IT News
Adobe Flash Ads Launching Clipboard Hijack Attacks
bullyBEEF writes “Malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks. In the Web attacks, which affect Mac, Windows, and Linux users running Firefox, IE, and Safari, bad guys are seizing control of the machine’s clipboard (probably using the Flash command setClipboard) and inserting a hard-to-delete URL that points to a fake anti-virus program. A number of legitimate sites have been seen to host ads carrying the attack — including Newsweek, Digg, and MSNBC.com. Researcher Aviv Raff offers a harmless demo of how it’s done.”
Read more of this story at Slashdot.
Judge Rules Man Cannot Be Forced To Decrypt HD
I Don’t Believe in Imaginary Property writes “In Vermont, US Magistrate Judge Jerome Niedermeier has ruled that forcing someone to divulge the password to decrypt their hard drive violates the 5th Amendment. Border guards testify that they saw child pornography on the defendant’s laptop when the PC was on, but they made the mistake of turning it off and were unable to access it again because the drive was protected by PGP. Although prosecutors offered many ways to get around the 5th Amendment protections, the Judge would have none of that and quashed the grand jury subpoena requesting the defendant’s PGP passphrase. A conviction is still likely because prosecutors have the testimony of the two border guards who saw the drive while it was open.” The article stresses the potential importance of this ruling (which was issued last November but went unnoticed until now): “Especially if this ruling is appealed, US v. Boucher could become a landmark case. The question of whether a criminal defendant can be legally compelled to cough up his encryption passphrase remains an unsettled one, with law review articles for the last decade arguing the merits of either approach.” Update: 08/19 23:49 GMT by KD: Several readers have pointed out that this story in fact did not go unnoticed.
Read more of this story at Slashdot.
MIT Students’ Gag Order Lifted
mytrip and several other readers let us know that a judge in Boston has lifted the gag order — actually let it expire — against three MIT students who discovered flaws in the security of the local transit system, the MBTA. We’ve discussed the case over the last 10 days. “Judge O’Toole said he disagreed with the basic premise of the MBTA’s argument: That the students’ presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses. Many had expected Tuesday’s hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O’Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA. On that basis, he said MBTA lawyers failed to convince him on two points: The students’ presentation was meant to be delivered to people, and was not a computer-to-computer ‘transmission.’ Second, the MBTA couldn’t prove the students had caused at least $5,000 damage to the transit system.”
Read more of this story at Slashdot.
A Good Reason To Go Full-Time SSL For Gmail
Ashik Ratnani writes with this snippet from Hungry Hackers: “A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers’ conference in Las Vegas. Last week, Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, not just authentication. Users who did not turn it on now have a serious reason to do so, as Mike Perry, the reverse engineer from San Francisco who developed the tool, is planning to release it in two weeks.”
Read more of this story at Slashdot.
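The tool described above works because a session cookie sent on a plain-HTTP request can be read off the wire. The following added example (not part of the story, and not Google’s code) audits Set-Cookie headers for session-looking cookies that lack the Secure attribute, which is what full-time SSL plus a Secure flag prevents. The header samples and the name hints are constructed assumptions.

```python
"""Audit Set-Cookie headers for session cookies a sniffer could read (added example; samples are constructed)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CookieInfo:
    name: str
    secure: bool      # Secure attribute: the browser sends the cookie only over https
    httponly: bool    # HttpOnly attribute: page script cannot read the cookie
    domain: Optional[str]

# Name fragments that usually mark a session or authentication cookie (assumption, not Gmail's names).
SESSION_NAME_HINTS = ("sid", "sess", "session", "auth", "token")


def parse_set_cookie(header: str) -> CookieInfo:
    """Parse one Set-Cookie header value into its name and the attributes we care about."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _ = parts[0].partition("=")  # split on the first '=' only; values may contain '='
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # flag attributes (Secure, HttpOnly) get an empty value
    return CookieInfo(name.strip(), "secure" in attrs, "httponly" in attrs, attrs.get("domain"))


def sent_over(cookie: CookieInfo, scheme: str) -> bool:
    """Would the browser attach this cookie to a request made with the given URL scheme?"""
    return scheme == "https" or not cookie.secure


def audit_set_cookies(headers: List[str]) -> List[Tuple[str, str]]:
    """Return (cookie name, problem) pairs for session-like cookies that are exposed on http:// requests."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not any(hint in cookie.name.lower() for hint in SESSION_NAME_HINTS):
            continue  # preference cookies and the like are not worth stealing
        if not cookie.secure:
            findings.append((cookie.name, "missing Secure"))
        if not cookie.httponly:
            findings.append((cookie.name, "missing HttpOnly"))
    return findings


# Constructed sample headers (not real Gmail cookies): one exposed, one harmless, one hardened.
SAMPLE_HEADERS = [
    "SID=abc123; Domain=.example.com; Path=/; HttpOnly",
    "PREF=lang=en; Domain=.example.com; Path=/",
    "SSID=xyz789; Domain=.example.com; Path=/; Secure; HttpOnly",
]
```

Running `audit_set_cookies(SAMPLE_HEADERS)` flags only the first cookie: it is session-like, is sent on http:// requests, and so is exactly what an unencrypted-session stealer collects.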
Can You Build a Fiber Test Kit On a Budget?
An anonymous reader writes “Have any Slashdot readers hacked together cheap test kits for fiber optic cable? More and more IT infrastructure is using multimode and single mode fiber optic cabling. Commercial test equipment is extremely expensive, running the gamut from a few hundred dollars for a basic light source, to tens of thousands for an OTDR. What equipment do you consider essential to your fiber kit? Is there a way to save costs when it comes to fiber test equipment? Is it worth it to do so?”
Read more of this story at Slashdot.
OLPC Physics Game Jam For an XO
Brian Jordan writes “For 48 hours during the weekend of August 29-31 at the OLPC Physics Game Jam Boston, game developers will compete in teams of 2-4 to design and implement a physics-based game for the One Laptop per Child XO laptop. There are prize categories for indie, professional, and remote developers (Ludum Dare style). In addition to OLPC/Jam-related swag for all participants, one team will win an XO laptop. Participants should have some game development experience, but we’ll be going over the development process during the event — read below for details. If you’ll be in the Boston area this weekend, or want to participate remotely, sign up before August 22. If you’re a graphic artist, sound designer, or musician in the Boston area, or want to be a volunteer, get in touch.” Click the magic link for details of the crash course in game programming being offered.
Read more of this story at Slashdot.
Why One-time Passwords Suck For MITM Attacks
whitehartstag writes “Black Hat 08 disclosed several SSL VPN and DNS vulnerabilities that caused several people to sit up and take notice. Some of these new exploits performed a brilliant Man-In-The-Middle attack on SSL VPN tunnels. This article walks you through how using certificates, instead of OTP tokens, for second-factor authentication can increase the security of your SSL VPN against these new types of attacks.”
Read more of this story at Slashdot.
Boost 1.36 Released
AndrewStephens writes “Good news for C++ programmers: Boost 1.36 has been released with 4 new libraries (including very useful exception templates) and a host of updates. In particular, boost.asio (the cross platform AsyncIO library) has seen major additions and now supports asynchronous disk operations on Windows. Almost every modern C++ codebase uses Boost somewhere, and many of its features find their way into the official language specifications.”
Read more of this story at Slashdot.
Sun Open-Sources Java UI Toolkit
ruphus13 writes “As the mobile space heats up, Sun has released the source code for Java Lightweight UI Toolkit under the GPL v2 license. ZDNet quotes Sun’s senior director of embedded software saying, ‘By creating LWUIT, Sun is reaffirming its commitment to the mobile development community and by open-sourcing the LWUIT code, we are enabling mobile developers to quickly and easily create rich, portable interfaces for their applications — functionality that they have been requesting for some time.’ Will Adobe follow suit?” Sun is also working on some fixes to holes in their mobile Java platform, which were discovered by a Polish researcher who demanded €20,000 to disclose the information.
Read more of this story at Slashdot.
Outages Leave Google Apps Admins In the Hotseat
snydeq writes “This week’s Google outages left several Google Apps admins in the lurch — and many of them are second-guessing their advocacy for making the switch to hosted apps, InfoWorld reports. The outages, which affected both Gmail and Apps, ‘could serve as a deterrent to some IT and business managers who might not be ready to ditch conventional software packages that are installed on their servers,’ according to the article. ‘If we began to experience a similar outage more than about two or three business hours per quarter, we’d probably make Google Apps and Gmail a backup solution to a locally hosted mail system, if we used it at all,’ said one Apps admin. ‘And it would likely be years before we’d try a cloud-based collaborative system again from any vendor.’ Coupled with recent Apple and Amazon cloud issues, these Google outages are being viewed by some as big wins for Microsoft.”
Read more of this story at Slashdot.
Easy Encryption In Java and Python With Keyczar
rsk writes “Keyczar is an encryption toolkit born out of the Google Security Team and released under the Apache 2 license. Keyczar’s purpose is to make managing encryption of secured data much easier than it has been, with the following features: a simple API; key rotation and versioning; safe default algorithms, modes, and key lengths; automated generation of initialization vectors and ciphertext signatures; Java and Python implementations (C++ coming soon); and international support in Java (Python coming soon). The example on the website is only 2 lines long, and a more fully worked out example is also provided for folks wanting to get started ‘for reals.’”
Read more of this story at Slashdot.
Software Logging Schemes?
MySkippy writes “I’ve been a software engineer for just over 10 years, and I’ve seen a lot of different styles of logging in the applications I’ve worked on. Some were extremely verbose — about 1 logging line for every 2 lines of code. Others were very lacking, with maybe 1 line in 200 devoted to logging. I personally find that writing debug and informational messages about every 2 to 5 lines works well for debugging an issue, but can become cumbersome when reading through a log for analysis. I like to write warning messages when thresholds or limits are being approached — these tend to be infrequent. I log errors whenever I catch one (but I’ve never put a ‘fatal’ message in my code, because if it’s truly a fatal error I probably didn’t catch it). Recently I came across log4j and log4net and have begun using them both. That brings me to my question: how do the coders on Slashdot handle logging in their code?”
Read more of this story at Slashdot.
ECMAScript 4.0 Is Dead
TopSpin writes “Brendan Eich, creator of the JavaScript programming language, has announced that ECMA Technical Committee 39 has abandoned the proposed ECMAScript 4.0 language specification in favor of a more limited specification dubbed ‘Harmony,’ or ECMAScript 3.1. A split has existed among the members of this committee, including Adobe and Microsoft, regarding the future of what most of us know as JavaScript. Adobe had been promulgating their ActionScript 3 language as the next ECMAScript 4.0 proposal. As some point out, the split that has prevented this may be the result of Microsoft’s interests. What does the future hold for Mozilla’s Tamarin Project, based on Adobe’s open source ActionScript virtual machine?”
Read more of this story at Slashdot.
McCain Releases Technology Platform
I Don’t Believe in Imaginary Property writes “John McCain has finally released a technology platform. Most of it is the same old stuff: lower corporate taxes, protect children from porn, and avoid Internet regulation unless ‘necessary.’ Alas, in his view, helping the RIAA’s War on Sharing is necessary to stop the ‘global epidemic’ of piracy, while Net Neutrality is something he ‘does not believe in.’ Ars Technica has a review of McCain’s platform.” A brief analysis is also available from Federal Computer Week. In addition to the technology policy, McCain has also released a paper describing his stance on security and privacy. We’ve previously contrasted his views with those of Barack Obama. Obama’s technology policies are also available online.
Read more of this story at Slashdot.
How Important Is Protecting Streaming Media?
spaj writes “In the ongoing battle with the MPAA and RIAA, there seems to be an ongoing argument about who is to blame. If you leave a $20 bill on the sidewalk, can you report it stolen when someone takes it? Of course you can, but will you be taken seriously by the authorities? When my car was broken into, I was told by the responding police officer that I might have prevented it by keeping my seats and visible areas clear of junk that would entice criminals. So, who is at fault when it comes to users abusing their right to capture streaming media for personal use? According to Applian.com’s Legal FAQ, the RIAA will not come after you if you make a recording for your own personal use. I have often been torn on this issue, and I am looking for input. Adobe recently released a new format of their widely used streaming protocol, RTMP, that includes 128-bit encryption (RTMPE). I can only interpret this as an attempt to prevent capturing of the streaming media content for personal use. However, Applian has already circumvented the RTMPE protection, and you can read about it on Adobe’s forums, where some users seem quite dissatisfied that their content is not protected enough by Adobe’s technology. I think the main question boils down to: Who is to blame? Can you blame Adobe for not making a better encryption? Or do you blame Applian for bypassing such security features? Or do you blame the authors of stolen content for leaving the security of their material in somebody else’s hands?”
Read more of this story at Slashdot.