, is that attackers are sharing more and more information. "Malware can only develop as fast as it is developing in this case because of extensive code sharing in the underground," Ullrich said. "The only way we can keep up with this development is by sharing information as efficiently.

"We need to outshare the attackers.…" ”

http://www.crn.com/nl/security/showArticle.jhtml?articleId=168602090

Thursday, August 11, 2005

Spyware Researchers Discover ID Theft Ring

“Sunbelt Software Inc., makers of the enterprise-grade CounterSpy spyware protection product, made the discovery during an audit of "CoolWebSearch," a program that routinely hijacks Web searchers, browser home pages and other Internet Explorer settings.

During the research, Sunbelt researcher Patrick Jordan deliberately installed the "CoolWebSearch" application on a machine and immediately noticed that the infected system became a spam zombie that was placing callbacks to a remote server.

When Jordan visited the remote server, he was shocked to find that it was being used to distribute sensitive personal information from millions of PC users infected by the spyware application.

"We found the keylogger transcript files that are being uploaded to the servers. We're talking real spyware stuff…chat sessions, usernames, passwords, bank account information, full names, addresses," said Sunbelt president Alex Eckelberry.

…Eckelberry said the sophistication of the operation suggests it's the work of a "massive identity theft ring" that used keystroke loggers to grab confidential information that could be used to create fake online identities.

…"This is the most repulsive thing I've ever seen. It's very painful to see what's in these log files that are being uploaded in real time. We're seeing a lot of bank information and usernames and passwords to get in," Eckelberry said.

The log files included logins to one business bank account with more than $350,000 and another small company in California with over $11,000, readily accessible.

"There are lots of eBay account information and names and addresses of the people owning those accounts. Names, passwords, all matched up," Eckelberry added.

He said the server, which is hosted out of a data center in Texas, was effectively a "massive repository of stolen data" that was being replenished in real time.

"As the [log] file gets to a certain size, it gets taken down and a new file starts generating. This goes on nonstop. We've been watching it for a few days while trying to get to the FBI, and it just keeps growing and growing."

While the site is being hosted in the United States, Eckelberry said the domain name is registered to an offshore company. The huge size of the log files is a clear indication that thousands of machines are pinging back daily.

Where users appeared to be at immediate risk of losing a considerable amount of money, Sunbelt has contacted the affected individuals.

Eckelberry said the "CoolWebSearch" payload included a typical adware download that immediately scanned the infected machine for e-mails to use for spam runs. It then sets up a "very intelligent keylogger" that looks for very specific information, noting that the keystroke logger was able to pick up identity-related data for delivery to the remote server.

Anti-virus vendor Trend Micro Inc. provides a free online scanning tool that detects and deletes the "CoolWebSearch" application. ”


http://www.eweek.com/article2/0,1895,1845248,00.asp?kc=ewnws080905dtx1k0000599

Effective professional blogging

“TechRepublic VP Bob Artner explains what it takes to be an effective professional blogger. He advises avoiding the mistakes of many personal blogs, which he says Bloviate and are Loud, Obnoxious and Gabby.”

http://ct.zdnet.com.com/clicks?c=354577-56849759&brand=zdnet&ds=5&fs=0

Sunday, August 07, 2005

Spyware Costs

A survey of more than 1,000 IT managers and end users reveals that spyware and other unsanctioned downloads are resulting in average monthly costs of $130,000 to IT enterprises. The survey also found that spyware incursions appear to be growing at a rate twice that of computer virus incidents.

“…applications that are downloaded and installed on end user PCs without IT sanction, are increasingly represented by instant messaging. "Within the next six months, virtually all end users will have deployed some type of greynet application," the report states. "Based on stated intentions, this number will rise to 93 percent in the next six months."

…Noting that in addition to instant messaging, greynet applications can include P2P file sharing, Web conferencing, Web mail, adware/spyware, and VoIP applications such as Skype, the study found that even among IT managers who have installed perimeter security measures, 77 percent of them had a spyware incident in the past six months. Most of the IT managers said spyware incidents are occurring at the same or greater frequency as six months ago.… ”

http://www.crn.com/nl/security/showArticle.jhtml?articleId=167100251

Friday, August 05, 2005

Not Sure About that Phish? Throw It Back

Recommended Action: If you receive an e-mail from your bank asking you to sign in to verify or update your account then follow these steps:

  1. close the email
  2. open a new browser window
  3. go to the bank's web site using your regular bookmark or by typing in the address
  4. log in there to see if there are any problems.

http://www.pcmag.com/article2/0,1895,1842338,00.asp

Thursday, August 04, 2005

Next Explorer to fail Acid test | Tech News on ZDNet

"'We will not pass this test when IE7 ships,' Chris Wilson, lead program manager for the Web platform in IE, wrote in the IE blog. 'We fully recognize that IE is behind the game today in CSS support. We've dug through the Acid2 test and analyzed IE's problems with the test in some great detail, and we've made sure the bugs and features are on our list--however, there are some fairly large and difficult features to implement, and they will not all sort to the top of the stack in IE7.'

Standards advocates and Web developers have criticized Microsoft for letting Internet Explorer go without a significant upgrade for years. This spring it became clear that Microsoft would finally address long-standing standards-compliance issues in its planned version 7 upgrade.

Microsoft last week came out with a test, or 'beta' version, of its Windows Vista operating system and IE 7.

Wilson said the broad range of Acid2's demands made it more of a 'wish list' than a 'compliance test.'

'As a wish list, it is really important and useful to my team, but it isn't even intended, in my understanding, as our priority list for IE7,' Wilson wrote.

The Web Standards Project responded positively to the announcement, hailing Microsoft's standards to-do list and its openness in acknowledging the test."

http://news.zdnet.com/2100-9588_22-5813897.html?tag=nl.e539

Tuesday, July 26, 2005

Weekend Project: Get your hard drive back in the fast lane - CNET reviews

If your PC isn't the speedster it used to be, chances are a bloated hard drive is to blame. Steer clear of PC bottlenecks by making the most of Windows' built-in maintenance tools. Just mouse over to your System Tools folder and get ready to fine-tune your PC.

http://reviews.cnet.com/4520-10163_7-5555103-1.html?tag=nl.e501

Saturday, July 23, 2005

Is the XP SP2 firewall getting a raw deal?

A current report on a new denial of service vulnerability involving Windows RDP (Remote Desktop Protocol) blaming the Windows XP SP2 (Service Pack 2) firewall has touched off a firestorm of inaccurate coverage that gets "blindly regurgitated in the forums." George Ou sets us straight.

“A recent report on a new denial of service vulnerability involving Windows RDP (Remote Desktop Protocol) blaming the Windows XP SP2 (Service Pack 2) firewall has touched off a rash of sensationalism from other media outlets that gets blindly regurgitated in the forums. This has caused some unwarranted confusion and fear in the IT industry. The original story incorrectly blamed the XP SP2 firewall for failing to protect against the RDP flaw. This was a false characterization of the XP SP2 firewall which has a history of being mischaracterized as something that breaks a lot of applications or is somehow unreliable. This has resulted in some harm to the general public because too many Windows users are refusing to protect themselves with Windows XP SP2. Larry Seltzer did a wonderfully accurate and educational assessment on XP SP2 but is drowned out by all the doom and gloom sensationalism.

When Microsoft first came out with XP SP2 last year, its new firewall feature was incorrectly blamed for breaking hundreds of applications when in fact any personal firewall installed without the proper holes drilled would have caused the exact same issues. This latest story on the RDP vulnerability seems to be yet another slam on the SP2 firewall with the incorrect accusation that it fails to protect against this new RDP denial of service vulnerability. While it's technically true that a SP2 firewall with port TCP 3389 (used by RDP) opened to anyone will result in a successful denial of service attack to an unpatched Windows machine, this is the normal behavior of any stateful packet inspection firewall.… ”

You can protect all the PCs in your office or home by simply implementing a router with a basic firewall or just NAT (Network Address Translation) capability. A router for the home with a built-in switch can be purchased for less than $40. Not only does the router protect you from a vast array of attacks, it also acts as an Internet sharing device. Another easy thing to do is to turn on the Windows XP SP2 firewall and make sure that the RDP service is either entirely blocked or only permitted to enter from trusted network sources. You can find more in-depth information here to turn off the RDP service entirely or configure the XP SP2 firewall. One of the nicest features of the XP SP2 firewall besides the fact that it's free with Windows is that it can easily be managed from a central location. This can be done from a legacy Windows NT 4.0 domain environment using a script or better yet from a group policy in a Windows 2000/2003 Active Directory. This allows a Microsoft network administrator to quickly configure every single Windows XP computer in the company with a single login script or a single group policy.

http://blogs.zdnet.com/Ou/index.php?p=81&tag=nl.e539

Thursday, July 21, 2005

Domain Hijacking

“Domain-name hijacking occurs when someone fraudulently takes control of a domain name, often by masquerading as the legitimate administrative contact for a domain name.

The e-mail addresses of administrative contacts, widely available in the WHOIS database of domain registrations, are used to verify domain-name holders.

The domain-name hijacking report, available here as a PDF, came from ICANN's Security and Stability Advisory Committee.

The report, announced Wednesday during an international meeting of the ICANN (Internet Corporation for Assigned Names and Numbers) in Luxembourg, followed at least two high-profile incidents this year of what is known as domain-name hijacking—one hitting New York-based ISP Panix and another affecting e-mail provider Hushmail Communications Corp.

The committee advises the domain-name system overseer's board of directors and constituents such as the registrars that sell domain names to individuals and business and the registries that manage domains such as .com and .net.

While the Panix and Hushmail cases were widely reported, the ICANN committee report also cited a dozen other examples of stolen domain names. The hijacks hit such high-profile names as wifi.com, commericials.com, nike.com and ebay.de.

Committee members expressed optimism that the report will lead to swift action, but it was still unclear as of late Wednesday whether ICANN's board planned to address the report's findings and recommendations at its meeting later this week.”

http://www.eweek.com/article2/0,1895,1836820,00.asp?kc=ewnws071505dtx1k0000599

Monday, July 18, 2005

Hollingsworth Rambles

“Not a Podcast?
Lately I've been hearing a lot of chatter on the podosphere ragging on conventional broadcasters who make their shows available as podcasts. The line of reasoning seems to be that when Mr. and Ms. Big Broadcaster post their conventional broadcasts on the Internet as downloadable mp3s, they're just posers jumping on the bandwagon.

Agreed, professional broadcasts lack the home-made charm of many current podcasts. That's probably more of a threat to the podcast producers than the podcast listeners.… ”

http://hollingsworthrambles.blogspot.com/2005/06/not-podcast.html

Sunday, July 17, 2005

Does OS matter anymore for security?

by George Ou
“…It's usually taken as gospel in many IT circles to assume that Windows Security is an oxymoron; anyone who dares to suggest using Microsoft IIS 6.0 for a public web server faces serious ridicule. To see if there was any truth to this presumption that Windows Server is fundamentally insecure, I looked up these hacking statistics from www.zone-h.org for 2003 to 2004. Not only did it not show that Windows was hacked more often, but just the opposite. The Linux servers were actually getting hacked and defaced far more often than the Windows server and Apache was also being hacked and defaced more than Microsoft IIS.

While most security research comparing various operating systems and applications focus on statistics for the number of vulnerabilities and their criticality, zone-h takes a completely different approach by looking at actual server compromises. Even more significant is that these are not theoretical hacks in the laboratory but actual website defacements that were confirmed by the public. Zone-h is essentially a centralized "score board" for hackers who want bragging rights for their handy work. While the source of the data is highly despicable, there is no denying the value of such data being collected regardless of the source because of its accuracy. When a website is hacked and defaced, there is little room for interpretation for what has transpired because the proof is in the humiliating public defacement. While these particular defacements are often the work of recreational hackers who hack for sport and not the work of a professional criminal who hacks for financial gain, the techniques used to compromise the servers are usually identical.…

At the end of the zone-h report for 2003-2004, the author concludes (accurately, in my experience) that the argument about which OS is more secure is totally irrelevant since most modern exploits are against applications and not the operating system hosting them. This is true because servers are rarely deployed wide open on the Internet without a firewall. A properly configured firewall minimizes the vulnerability footprint to only permit the ports necessary for a specific application to work, which means the application is the only thing exposed to the hacker. The zone-h report doesn't actually prove which OS is more secure, only that the OS is mostly irrelevant and the Windows server security jokes are more myth than fact.”

http://blogs.zdnet.com/Ou/?p=77&part=rss&tag=feed&subj=zdblog

Sunday, July 10, 2005

PCs Have 50-50 Shot At Infection In Just 12 Minutes

By Gregg Keizer, TechWeb News
6:04 PM EDT Wed. Jul. 06, 2005
Sophos estimated that a new PC stands a 50-50 chance of being infected by a worm within 12 minutes of being connected to the Internet. (Other analysts, such as the Internet Storm Center, put the current average survival time at around 34 minutes.)

The number of new viruses, worms, and Trojans is up nearly 60 percent in the first half of 2005, a U.K.-based security company said Wednesday, while the length of time an unprotected PC survives on the Internet has shrunk to a measly dozen minutes.

Sophos reported that it had pinpointed 7,944 new pieces of malicious software in the first six months of the year, an increase of 59 percent compared to the first half of 2004.

The firm's researchers tracked an even larger spike in the number of keylogging Trojan horses. According to Sophos, that category has tripled in number.

"We are seeing a large amount of new Trojan horses on a daily basis, representing what may be the most significant development in malware writing," said Gregg Mastoras, a Sophos senior security analyst, in a statement.

http://www.crn.com/nl/security/showArticle.jhtml?articleId=165700440

Thursday, June 30, 2005

Sell It on eBay: the Web Site Why not add a Buy It Now?

"Want to use a Reserve Price...why not add a Buy It Now?

eBay Live is off and running and I just picked up a terrific tip in a session taught by Janelle Elms, eBay University instructor and author of eBay Your Business.

It is common knowledge the buyers are very put off by Reserve Price auctions. Buyers understand that sellers need to protect their bottom line, but the hide-and-seek of figuring out what someone's reserve price is can be awfully frustrating."

Why not simply add the Buy It Now feature to any reserve price auction as well? If you set the Buy It Now amount to be the same as your reserve, potential buyers examining your auction can snap up your item immediately, at the price you want.

http://sellitonebay.blogspot.com/

Tuesday, June 28, 2005

VARBusiness | It's a Microsoft World...Where Do You Fit In?

“Taken as a whole, the sheer size of the Microsoft platform broadens the opportunity for consulting services and custom-development engagements for partners, many of whom are increasingly buying into the all-Microsoft mantra. In fact, studies reveal that devoted loyalists are growing by a staggering number, even by Microsoft's standards. That's despite the company's late attempt to catch Google in search, its ongoing struggles to meet its own product deadlines involving Longhorn and other wares, its never-ending battle with hackers--anyone not know someone impacted by spyware?--and its ever-growing complexity when it comes to licensing, its product portfolio or even its basic value proposition. Despite these challenges, the number of people, companies and initiatives that depend on Microsoft technology is simply jaw-dropping… ”

http://www.varbusiness.com/nl/insider/showArticle.jhtml?articleId=164303410

Saturday, June 25, 2005

Down to the Wire

Thomas Bleha
From Foreign Affairs, May/June 2005

“In the first three years of the Bush administration, the United States dropped from 4th to 13th place in global rankings of broadband Internet usage. Today, most U.S. homes can access only "basic" broadband, among the slowest, most expensive, and least reliable in the developed world, and the United States has fallen even further behind in mobile-phone-based Internet access. The lag is arguably the result of the Bush administration's failure to make a priority of developing these networks. In fact, the United States is the only industrialized state without an explicit national policy for promoting broadband.

It did not have to be this way. Until recently, the United States led the world in Internet development. In the late 1960s and 1970s, the Department of Defense's Advanced Research Projects Agency conceived of and then funded the Internet. In the 1980s, the National Science Foundation partially underwrote the university and college networks -- and the high-speed lines supporting them -- that extended the Internet across the nation. After the World Wide Web and mouse-driven browsers were developed in the early 1990s, the Internet was ready to take off. President Bill Clinton and Vice President Al Gore showed the way by promoting the Internet's commercialization, the National Infrastructure Initiative, the Telecommunications Act of 1996, and remarkable e-commerce, e-government, and e-education programs. The private sector did the work, but the government offered a clear vision and strong leadership that created a competitive playing field for early broadband providers. Even though these policies had their share of detractors -- who claimed that excessive hype was used to sell wasteful projects and even blamed the Clinton administration for the dot-com bust -- they kept the United States in the forefront of Internet innovation and deployment through the 1990s.

Things changed when the Bush administration took over in 2001 and set new priorities for the country: tax cuts, missile defense, and, months later, the war on terrorism. In the administration's first three years, President George W. Bush mentioned broadband just twice and only in passing. The Federal Communications Commission (FCC) showed little interest in opening home telephone lines to outside competitors to drive down broadband prices and increase demand.

When the United States dropped the Internet leadership baton, Japan picked it up. In 2001, Japan was well behind the United States in the broadband race. But thanks to top-level political leadership and ambitious goals, it soon began to move ahead. By May 2003, a higher percentage of homes in Japan than in the United States had broadband, and Japan had moved well beyond the basic connections still in use in the United States. Today, nearly all Japanese have access to "high-speed" broadband, with an average connection speed 16 times faster than in the United States -- for only about $22 a month. Even faster "ultra-high-speed" broadband, which runs through fiber-optic cable, is scheduled to be available throughout the country for $30 to $40 a month by the end of 2005. And that is to say nothing of Internet access through mobile phones, an area in which Japan is even further ahead of the United States.

It is now clear that Japan and its neighbors will lead the charge in high-speed broadband over the next several years. South Korea already has the world's greatest percentage of broadband users, and last year the absolute number of broadband users in urban China surpassed that in the United States. These countries' progress will have serious economic implications. By dislodging the United States from the lead it commanded not so long ago, Japan and its neighbors have positioned themselves to be the first states to reap the benefits of the broadband era: economic growth, increased productivity, technological innovation, and an improved quality of life.…”

http://www.foreignaffairs.org/20050501faessay84311/thomas-bleha/down-to-the-wire.html

Friday, June 24, 2005

The red herring of data protection | Between the Lines | ZDNet.com

by Eric Norlin
"Set aside for a moment the debate about why, all of a sudden, we're hearing about all of this. Instead, focus on the reasons behind the data loss: physical tapes lost in transit, hackers, malicious insiders, bad network security practices. Notice that the reasons behind the loss are all over the map. We're told the solution is better network security, better encryption, better corporate safeguards, and better 'data protection.' Of course, all of these 'solutions' are a bit specious, as they're always accompanied by the corporate lawyer caveat, 'we cannot guarantee that this won't happen again.'

All of this will ultimately result in some bloated piece of federal legislation around 'data privacy and protection' that will impose new restrictions on corporate security practices and result in a wave of new spending on IT solutions to help solve that problem. But will we have solved it, really?"

I don't think so.

In the end, this "data loss" problem isn't really about data loss, data protection or data safeguarding at all. That, my friends, is a red herring. The real question to be asked is: Why do all of these corporations need to store all of this personal data in the first place? Why does my credit card company need to store my social security number? Why does Amazon need to store my credit card number? Why shouldn't every company store only what I tell them they can store? And why shouldn't the data that they store be as little as they possibly need to conduct business?

Assuming that there's even a smidgen of validity in my line of questioning, the next question becomes how — how do we go about making the possibility behind these questions a reality?

http://blogs.zdnet.com/BTL/index.php?p=1529&tag=nl.e540

Saturday, June 18, 2005

New Crypto-Gram Newsletter

“In this issue:
  • 2005 Internet Attack Trends
  • Stupid People Buy Fake Concert Tickets

    Only an idiot would buy a printout from a scalper, because there's no way to verify that he will only sell it once. This is probably obvious to anyone reading this, but it turns out that it's not obvious to everyone.

  • Backscatter X-Ray Technology

    Backscatter X-ray technology is a method of using X rays to see inside objects. The science is complicated, but the upshot is that you can see people naked.

  • Crypto-Gram Reprints
  • Insider Attacks
  • Accuracy of Commercial Data Brokers

    From the press release: "100% of the eleven participants in the study discovered errors in background check reports provided by ChoicePoint. The majority of participants found errors in even the most basic biographical information: name, social security number, address and phone number (in 67% of Acxiom reports, 73% of ChoicePoint reports). Moreover, over 40% of participants did not receive their reports from Acxiom -- and the ones who did had to wait an average of three months from the time they requested their information until they received it."

  • News
  • Eric Schmidt on Secrecy and Security

    "Schmidt: Transparency is not necessarily the only way you achieve security. For example, part of the encryption algorithms are not typically made available to the open source community, because you don't want people discovering flaws in the encryption."

    Actually, he's wrong. Everything about an encryption algorithm should always be made available to everyone.

  • U.S. Medical Privacy Law Gutted

    The civil penalties have long been viewed as irrelevant by the healthcare industry. Now the criminal penalties have been gutted. The Justice Department has ruled that the criminal penalties apply to insurers, doctors, hospitals, and other providers -- but not necessarily their employees or outsiders who steal personal health data. This means that if an employee mishandles personal data, he cannot be prosecuted under HIPAA unless his boss told him to do it. And the provider cannot be prosecuted unless it is official organization policy.

  • Risks of Cell Phones on Airplanes
  • Billions Wasted on Anti-Terrorism Security

    "Among the problems:

    "Radiation monitors at ports and borders that cannot differentiate between radiation emitted by a nuclear bomb and naturally occurring radiation from everyday material like cat litter or ceramic tile.

    "Air-monitoring equipment in major cities that is only marginally effective because not enough detectors were deployed and were sometimes not properly calibrated or installed. They also do not produce results for up to 36 hours -- long after a biological attack would potentially infect thousands of people.

    "Passenger-screening equipment at airports that auditors have found is no more likely than before federal screeners took over to detect whether someone is trying to carry a weapon or a bomb aboard a plane.

    "Postal Service machines that test only a small percentage of mail and look for anthrax but no other biological agents."

    The Washington Post had a series of articles. The first lists some more problems:

    "The contract to hire airport passenger screeners grew to $741 million from $104 million in less than a year. The screeners are failing to detect weapons at roughly the same rate as shortly after the attacks.

    "The contract for airport bomb-detection machines ballooned to at least $1.2 billion from $508 million over 18 months. The machines have been hampered by high false-alarm rates.

    "A contract for a computer network called US-VISIT to screen foreign visitors could cost taxpayers $10 billion. It relies on outdated technology that puts the project at risk.

    "Radiation-detection machines worth a total of a half-billion dollars deployed to screen trucks and cargo containers at ports and borders have trouble distinguishing between highly enriched uranium and common household products. The problem has prompted costly plans to replace the machines.

  • Counterpane News
  • Attack on the Bluetooth Pairing Process

    According to the Bluetooth specification, PINs can be up to 128 bits long. Unfortunately, most manufacturers have standardized on a four decimal-digit PIN. This attack can crack that 4-digit PIN in less than 0.3 sec on an old Pentium III 450MHz computer, and in 0.06 sec on a Pentium IV 3GHz HT computer.

    And it's not just the PIN; the entire protocol was badly designed.

    At first glance, this attack isn't a big deal. It only works if you can eavesdrop on the pairing process. Pairing is something that occurs rarely, and generally in the safety of your home or office. But the authors have figured out how to force a pair of Bluetooth devices to repeat the pairing process, allowing them to eavesdrop on it. They pretend to be one of the two devices, and send a message to the other claiming to have forgotten the link key. This prompts the other device to discard the key, and the two then begin a new pairing session.

    Taken together, this is an impressive result. I can't be sure, but I believe it would allow an attacker to take control of someone's Bluetooth devices. Certainly it allows an attacker to eavesdrop on someone's Bluetooth network.

    Combined with the long-range Bluetooth "sniper rifle," Bluetooth has a serious security problem.

  • Password Safe 2.11
  • Public Disclosure of Personal Data Loss
  • Holding Computer Files Hostage
  • White Powder Anthrax Hoaxes
  • Comments from Readers

http://www.schneier.com/crypto-gram-0506.html

Encrypted Lockbox Aims to Clean Up Password Clutter

According to Schneier's PasswordSafe documentation, users normally write their passwords on pieces of paper, leaving accounts vulnerable to thieves or internal snoops.

In some cases, users work around the confusion by choosing the same password for different applications, which presents a bigger risk if that password gets hijacked.

PasswordSafe uses the popular Blowfish encryption algorithm and appeals to users with a simple, user-friendly interface.

“Bruce Schneier's PasswordSafe lockbox, which provides a free utility for users to encrypt and manage multiple passwords on a computer, is ready for a new phase of open-source development.

The celebrated cryptographer, who is credited with designing or co-designing several widely used encryption algorithms, announced the release of Version 2.1 of the database utility as a full-fledged open-source project at SourceForge.

In a blog entry, Schneier said the project is now being managed by Rony Shapiro, a British programmer specializing in network security.

Schneier, who is founder and chief technology officer of Counterpane Internet Security Inc., said the tool is perfect for Web users who struggle to remember all their usernames and passwords.

"I have long advocated writing them all down on a piece of paper and putting it in your wallet, [but] I designed PasswordSafe as another solution," he explained.

He said the tool offers "security through simplicity" by encrypting all of a user's passwords using a single passphrase.…”

Schneier on Security

Currently, Password Safe is an open source project at SourceForge, and is run by Rony Shapiro. Thank you to him and to all the other programmers who worked on the project.

Note that my Password Safe is not the same as this, this, this, or this PasswordSafe. (I should have picked a more obscure name for the program.)

It is the same as this, for the PocketPC.

http://www.schneier.com/blog/archives/2005/06/password_safe.html

http://www.eweek.com/article2/0,1759,1828954,00.asp?kc=ewnws061705dtx1k0000599

Friday, June 17, 2005

Contrary Brin: Networks and Netwar

“This week I'd like to point attention to an interesting article by one of the smartest guys in Santa Monica, California. David Ronfeldt works for the Rand Corporation, the original 'think tank' which ponders many imponderables for the more far seeing (and currently beleaguered) parts of the federal government. It has been posted on rand's website at
http://www.rand.org/publications/RP/RP1169/.

This paper--written in 2002 and now a chapter in a new book (Environmentalism and the Technologies of Tomorrow, Island Press, 2005) -- speculates about the future of the environmental movement as a function of its increasing use of network forms of organization and related strategies and technologies attuned to the information age. The paper does so by nesting the movement's potential in a theoretical framework about social evolution.

This framework holds that people have developed four major forms for organizing their societies: first tribes, then hierarchical institutions, then markets, and now networks. The emergence of a new, network-based realm augurs a major rebalancing in relations among government, market, and civil-society actors. In the near term (years), there will be continuing episodes of social conflict as some environmental groups press their case, often by using netwar and swarming strategies.… ”

Thursday, June 09, 2005

Spoofing flaw resurfaces in Mozilla browsers

By Joris Evers, CNET News.com

“A 7-year-old flaw that could let an attacker place malicious content on trusted Web sites has resurfaced in the most recent Firefox browser, Secunia has warned.

The flaw, which also affects some other Mozilla Foundation programs, lies in the way the software handles frames, which are a way of showing Web content in separate parts of the browser window. The applications don't check whether the frames displayed in a single window all originate from the same Web site, Secunia said in an advisory on Monday. Firefox 1.x, Mozilla 1.7.x and Camino 0.x versions are vulnerable to the flaw, the security monitoring company said.

As a result, an attacker could insert content into a frame on a trusted Web site, Secunia said. Account holders who believe they are interacting with a frame belonging to an online bank could be tricked into giving up personal information or downloading malicious code, for example. Secunia rated the issue "moderately critical."

The same "frame injection" vulnerability in Mozilla's browsers was detailed by Secunia in July of last year. At the time, it did not affect the most recent versions of the applications.

For a spoofing attempt to work, a surfer would need to have both the attacker's Web site and a trusted Web site open in different windows. A click on a link on the malicious site would then display the attacker's content in a frame on the trusted Web site, Secunia said. The company advised people not to visit trusted and untrusted Web sites at the same time.…”

The more things change… The more they brag about how secure they are.

CRN Breaking News Firefox Vulnerable To 7-Year-Old Bug

According to Danish security firm Secunia, Mozilla 1.7.x and Firefox 1.x are vulnerable to a frame injection flaw that first surfaced in 1998. Hackers could exploit the bug to insert their own content into the view of a legitimate site, to, for instance, pose as the log-in frame, then collect usernames and passwords to online bank accounts.

"The flaw means that if you are viewing a trusted site in one window (PayPal or your bank) and open a site belonging to a spoofer in another window, the spoofer can insert code in the window showing the trusted site," wrote a moderator on Mozilla's online forum Monday.

http://www.crn.com/nl/crnupdate/showArticle.jhtml?articleId=164300698

http://news.zdnet.com/2100-1009_22-5734121.html?tag=nl.e589

Saturday, June 04, 2005

Linux Distro Called 'Puppy'?

By Alexander Wolfe, TechWeb News

“A retired university lecturer in Australia has come up with the latest twist on Linux, fielding a distribution of the operating system that takes little memory and can boot directly off of a USB thumb drive.

Dubbed Puppy Linux, the OS is one of dozens of custom and guerrilla variants on Linux circulating throughout the broader software community. (Many are tracked on the Distrowatch open-source Web site.) But Puppy appears to be catching on, attracting recent attention on Slashdot in the wake of the release in May of Puppy Linux version 1.0.2.

‘I think one of the key advantages of Puppy is the simplicity,’ said Barry Kauler, the developer of Puppy Linux, in an e-mail interview. ‘When other distributions start up, you see all these servers loading, but in Puppy it's really basic and bootup is remarkably fast. However, I still managed to stick to the requirement of it all loading into RAM and freeing up the CD drive, on a reference 128MB PC.’

That small-is-beautiful theme is Puppy's raison d'etre, according to Kauler. ‘If I were pressed to list why I think people use Puppy, it would be [that it's] very simple under-the-hood, very easy to use, very fast, highly portable, and easy to install.’ ”

http://www.crn.com/nl/crnupdate/showArticle.jhtml?articleId=163702896

Office Goes XML

From: Between the Lines

“The important revelation, which was expected, is that some Office 12 applications (Word, Excel and Powerpoint) will use Office Open XML as the default file format. Note: Excel and Word already have XML support and related schemas for saving documents with full fidelity as XML files. The formats are industry standard XML 1.0 and the schemas are available on a royalty-free basis. As a result, developers can query what's in a file and extract specific data or write their own compatible applications to view and manipulate the files. Users can open the .XML files in any application that can read XML. "Our value is not tied to file format, but to the user experience and quality of the software," Capossela said. Now that's a refreshing point of view, given how in the past Microsoft has often made it difficult for others to parse the file formats.

What's new for Microsoft is compacting the often overweight XML text files using industry standard Zip compression technology to compress and decompress the data within a document–including comments, charts and document metadata–that is segmented and stored in different components. However, OLE objects and images are still stored as binaries.

Using Zip gets around the thorny issue of creating a binary XML to deal with file bloat.…

A preview of Office 12 (not an initial beta, which isn't due until the fall) will be available at www.microsoft.com/office/preview on Monday, June 6. I asked about XML file formats for Macintosh Office, but Capossela wasn't sure–Mac Office is done by a different business group at Microsoft. Nor is a Linux version of Office on the drawing board. We'll also have to wait to hear about other features that will make it into Office 12. The dribbling continues…”


http://blogs.zdnet.com/BTL/index.php?p=1459&tag=nl.e539
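To make the "XML parts inside a Zip container" point concrete, here is an added example (not code from the article or from Microsoft) that builds a constructed, minimal Office Open XML package in memory and then reads it back the way a third-party tool would: the document text, the core metadata, and the list of parts that are still opaque binaries (images, OLE objects). The namespace URIs are the standard WordprocessingML and package ones; the package contents and names are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DC_NS = "http://purl.org/dc/elements/1.1/"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"


def build_sample_package():
    """Constructed minimal Office Open XML package (not real Office output)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", f'<Types xmlns="{CT_NS}"/>')
        z.writestr("word/document.xml",
                   f'<w:document xmlns:w="{W_NS}"><w:body>'
                   '<w:p><w:r><w:t>Quarterly</w:t></w:r>'
                   '<w:r><w:t xml:space="preserve"> report</w:t></w:r></w:p>'
                   '<w:p><w:r><w:t>Confidential</w:t></w:r></w:p>'
                   '</w:body></w:document>')
        z.writestr("docProps/core.xml",
                   f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}">'
                   '<dc:creator>alice</dc:creator><dc:title>Q2</dc:title>'
                   '</cp:coreProperties>')
        # Images and OLE objects remain opaque binaries inside the Zip container
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + bytes(16))
        z.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + bytes(16))
    return buf.getvalue()


def inspect_package(data):
    """Return document text, core metadata and the names of non-XML parts."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        doc = ET.fromstring(z.read("word/document.xml"))
        # Each w:p is a paragraph; its text is the concatenation of its w:t runs
        paragraphs = [
            "".join(t.text or "" for t in p.iter(f"{{{W_NS}}}t"))
            for p in doc.iter(f"{{{W_NS}}}p")
        ]
        core = ET.fromstring(z.read("docProps/core.xml"))
        metadata = {el.tag.rsplit("}", 1)[-1]: el.text for el in core}
        # Anything that is not XML or a relationships file is a binary part
        binaries = [n for n in names if not n.endswith((".xml", ".rels"))]
    return {"paragraphs": paragraphs, "metadata": metadata, "binary_parts": binaries}
```

The binary-part list is what a reviewer or scanner would want first: those parts cannot be inspected with an XML parser and need their own handling.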

Friday, May 27, 2005

ZdNet Whiteboard Video: Beware of ungracious hosts

“Hackers can attack your hosts file, rewriting the file to send you to a fraudulent site. Virus writers also use the hosts file to block access to anti-virus companies. CNET’s Rob Vamosi says ‘beware.’ ”

Most home users don't even know there is a hosts file.

AOL and other net access programs tend to drop them in without so much as a mention. Virus scanners may not (and usually do not) look for changes other than a virus signature.

This short video tells you what you need to know, but assumes you'll know what to do.

http://news.zdnet.com/1607-2-5718931-2.asx?PSDir=ad_msnlivemeeting&videoName=5w0518ungracioushosts&NumClips=1

http://news.zdnet.com/2036-2_22-5718931.html
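Since the video tells you what to look for but not how, here is an added example (not from the video or from ZDNet) of a small hosts-file audit a defender could run. The sample hosts content and the watched domains are constructed placeholders; the two flagged lines mirror the two abuses the clip describes, a site redirected to a fraudulent address and an antivirus vendor blackholed to localhost.

```python
import ipaddress

# Constructed sample hosts file (not from the page). The first three lines are
# ordinary; the last two are the two kinds of tampering the video warns about.
SAMPLE_HOSTS = """\
# default entries
127.0.0.1       localhost
::1             localhost
192.168.1.10    printer.home.lan
203.0.113.7     www.example-bank.com          # bank redirected to a fake site
127.0.0.1       update.example-antivirus.com  # AV updates silently blocked
"""

# Domains a home user never has a reason to override. Constructed placeholders;
# a real check would carry the vendor and bank domains you actually care about.
WATCHED_SUFFIXES = ("example-antivirus.com", "example-bank.com")

LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                yield fields[0], name.lower()


def audit_hosts(text, watched=WATCHED_SUFFIXES):
    """Return (hostname, ip, reason) for every entry that looks tampered with."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip, "unparseable address"))
            continue
        local = addr.is_unspecified or any(addr in net for net in LOCAL_NETS)
        is_watched = any(name == s or name.endswith("." + s) for s in watched)
        if is_watched and local:
            findings.append((name, ip, "watched site blackholed to local address"))
        elif is_watched:
            findings.append((name, ip, "watched site redirected to external address"))
        elif not local:
            # Any public address in a home hosts file deserves a second look
            findings.append((name, ip, "public address in hosts file"))
    return findings
```

On Windows the live file is `%SystemRoot%\System32\drivers\etc\hosts`; pass its contents to `audit_hosts` to check a real machine.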

Thursday, May 26, 2005

Stealth virus warning

By Munir Kotadia, ZDNet Australia

Organized criminals are advertising networks of zombie computers for rent on underground newsgroups and Web pages. When they receive an order for a botnet of a certain size, they set about trying to infect computers using infected email attachments or socially-engineered spam with links to malicious Web pages. As soon as they infect enough computers to fulfill the order, they stop using that particular piece of malware.

“Virus authors are choosing not to create global epidemics--such as Melissa or Blaster--because that distracts them from their core business of creating and selling botnets, according to antivirus experts.

Botnets are groups of computers that have been infected by malware that allows the author to control the infected PCs, and then typically use them to send spam or launch DDoS attacks.

Speaking at the AusCERT conference on Australia's Gold Coast on Tuesday, Eugene Kaspersky, founder of Kaspersky Labs, said that the influence of organised crime on the malware industry has led to a change of tactics, echoing comments made in March of this year by Mikko Hyppönen of F-Secure. Instead of trying to create viruses and worms that infect as many computers as possible, malware authors are instead trying to infect 5,000 or 10,000 computers at a time to create personalized zombie armies.

"Do I need a million computers to send spam? No. To do a DDoS attack, 5,000 or 10,000 PCs is more than enough. That is why virus writers and hackers have changed their tactics of infection--they don't need a global epidemic," said Kaspersky.

http://news.zdnet.com/2100-1009_22-5719765.html?tag=nl.e589

Tuesday, May 24, 2005

Microsoft security guru: Jot down your passwords

By Munir Kotadia, ZDNet Australia

“Companies should not ban employees from writing down their passwords because such bans force people to use the same weak term on many systems, according to a Microsoft security guru.

Speaking on the opening day of a conference hosted by Australia's national Computer Emergency Response Team, or AusCERT, Microsoft's Jesper Johansson said that the security industry has been giving out the wrong advice to users by telling them not to write down their passwords. Johansson is senior program manager for security policy at Microsoft.

"How many have (a) password policy that says under penalty of death you shall not write down your password?" asked Johansson, to which the majority of attendees raised their hands in agreement. "I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them."

According to Johansson, use of the same password reduces overall security.

"Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it," Johansson said. "If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."

Johansson said the security industry had been giving out the wrong advice about passwords for 20 years.”

Microsoft security guru wants you to jot down your passwords? by ZDNet's George Ou -- http://blogs.zdnet.com/Ou/wp-trackback.php?p=63

http://news.zdnet.com/2100-1009_22-5716590.html

Windows XP Video Decoder Checkup Utility

“The Windows XP Video Decoder Checkup Utility helps you determine if an MPEG-2 video decoder (also called a DVD decoder) is installed on your Windows XP computer and whether or not the decoder is compatible with Windows Media Player 10 and Windows XP Media Center Edition.

An MPEG-2 decoder is software that allows you to play DVDs and files that contain video content that was encoded in the MPEG-2 format (such as DVR-MS files, MPG files, and some AVI files).

If you encounter a problem while using Windows Media Player 10 to synchronize (copy) recorded TV shows to a Portable Media Center or other device, use this utility to verify that you have a compatible MPEG-2 decoder installed on your computer.

Note: This utility only indicates whether an MPEG-2 decoder is compatible with the synchronization feature of Windows Media Player 10 or whether an MPEG-2 decoder is compatible with the recorded TV playback feature of Windows XP Media Center Edition.

This utility:
• Lists all the MPEG-2 video decoders that appear in your Windows registry (a database that contains information about the hardware and software installed in your computer).
• Indicates whether each decoder listed in the registry is marked as compatible with Windows XP Media Center Edition and whether any decoder listed in the registry is marked as the preferred video decoder.
• Indicates whether each decoder listed in the registry is marked as compatible with the synchronization feature of Windows Media Player 10.
• Lets you designate which installed decoder that you want Windows Media Player 10 to use when synchronizing DVR-MS files to a portable device. This is known as the preferred video decoder.
• Lets you undo any changes the utility makes to your Windows registry.”

http://www.microsoft.com/downloads/details.aspx?FamilyID=de1491ac-0ab6-4990-943d-627e6ade9fcb&displaylang=en

Sunday, May 22, 2005

The Characteristics of Spam Email

By Bryan Costales, Marcia Flynt.
“The first step to fighting spam is knowing how to recognize it and, by extension, write code that recognizes it. Unfortunately, spammers realize this and work hard to circumvent detection. This chapter details the many ways that spam filters recognize spam, as well as the ways spammers have gotten around these filters.

It is easy for a person to look at a piece of email and say, "This isn't something I asked for. It looks like an advertisement, and I don't want it, so it must be spam." But although it is easy for humans to recognize spam, it is much harder for software to recognize it. And, after all, the point of spam-blocking software is to eliminate the need for humans to recognize spam.

  1. Connection Behavior
  2. Relaying through MX Servers
  3. Falsifying the Envelope Sender Address
  4. Disguising the Subject: Header
  5. Camouflaging the HTML Body
  6. Attempting to Fool Signature Detectors
  7. Unnecessary Encoding
  8. Grokking the Site
  9. Loose Ends
  10. Think Like a Spammer

http://www.informit.com/articles/article.asp?p=376874

Saturday, May 21, 2005

Apple Patches Widget Malware Hole in Tiger

By Ian Betteridge
“Apple Computer Inc. has quietly patched several security holes in Mac OS X 10.4, also known as "Tiger," including one that allows potentially malicious widgets to be downloaded and installed into Dashboard.

The security patches were released as part of an OS X 10.4.1 update earlier this week, but the company has only just released details of them. The update patches four security holes, the most well-known of which is the problem where widgets—small applications working in the software's Dashboard system—could be downloaded and installed without any specific user confirmation. Under 10.4.1, automatic installation of Widgets is blocked, and users must specifically approve the installation of each Widget.

Although several Web pages appeared that demonstrated how widgets could be installed without user intervention, there have been no reports of malicious widgets being found in the wild. However, because widgets can execute code—including shell scripts—outside the Dashboard environment, the ability for widgets to be downloaded and installed simply by clicking on a Web link looked like a potential route for malware on the platform.”

http://techrepublic.com.com/2100-10595_11-5700982.html

http://concat.blogspot.com/2005/05/mac-malware-door-creaks-open.html

http://www.eweek.com/article2/0,1759,1818272,00.asp

Tuesday, May 10, 2005

The missing glue in the fight against malware

by ZDNet's David Berlind --
“ …Three years from now, the spyware problem will be worse than it is today and I’ll be writing about one of the reasons that there has been no improvement: the failure of the industry to recognize where technological consensus is needed, and then to build solutions on top of that consensus technology.

So, in the case of spyware, what would that technology be? I’m directing that question rhetorically at the new executive team at Tenebril because it’s simply an extension of the same conversation that I was having with them about personal firewalls while they were at Zone Labs. Personal Firewalls and anti-spyware have quite a bit in common. In some ways, personal firewalls help to solve the spyware problem because they can block spyware from "phoning home" — what happens when malware reports back to its creators or distributors with its findings (eg: logged keystrokes).

But, one reason personal firewalls aren’t always successful in this endeavour is that they often require user inputs. When a personal firewall detects a first time attempt by some process to reach the outside world, it notifies the user that something new is trying to get out and it asks the user if the attempted communication should be permitted. But, as I’ve written before, this allow/disallow inquiry is all too often noticeably deficient in the kind of information a user needs to make an informed decision. This is particularly troubling since, regardless of whether it’s trapping malware or legitimate software, the wrong answer might render your software inoperable. "LSASS.EXE is trying to reach 177.24.202.16. Allow Always? Allow this once? Deny?" it asks me. What the heck is LSASS.EXE? What or where is 177.24.202.16? And finally, why isn’t the software answering these questions for me?

The answer to that last question is easy. The software doesn’t know. Nor, considering the number of software components out there (legitimate and not), can it know. For a while, with many personal firewalls, this meant that answering the allow/deny question was guesswork (or, a lot of Googlework). Fortunately, guessing couldn’t get you into too much trouble. Sooner or later, every networked computer loses its connection to its network anyway. When, through a personal firewall, a user denies network access to a particular software component, the net result for that software component is pretty much the same as what happens when the system suddenly loses its network connection for some other reason (the cable gets pulled out, the Wi-Fi signal disappears, etc.). If a user mistakenly denies network access to a legitimate software component that needs it, and the system or the software hangs, fixing the problem requires little more than a reboot and a correction to the firewall’s ruleset.

But that’s not how software should work. And when I started dinging Zone Labs and other firewall makers for having this problem, I also recognized that no single firewall developer — not even Symantec — was big enough to develop and maintain the database they’d need in order to provide users with the information required to make an informed decision. How do I know this? Some of them tried. But the information was invariably incomplete. To really do that database right would require the participation of all the software vendors, and for them to participate, it would have to be easy and it would have to be centralized. ”

http://blogs.zdnet.com/BTL/?p=1353