Not all Hackers are Evil - ask Johnny Long #BlackHat
By Sean Kerner | July 31, 2009
LAS VEGAS. For many, the term 'Hacker' is something to be feared.
But after sitting through Johnny 'I hack stuff' Long's Black Hat session titled "From Me to We," the definition of hacker needs to be redefined.
Long told the capacity crowd that he quit his job and moved to the African nation of Uganda in order to support an effort known as Hackers for Charity.
He's currently living on donations from fellow hackers.
In his talk, Long detailed his rise to fame as one of the most prominent hackers on Earth thanks to his book, "Google Hacking." Yet even with all his fame, he wasn't happy; he wanted to do something useful and make a difference, and that's what he's doing now - helping the under-privileged in Africa to live better (and more connected) lives.
Long noted that his skills as a hacker were developed in part by his participation in the hacker community.
"I didn't have a single 0-day to my name, I didn't invent anything, but I ended up with a dozen book projects," Long said.
Long's books are part of his charity effort. Long's book 'No Tech Hacking', which he packaged as part of his 2007 Black Hat session, had all of its net proceeds going to charity.
Beyond just living in Africa, he has successfully solicited the help of the hacker community, with fellow hackers donating money, time and skills. There is also an effort called the Informer project, where hackers give paying/donating members pre-releases of stuff.
"There is darkness in our community, there is evil here, but that's the minority," Long said. "The majority of us are just curious. But the word hacker is applied and that's a word for criminal."
Long is no criminal in my view, he's a missionary and that's his message now too.
"The message is to get involved in something bigger than yourself, make a difference," Long said.
Picture: Johnny Long Credit: Sean M. Kerner
Hackers: Uncle Sam (still) wants you! #BlackHat
By Sean Kerner | July 30, 2009
LAS VEGAS. Last year, the US Government made a plea to hackers at Black Hat to join the government.
Did it work?
Marcus Sachs, executive director of government affairs and national security policy at Verizon and a former government employee, argued that the DHS has created an environment of disincentives when it comes to keeping people in DHS.
It's a position that the current government employees don't agree with.
"As we grow, we do have career paths for many of you," US-CERT's Mischel Kwon said. "We have open positions and we welcome you to come and join us. Yes it does take a while to get in and we're looking to fix that."
Col. Mike Convertino of the Air Force Cyber Command said that Black Hat and DEFCON have been tremendous recruiting efforts for them. Convertino said that last year the Air Force hired 60 people it met at Black Hat.
"So it is possible for agencies to populate themselves but it takes effort and certain good events like this one to move things forward."
Picture: US-CERT's Mischel Kwon Credit: Sean M Kerner
Does the US Government pay for zero-day exploits? #BlackHat
By Sean Kerner | July 30, 2009
From the 'I've always wondered' files:
LAS VEGAS. I'm in the super mega Feds vs Ex-Feds panel now at Black Hat and already I've learned something I didn't know.
There is a divergence of opinion in the security industry about whether or not people should buy zero-day exploits. TippingPoint has a whole business model built around it and it seems to work for them - but what about the government?
Does the US Government buy zero-day exploits?
"I don't buy zero days," US-CERT director Mischel Kwon said.
Kwon is just one branch of the government.
The NSA had a less specific answer.
"I can tell you we have a policy but I'm not going to tell you what it is," NSA agent Richard Marshall said.
PIC: Richard Marshall Credit: Sean M. Kerner
San Francisco parking meter system hacked #BlackHat
By Sean Kerner | July 30, 2009
From the 'they told us so' files:
Last month Joe Grand explained that there were flaws in parking meter systems. Today at Black Hat he explained how he found those flaws and what he was able to do with them.
In a nutshell Grand was able to reverse engineer the Smart Cards used in San Francisco such that he could trick the meter into thinking the card had an arbitrary value.
The answer to the problem in San Francisco and potentially elsewhere is a simple one according to Grand. He noted that the meters should have anti-tampering mechanisms and they should have accessible serial ports on them.
Researcher Jacob Appelbaum, who joined Grand on the stage, commented that actually interfacing with the San Francisco meters wasn't hard. He said no one asked him what he was doing -- and if they did he would have said it was an 'art project.'
Picture: Joe Grand (left), Jacob Appelbaum (right). Credit: Sean M. Kerner
Firefox nears 1 billion downloads
By Sean Kerner | July 30, 2009
Mozilla's Firefox is nearing a major milestone - 1 Billion downloads. That's BILLION with a B.
Now that's not a billion users, mind you, it's downloads - and hey, who among us hasn't downloaded Firefox more than once?
It's a major milestone for sure.
In terms of how many actual users Firefox has that number is somewhat smaller. In May, Mozilla reported 270 million active users.
US falling behind on catching up with cyber security #BlackHat
By Sean Kerner | July 30, 2009
LAS VEGAS. Robert Lentz, Deputy Assistant Secretary of Defense in both the Bush and Obama administrations and the first Senior Information Assurance Official for the Department of Defense, serving since Nov 2000, took the Black Hat stage this AM to talk about US cybersecurity.
In Lentz's view the US needs a Cyber-Czar of cyber identity in order to raise awareness and get the US on track.
"You have to think of cyberspace as a global commons," Lentz said. "Securing the global commons is a shared responsibility. It should be our number one priority; everything we do is about preserving the internet that is driving the information economy."
Lentz also noted that while the US has made great strides in security, there is still much to do.
"The reality is we've fallen further behind on catching up," Lentz said. "Security has been in a race and we are moving the entire DoD and it relies on the internet for everything we do. For us in the DoD the race is real and it's daunting and we have a lot of significant challenges in front of us."
Lentz also spoke about the need to understand how to keep trust zones small and manageable. In his view over the last 20 years directory services have been an issue.
"We need to have physical and logical worlds converge in the identity areas," Lentz said.
Fundamentally the move that the US needs to take is to be more agile in responding and reacting to cyber risks.
"No defense is perfect. We have the illusion we can prevent adversaries from coming into our network," Lentz said. "We have to base decisions on reality and have to be able to fight through a cyber-degraded network."
PIC: Robert Lentz Credit: Sean M. Kerner
Apple iPhone SMS attacked by researchers #BlackHat
By Sean Kerner | July 30, 2009
LAS VEGAS. Between 11:15 and 12:30 AM PT today, security researchers Charlie Miller and Collin Mulliner will publicly show off a highly exploitable SMS flaw in the Apple iPhone (at least it is at the time of this blog post).
Going a little deeper, the flaw isn't just an iPhone issue; in fact there are two separate sessions at Black Hat this morning talking about SMS flaws in general.
"We (will) present techniques which allow a researcher to inject SMS messages into iPhone and Windows Mobile devices," Miller states in his talk abstract.
I'll see it for myself in a few hours along with hundreds of other people that are likely to pack the session hall. What Miller will demonstrate is how fuzzing - a technique that basically throws garbage input at a process - can be used to generate a fuzzed SMS message that triggers the flaw.
SSL under attack (again) #BlackHat
By Sean Kerner | July 29, 2009
LAS VEGAS. Earlier this year security researcher Moxie Marlinspike turned the world of SSL security on its head with a presentation at Black Hat DC. Here in Vegas, he's expanding his tool SSLstrip with a series of improvements that will make the tool even more powerful.
"On the web SSL is not usually encountered directly," Marlinspike said. "It's usually a redirect where someone types in bankofamerica.com (or any other site) and then they get forwarded to an SSL page."
What the original SSLstrip tool did was take advantage of that fact to trick the browser into thinking an HTTP connection was actually an SSL connection. Marlinspike noted that it's an automated process to get a regular SSL certificate.
The process works by first doing a whois lookup to find the admin contact.
"They only look for the root of the domain. They don't give a shit about subdomains," Marlinspike said.
As such, a person could get a certificate for a null domain like *0\.attackersite.bankname.com that would validate. He commented that such a wildcard gives SSLstrip great power, providing what looks like a real certificate.
To make matters worse he's now also built in a technique to prevent the wildcard certificate from being revoked by the certificate authority as well.
"In short, we've got your passwords, your communications and control over the software that runs on your computer," Marlinspike said.
There is however a solution. In response to a question from the audience Marlinspike noted that all the SSL vendors would have to do is validate the whole domain, not just the last bit of it.
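As an added illustration (this is not SSLstrip's code, nor anything Marlinspike or a CA published), the toy model below puts the two checks the talk faults side by side with their hardened versions: a CA that approves a name after looking only at its root domain, and a client that reads the certificate name C-string style and so stops at the first NUL byte, which is the mechanism behind the "null domain" remark. The hostnames www.bank.example and attacker.example are constructed.

```python
# Toy model of the certificate-name checks described above. Constructed
# example for illustration: not SSLstrip, not any CA's or browser's code.
# Hostnames (www.bank.example, attacker.example) are made up.
import string

# Bytes that may legitimately appear in a certificate hostname (plus '*' for
# wildcards). NUL is deliberately absent.
ALLOWED = set((string.ascii_letters + string.digits + "-.*").encode("ascii"))


def root_domain(name: str) -> str:
    """Last two labels of a name, e.g. 'attacker.example' (toy rule; a real CA
    would consult a public-suffix list)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def ca_root_only_approves(requested_cn: bytes, applicant_domains: set) -> bool:
    """Weak issuance check, as the talk describes: decode leniently and look
    only at the root of the requested name."""
    name = requested_cn.decode("latin-1")
    return root_domain(name) in applicant_domains


def ca_full_name_approves(requested_cn: bytes, applicant_domains: set) -> bool:
    """Hardened issuance check: every byte must be a legal hostname byte, and
    the whole requested name must sit under a domain the applicant controls."""
    if not requested_cn or any(b not in ALLOWED for b in requested_cn):
        return False
    name = requested_cn.decode("ascii")
    return any(name == d or name.endswith("." + d) for d in applicant_domains)


def _wildcard_match(pattern: str, host: str) -> bool:
    """Match a presented name against a host: exact, or a single leading '*'
    covering exactly one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def client_cstring_matches(cn: bytes, host: str) -> bool:
    """Naive client: treats the CN as a C string, so everything after the first
    NUL byte is silently ignored."""
    visible = cn.split(b"\x00", 1)[0].decode("latin-1")
    return _wildcard_match(visible, host)


def client_length_aware_matches(cn: bytes, host: str) -> bool:
    """Hardened client: the CN is length-delimited, so an embedded NUL is a
    malformed name and never matches."""
    if b"\x00" in cn:
        return False
    return _wildcard_match(cn.decode("latin-1"), host)


# Constructed scenario: the applicant controls attacker.example and requests a
# name whose visible prefix is another site's hostname, followed by NUL.
ATTACKER_DOMAINS = {"attacker.example"}
FORGED_CN = b"www.bank.example\x00.attacker.example"
HONEST_CN = b"*.attacker.example"


def weak_chain_accepts(cn: bytes = FORGED_CN, host: str = "www.bank.example") -> bool:
    """Root-only CA plus C-string client: does the name pass end to end?"""
    return ca_root_only_approves(cn, ATTACKER_DOMAINS) and client_cstring_matches(cn, host)


def hardened_chain_accepts(cn: bytes = FORGED_CN, host: str = "www.bank.example") -> bool:
    """Full-name CA plus length-aware client: does the same name pass?"""
    return ca_full_name_approves(cn, ATTACKER_DOMAINS) and client_length_aware_matches(cn, host)


if __name__ == "__main__":
    print("weak chain accepts forged name:    ", weak_chain_accepts())       # True
    print("hardened chain accepts forged name:", hardened_chain_accepts())   # False
    print("hardened chain accepts honest name:",
          hardened_chain_accepts(HONEST_CN, "shop.attacker.example"))        # True
```

Either fix alone closes the hole in this model: a CA that validates every label never issues the name, and a length-aware client never matches it even if issued.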
Picture: Moxie Marlinspike Credit: Sean M Kerner
Sniffing passwords with laser beams #BlackHat
By Sean Kerner | July 29, 2009
LAS VEGAS. There are all kinds of ways that attackers can 'sniff' a user's password, but laser beams and power cords?
No it's not Science Fiction, it's Black Hat.
Security researchers Andrea Barisani and Daniele Bianco gave a tremendously entertaining and informative talk here about how good old PS/2 keyboards leak through power lines, and oh yeah, the lasers.
But first the keyboards.
"... attacked PS/2 keyboards and they have multiple cables inside of it," Barisani said. "The wires are close to each other and poorly shielded so there is a leak of information from the data wire to the ground."
Barisani noted that the signal from the ground wire would also permeate to other electrical outlets in close proximity. The two researchers showed some demo screens of what the electrical wires actually showed; at this stage they were able to make out letters. They didn't demo any kind of larger tool that could actually turn all the letters into numbers and words, though they said it was possible.
"We're confident that more expensive equipment can lead to more precise measurements," Barisani said. "We're two idiots and we did this in one week."
The laser beams are another story. The general idea is that the laser is used as an acoustic microphone that could remotely pick up the sound vibrations from a user's keyboard. Somehow you can match that acoustic vibration to words/numbers, but frankly I didn't understand how that actually worked.
But it is something remarkable and, according to their preliminary research, very real too.
So how do you defend against these attacks? Tin hats, of course.
LORCON2 Wi-Fi hacking coming to Metasploit #BlackHat
By Sean Kerner | July 29, 2009
LAS VEGAS. Security researcher Mike Kershaw is on the verge of getting LORCON2 (acronym for Loss Of Radio CONnectivity) into Metasploit. Lorcon is an open source network tool for Wi-Fi injection.
"It will figure out which driver a user is using and then for each packet do some fun stuff," Kershaw said.
In his view many of the same attacks that worked 5 years ago are still valid today, and users aren't protecting themselves. Kershaw is employed by wireless vendor Aruba Networks and his research should lead to more secure wireless gear in my opinion.
Though LORCON2 is not available right now, he did state that the Metasploit module is not vaporware and that the full code should be committed to Metasploit in the coming weeks.
Picture: Mike Kershaw Credit: Sean M. Kerner
We calculate security ROI wrong #BlackHat
By Sean Kerner | July 29, 2009
LAS VEGAS. Douglas Merrill, former president of record label EMI, has a few thoughts on what's wrong with security today. He shared those thoughts in a keynote presentation at the Black Hat security conference.
"CEOs are terrified of security and as a result they are writing more checks," Merrill said. "But the downside is they don't know what they are paying for."
Merrill argued that the problem is that we compute ROI on avoiding downside, but that's the wrong thing to do. He commented that we should make security decisions based on positive feedback and not negative.
Merrill knows what he's talking about - he used to be CIO at Google. In his view the right thing to do is to try and make sure that security is not a problem.
Instead of concentrating security knowledge in one area, it should be embedded across an enterprise.
"We have to make it so security is not a problem," Merrill said. "At Google, we didn't control what environment our engineers worked in because we thought it would remove their ability to innovate. So we built security into the infrastructure and made it untrusting. We didn't have AV on the end points; we had it on the mail server."
PIC: Doug Merrill Credit: Sean M. Kerner
Microsoft explains why killbits are needed #BlackHat
By Sean Kerner | July 29, 2009
Yesterday Microsoft put out an out-of-band release to deal with a killbit issue that will be discussed today at the Black Hat security conference in Las Vegas.
I caught up with Mike Reavey, Director of the Microsoft Security Response Center (in a hallway in Caesars Palace, where Black Hat is being held), to talk about how Microsoft deals with security research - and how he sees the whole killbit issue. I've got a three minute slice of the full interview below, and I've also pulled out what I see as the really noteworthy quotes as well.
"The killbit is still a very important security function when you're dealing with ActiveX controls," Reavey told me. "The right way to fix software problems is in the code itself, so the same practices we have around secure development will help to mitigate threats beyond just using the killbit."
That does make good sense, but wait...Reavey has more insights to share.
"The other thing is you can't eliminate all possible vulnerabilities in all possible parts of software," Reavey said. "You can work to mitigate them."
In the clip below, in addition to killbit, (the latter part of the video), Reavey also explains how Microsoft works with security researchers (including those that helped to disclose the killbit issue).
BIND 9 DNS under attack - time to update
By Sean Kerner | July 29, 2009
It was about a year ago that security researcher Dan Kaminsky reported his DNS flaw that affected many vendors and the internet itself. DNS - particularly BIND 9 - is now at risk from another flaw for which an exploit is already available.
BIND 9 is a popular open source DNS server, and arguably the most deployed DNS server in use today. So even though this is a flaw in one DNS server (as opposed to DNS itself which was Kaminsky's flaw), it is highly critical.
According to an advisory from the ISC (Internet Systems Consortium), the lead sponsor behind BIND:
"Receipt of a specially-crafted dynamic update message to a zone for which the server is the master may cause BIND 9 servers to exit. Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master. Launching the attack against slave zones does not trigger
The end result is a denial of service attack. ISC has an update out now and is urging users to upgrade. So do yourself a favor and upgrade to the patched versions 9.4.3-P3, 9.5.1-P3 or 9.6.1-P1.
IBM gets static app testing vendor Ounce
By Sean Kerner | July 28, 2009
IBM has been busy today - they acquired metrics vendor SPSS for $1.2 billion - and oh yeah they also bought Ounce Labs.
Financial terms of the deal have not been disclosed - Ounce is privately held.
Ounce is a static analysis vendor and will fill in a key part of IBM's Rational portfolio in my opinion.
Back in 2007, IBM acquired Watchfire and their AppScan web application security technology. As far as I know, AppScan does not do static analysis and I don't think that static analysis is something that IBM Rational has ever been known for.
Static analysis is a critical type of software testing that looks for code-level software defects. Static code analysis typically involves a data-flow analysis that looks for defects along a code path.
Some of the competitive vendors (again my view) in the static space are Coverity, who just recently helped to plug a Linux kernel vulnerability thanks to static analysis. Other vendors include Klocwork and Fortify.
The plan is to integrate Ounce into the IBM Rational AppScan product family, which will now give IBM a more robust code-to-production portfolio of software development, analysis and security solutions. It's a tall order, but with all the assets that IBM now has, there can be little (if any) doubt that IBM is very serious about the business of security at all stages of IT.
Novell Brings Linux Appliances to the Studio (not Hyper-V)
By Sean Kerner | July 28, 2009
Novell has been talking about its Linux appliance program for over a year and now it's ready to show off the fruit of their labor.
Today, Novell is officially making its SUSE Studio online appliance building tool available as part of the SUSE Appliance Program. The Appliance program is Novell's effort to gain share in the Linux market by way of providing a route to market and deployment for software vendors.
"This program is really about making life easier for the ISV (independent software vendor), creating and updating the appliance and remotely configuring the appliance and then getting it to market," Matt Richards, senior program manager at Novell, told InternetNews.com.
A software appliance is a software application bundled together with an operating system on a single image. A software appliance can be booted up on a LiveCD, run as a virtualized image or even used as the basis for a hardware appliance.
Though Novell is a key partner of Microsoft, Novell's SUSE Studio today (at least as far as Richards told me) does not support Microsoft's Hyper-V. Novell is supporting Xen and VMware as well as Amazon EC2 at this stage.
Considering all the hype surrounding Microsoft code contribution for Hyper-V last week, isn't it just a *little* surprising that Microsoft's primary Linux partner doesn't have Hyper-V as part of its appliance go to market strategy?
Black Hat Las Vegas 2009: Prepare to be empowered.
By Sean Kerner | July 28, 2009
Feeling more insecure than usual?
Seeing a few more stories this week about IT security than normal? Don't worry, it's not the apocalypse - it's just time for the Black Hat Las Vegas security conference.
Lots going on this year (as usual); the toughest thing for me about Black Hat is always choosing which session to go to. This year Black Hat has 8 concurrent sessions, each running about 70 minutes.
Metasploit gets a whole track of its own on day one; if this were any other conference that would have been enough. Metasploit is an open source vulnerability testing framework. The neat thing about it is that it takes bugs/exploits and 'weaponizes' them, so that a bug becomes a working exploit. There are three key Metasploit sessions I'll be in - one about attacking Macs, another on Oracle. The third is about how to detect if you've been probed/attacked with Metasploit.
HP's SPI Dynamics guys are going to be talking about a browser darknet - a way to create a hidden internet with browsers.
SSL gets a thorough examination again. At the Black Hat DC event earlier this year, Moxie Marlinspike released a tool to thwart SSL; he's back for Vegas with more.
While there are a lot of software-related talks covering conventional PCs, servers and software applications, there is also some really interesting hardware-ish hacking too.
Mozilla Firefox 4 - Tabs on top?
By Sean Kerner | July 27, 2009
Firefox 3.5 is now out, Firefox 3.6 is rapidly approaching its first official alpha milestone - and Firefox 4 is now getting mock ups?
First off, you cannot judge a book - or in this case - a browser - by its cover. Firefox 4, whenever it appears won't just look different, it will be different, in terms of the underlying Gecko/Mozilla platform.
Mozilla now has a wiki page with theme mockups for Firefox 4 that show what next-gen Firefox might look like. Among the concepts being floated by Mozilla is a 'tabs on top' concept that to me looks very, very similar to Google Chrome.
All the mock-ups currently posted are also missing the search box that Firefox has had since Firefox 2.x. Instead it looks to me like search could migrate to the location bar -- again something that Chrome already does.
Microsoft reduces exploitability by being 'open'
By Sean Kerner | July 27, 2009
Microsoft today is releasing a pair of new security efforts that are all about being more open when it comes to security.
Project Quant is a new open community effort that is tasked with developing an update management cost model, while the Microsoft Office Visualization Tool (OffVis) is about ensuring you don't get Rick Rolled (i.e., hit by an Office-borne virus).
Both of those are good new ideas, though the biggest thing that Microsoft has done in recent years to reduce exploitability, in my opinion, has been to actually define exploitability.
A year ago, Microsoft rolled out its Microsoft Exploitability Index and the Microsoft Active Protections Program (MAPP) as efforts to provide new visibility into security vulnerabilities that affect Microsoft products.
What that has meant to me, is that when I write about a particular Microsoft vulnerability, I've got an official Microsoft metric on how likely it is that the issue could be exploitable. This is a very valuable thing, since there are a seemingly endless number of bugs in all software - not all of them lead directly to immediately exploitable software.
Are IT security journalists -- insecure?
By Sean Kerner | July 24, 2009
With Black Hat coming, I get a lot of 'interesting' pitches from PR people. One particularly interesting one I received is alleging that media professionals and organizations are vulnerable to IT security attacks.
"Members of the press are dropping the ball in efforts to protect themselves against online threats, even though they are more aware of and active in covering the subject, according to the results of a poll recently conducted by the BPM Forum and AVG Technologies," the pitch states.
O RLY?? I didn't know I was dropping the ball.
Some of the figures from the survey (and for the record I was not a participant in the survey, nor was I solicited to be one, even though I was solicited on the PR pitch about the news):
- 80 percent of media staff rarely or never inform their network administrator of online security concerns they have
- More than half don't change their passwords, or rely on their company to do it for them
- Nearly 70 percent of press reporters and editors feel threatened by online malware or spyware
Nortel Wireless auction is today - will RIM win?
By Sean Kerner | July 24, 2009
A month ago, bankrupt Canadian Telecom giant Nortel announced that it had entered into a 'stalking horse' agreement with Nokia-Siemens to sell off its wireless assets for $650 million. The stalking horse part means that others could emerge to bid for the assets - and that's what has happened.
The official auction of Nortel's wireless assets is set for today, with multiple bidders involved. In addition to Nokia-Siemens, MatlinPatterson ($725 million) and Ericsson ($730 million) are now bidding as well. RIM might be involved too, with a bid as high as $1.1 billion.
The winner of the auction should be named later today or possibly tomorrow.
The way I see it, with all the noise that RIM has made, if they don't win, I'd bet that they will appeal the outcome to the courts and the Canadian Government as well.
Google Chrome 18.104.22.168 gets Extensions update
By Sean Kerner | July 23, 2009
Google Chrome doesn't have Extensions support yet does it? Actually it does, if you're running the dev-channel 22.214.171.124 version.
The new release has an auto-update mechanism powered by Google Omaha (similar to how Chrome itself gets updated). Firefox users don't have Omaha, but they have the option of choosing to check (and update) their Add-ons. The Chrome approach will be more transparent and behind the scenes requiring little (if any) user interaction (Firefox users still have to actually click something to update).
Overall, Google notes that it is making progress on Extensions for Chrome though they are not yet complete.
"While the system is not yet complete, we've noticed that a lot of you have started creating and installing extensions for daily use," Aaron Boodman, Software Engineer, blogged. "This is really encouraging, and it motivates us to quickly finish things up, to enable extensions by default on all Google Chrome releases."
It also looks like the final extensions release will also have a gallery system showing off all the different extensions as well (which makes sense since how else would you find them all?).
Microsoft takes aim at Red Hat for Patents, IP
By Sean Kerner | July 22, 2009
From the 'can open source and patents get along?' files:
Microsoft made waves this week with their GPLv2 contribution of virtualization code. On the other side of the coin, Microsoft continues to take issue with open source vendors over the issue of patents.
One vendor that has called on Microsoft to be more open is Red Hat. In a blog post, Red Hat's legal team praised Microsoft's code contribution while asking Microsoft to change its stance on patents.
"To win the respect and trust of the Linux community, Microsoft should unequivocally disavow such conduct and pledge that its patents will never be used against Linux or other open source developers and users," Red Hat stated.
Microsoft however has a different opinion.
Gutierrez, Corporate VP and Deputy General Counsel at Microsoft, has blogged his own response to Red Hat's call.
"Some observers question how a company can contribute to open source projects while, at the same time, insisting on respect of its intellectual property rights by its competitors," Gutierrez blogged. "In fact, these two things are not inconsistent, and striking a balance between them is one of the key things every commercial technology company must do in order to compete effectively in a mixed source world. Microsoft has been consistent in its approach to the issue of IP and open source software. We have shown our openness to licensing our patented inventions on commercially reasonable terms even to our direct competitors."
In my personal opinion, Gutierrez is however missing the point of why so many in the open source community have issues with Microsoft's patent position. First off, to be sure - Microsoft has clearly made tremendous and commendable strides in working with open source vendors and technologies. The patent issue is a little different though.
Mozilla updates Thunderbird 3, Firefox 3.x
By Sean Kerner | July 22, 2009
Mozilla is updating its Firefox 3.x browser to version 3.0.12 for five critical security vulnerabilities. All of the issues have already been addressed in the latest Firefox 3.5.1 update which came out last week.
There is one particularly interesting fix in the 3.0.12 update dealing with Flash. According to Mozilla's security advisory:
"When a page contains a Flash object which presents a slow script dialog, and the page is navigated while the dialog is still visible to the user, the Flash plugin is unloaded resulting in a crash due to a call to the deleted object. This crash could potentially be used by an attacker to run arbitrary code on a victim's computer."
So it's a Flash flaw, but one that is something that Mozilla can fix - this is something that is already fixed in Firefox 3.5.1.
While Mozilla is steaming ahead pushing users to update to Firefox 3.5.x -- Mozilla's other big program -- Thunderbird is moving along at a snail's pace.
Blue Coat claims lead in WAN optimization market
By Sean Kerner | July 21, 2009
WAN optimization and app delivery vendor Blue Coat for the first quarter of 2009 was the leader for global market share in the WAN Application Delivery market. That's no small feat.
It's a claim that Blue Coat stated today in a press release with stats taken from the IDC report, "Worldwide WAN Application Delivery 2008 and 1Q09 Vendor Shares." (I do not currently have a copy of that report myself.)
According to Blue Coat the report pegs Blue Coat as the market leader for the first quarter of 2009 with 29.5 percent market share on $67.4 million in revenue. Considering the competition in the WAN Application Delivery market which included Cisco, Riverbed and Citrix to name just a few, being number one is a big deal in my view.
"Blue Coat established itself as the market leader in the first quarter of 2009," Lucinda (Cindy) Borovick, vp of data center networks, IDC said in a statement. "This leadership results from a differentiated value proposition for the distributed enterprise."
Borovick notes in a different statement that "... IDC believes that this market will continue its fast-paced, highly competitive spirit as new branch platforms and virtual form factors enter the market."
I completely agree.
Ubuntu Launchpad now open source (finally!)
By Sean Kerner | July 21, 2009
One of the biggest tech levers that fuels the Ubuntu community is the Launchpad platform. It's a collaborative platform that integrates with Ubuntu's Bazaar (Bzr) version control system to let developers share and host code.
Ironically, though Launchpad is a system used to help open source developers build applications, Launchpad itself was not open source - until today that is.
Launchpad is now available under the GNU Affero General Public License, version 3. Though Launchpad is now open source, Ubuntu is not providing a packaged version for easy download (yet).
"Since we do new rollouts of Launchpad directly from Bazaar branches anyway, that's how we distribute the source code to developers," the Launchpad documentation states. "There are no plans to package Launchpad, its deployment is
It's also currently only available for Ubuntu Linux, so if you wanted to try and install Launchpad on a different distro, you're on your own.
Symbian signed malware - does signing matter?
By Sean Kerner | July 20, 2009
The Symbian mobile OS is used by millions of phones globally and thanks to a (now corrected) oversight they could have potentially installed malware - with Symbian's approval.
Symbian has a program called Symbian Signed - which digitally signs applications that meet the approval of Symbian. That system was thwarted and a piece of mobile malware known as Transmitter.C (aka Sexy Space and Sexy View) was signed. Symbian admitted the signing on Thursday and also provided a fix which demonstrates the power of the signing process.
"As soon as we were notified of that (the following day) we revoked both the content certificate and the publisher certificate used to sign the malware," Symbian security chief Craig Heath blogged. "That means that the Symbian software installer will not now install the malware, providing that revocation checking is turned on."
Ok so Symbian signed a bad piece of code - that's bad - but the signing system does work as it should, doesn't it?
You see, with a digital signature or certificate there is always a signing authority. That authority not only signs the app, but it is also where browsers (in this case the mobile phone) check to ensure the authenticity of the signature or certificate. The signing authority can revoke a certificate/signature, which is exactly what Symbian is doing in this case.
The system works (or does it?).
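As an added example (not Symbian's code, nor anything from the article), the following Go program models the relationship described above: a signing authority that vouches for publisher keys, an installer that verifies the signature, and a revocation list that only protects the user when the installer actually consults it. The Package and Authority types, the Install function and the payload bytes are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Package is a constructed stand-in for a signed install package: the
// application bytes plus the publisher's signature over their digest.
type Package struct {
	Name      string
	Payload   []byte
	Publisher *ecdsa.PublicKey // plays the role of the publisher certificate
	Signature []byte           // ASN.1 ECDSA signature over sha256(Payload)
}

// Authority models the signing programme (Symbian Signed in the article). Its
// two lists stand in for the data an installer consults: which publisher keys
// the authority has certified, and which it has since revoked.
type Authority struct {
	trusted map[string]bool
	revoked map[string]bool
}

func NewAuthority() *Authority {
	return &Authority{trusted: map[string]bool{}, revoked: map[string]bool{}}
}

// Fingerprint identifies a publisher key the way a certificate thumbprint would.
func Fingerprint(pub *ecdsa.PublicKey) string {
	h := sha256.New()
	h.Write(pub.X.Bytes())
	h.Write(pub.Y.Bytes())
	return hex.EncodeToString(h.Sum(nil)[:8])
}

// Trust is the authority vouching for a publisher (issuing its certificate).
func (a *Authority) Trust(pub *ecdsa.PublicKey) { a.trusted[Fingerprint(pub)] = true }

// Revoke is what Symbian did once the malware was reported: the key goes on
// the revocation list, although signatures made with it still verify.
func (a *Authority) Revoke(pub *ecdsa.PublicKey) { a.revoked[Fingerprint(pub)] = true }

// Sign produces a package signed with the publisher's private key.
func Sign(name string, payload []byte, priv *ecdsa.PrivateKey) (Package, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return Package{}, err
	}
	return Package{Name: name, Payload: payload, Publisher: &priv.PublicKey, Signature: sig}, nil
}

// Install is the installer-side decision. A signature that verifies against a
// certified key is accepted unless revocation checking is on and the key has
// since been revoked: exactly the caveat in Heath's quote.
func (a *Authority) Install(p Package, checkRevocation bool) error {
	digest := sha256.Sum256(p.Payload)
	if !ecdsa.VerifyASN1(p.Publisher, digest[:], p.Signature) {
		return errors.New("signature does not match payload")
	}
	fp := Fingerprint(p.Publisher)
	if !a.trusted[fp] {
		return errors.New("publisher is not certified by the signing authority")
	}
	if checkRevocation && a.revoked[fp] {
		return errors.New("publisher certificate has been revoked")
	}
	return nil
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	auth := NewAuthority()
	auth.Trust(&priv.PublicKey)
	// Constructed payload; it only stands in for the bytes of a signed app.
	pkg, err := Sign("example.sis", []byte("constructed application bytes"), priv)
	if err != nil {
		panic(err)
	}
	fmt.Println("before revocation:", auth.Install(pkg, true))
	auth.Revoke(&priv.PublicKey)
	fmt.Println("after revocation, checking off:", auth.Install(pkg, false))
	fmt.Println("after revocation, checking on: ", auth.Install(pkg, true))
}
```

With revocation checking off the third call still returns nil, which is the situation Heath's caveat warns about.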
Red Hat on the S&P 500 is a sign of Linux maturity By Sean Kerner | July 20, 2009
When Red Hat had its IPO in 1999, many (myself included) saw it as the real coming of age of Linux. While there is little doubt that IPO was a big event for Red Hat and Linux, perhaps an even more important one from a milestone point of view will officially occur this Friday.
As of Friday July 24, Red Hat will join the S&P 500 index.
In my opinion this is a major milestone for Red Hat and for Linux.
Red Hat started off on the NASDAQ in 1999 then moved to the NYSE in 2006. Two years later, the NYSE itself moved to Linux as the underlying operating system for trading operations. While financial services are a key vertical for Red Hat, it's not the only one.
In the last several Red Hat earnings calls, analysts keep asking how Red Hat's exposure to financial services is affecting its bottom line. The answer is self-evident. In its first quarter fiscal 2010 earnings, Red Hat showed continued growth despite the global economic downturn.
How did that happen?
Firefox 3.5.1 at risk? Maybe, maybe not. By Sean Kerner | July 20, 2009
Mozilla just patched their Firefox 3.5.x browser last week - but security researchers are already claiming there is yet another security flaw.
Mozilla disputes the claim.
Mike Shaver, VP Engineering at Mozilla, is denying the report that Firefox 3.5.1 can be exploited by the new flaw. He is not, however, denying the fact that for some users the flaw could lead to a browser crash or denial of service condition (my own quick test with the proof of concept crashed a 3.5.1 browser running on Windows XP SP3).
"In the last few days, there have been several reports (including one via SANS) of a bug in Firefox related to handling of certain very long Unicode strings," Shaver stated on the Mozilla Security Blog. "While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug. Our analysis indicates that it is not, and we have seen no example of exploitability."
Bugs that trigger crashes are not uncommon in Firefox, and a search through the Bugzilla database will find a few of them. The catch in my opinion is always whether or not the flaw is exploitable - a crash by itself, while annoying, is not necessarily a critical security issue.
Energy Efficient Ethernet hits standards milestone By Sean Kerner | July 17, 2009
I've been writing about Energy Efficient Ethernet for over a year now, as the effort to make Ethernet more green winds its way through the standards bodies.
This week the effort hit a standards milestone with the approval of a draft of the IEEE P802.3az Energy-Efficient Ethernet standard. The draft now gets forwarded onward to an IEEE working group ballot. According to backers, the final standard is on track for final approval in September 2010.
The goal of Energy Efficient Ethernet is to reduce Ethernet power consumption by 50 percent or more - which isn't a trivial thing to do.
"This is the first project in the history of Ethernet aimed specifically at reducing energy use," says Michael Bennett, Senior Network Engineer, Lawrence Berkeley National Laboratory and Chair, IEEE P802.3az, Energy Efficient Ethernet Task Force in a statement. "IT managers are faced with ongoing pressures to balance energy use and reduce energy costs. Reaching this milestone is an important step towards providing network designers with additional tools to reduce energy consumption."
So what is it all about? How can Ethernet power consumption be reduced?
Nmap 5 improves open source network security auditing By Sean Kerner | July 17, 2009
From the 'what's running on your network?' files:
When it comes to network scanning, Nmap is a critical open source tool that many (myself included) have relied on for years. This week the biggest update since 1997 is out in the form of Nmap 5.0.
Nmap is a great first step in trying to enumerate a network and see what it's running as well as which ports might be open (or closed). Nmap is also a key tool in the fight against Conficker and can be used to detect an infected node on a network.
The new release is supposed to be faster than prior versions, and in the day that I've been trying it out so far, it sure seems to be a whole lot faster to me than the 4.x release I had been using.
Aside from speed there are the new tools like Ncat that make Nmap 5 a major release.
"The new Ncat tool aims to be Army Knife for data transfer, redirection, and debugging," the Nmap 5.0 release announcement states.
Extensibility is a key theme of the release, with the Nmap Scripting Engine (NSE) getting a big boost in version 5.
Cisco layoffs today? By Sean Kerner | July 16, 2009
Back in February, Cisco CEO John Chambers said he was optimistic that Cisco could emerge from the recession without major layoffs.
That doesn't mean Cisco isn't restructuring and reducing staff - which is happening this week. I contacted Cisco today to find out what was going on and received the following statement:
This limited restructuring is part of our ongoing, targeted realignment of resources and was previously discussed on our fiscal second and third quarter 2009 earnings calls. While Cisco constantly manages its business priorities, resources and overall employee alignment as part of our overall business management process, we are sensitive to the impact these decisions have on employees during this challenging economic environment. We are doing everything possible to minimize the impact on employees affected by the limited restructuring.
At the end of the second quarter, Cisco's headcount totaled 67,318, which was a decrease of 329 staffers from the end of the first quarter of 2009. At that time, Chambers forecast a near term reduction of between 1,500 to 2,000 jobs at Cisco.
According to my sources, there will be layoffs in the 600-700 person range for the Cisco San Jose office alone. That number will become public knowledge soon, as there is a Department of Labor requirement (or so I've been told) that requires that disclosure.
The actual total headcount reduction across all the Cisco offices affected by today's layoff likely won't be made public until Cisco's Q4 2009 call in August.
Good luck to all those involved, losing a job is never easy. If analyst forecasts are correct though, the networking sector could be on track for recovery in 2010. Let's just hope that the recovery is a job-filled recovery.
Microsoft signs Linux patent deal with Buffalo By Sean Kerner | July 16, 2009
Linux users take note: Microsoft has signed another patent licensing agreement with a Linux-using vendor. In this new case, Microsoft has signed a deal with Melco Group, the group that owns tech vendor Buffalo Technology.
The deal specifically deals with Buffalo's NAS (network attached storage) devices as well as Buffalo routers - both of which run Linux.
we plan to increasingly adopt Windows Storage Server for our NAS business, we also wanted to ensure that our open source and Linux-embedded devices had the appropriate IP protections," said Hajime Nakai, director and member of the board at Buffalo, in a statement. "By collaborating with Microsoft on a practical business solution, we are able to provide our customers with the appropriate IP coverage, while also maintaining full compliance with our obligations under the GPLv2."
Microsoft has not specifically disclosed which patents it is licensing to Melco - which is a cause for concern in my opinion.
Twitter hack was wrong - where have ethics gone? By Sean Kerner | July 16, 2009
Reports are out that a hacker broke into the personal files of Twitter employees by way of password guessing then sent those files to popular tech site TechCrunch where some of them have been published.
What's wrong with this picture?
If someone broke into your house, stole your bank statements, sent them to a media outlet and then were published, wouldn't the police be involved?
Was the information illegally obtained? If you access an email account that isn't yours (by brute force or otherwise) isn't that a crime?
Officially speaking Twitter has stated that:
"We are in touch with our legal counsel about what this theft means for Twitter, the hacker, and anyone who accepts and subsequently shares or publishes these stolen documents. We're not sure yet exactly what the implications are for folks who choose to get involved at this point but when we learn more and are able to share more, we will."
Firefox 3.5 zero-day flaw fixed in Firefox 3.6 By Sean Kerner | July 16, 2009
On Tuesday, I wrote about the new critical 0-day flaw that is now publicly available for Firefox 3.5. As of 10 AM ET today there is no publicly released fix for regular Firefox 3.5 users, but users of the next generation Firefox 3.6 browser are already covered.
"It was checked in yesterday, a few hours _before_ we learned of the milw0rm posting," Veditz wrote. "This fix was going to be in the 3.5.x update we had scheduled for the end of July, but obviously now we have moved up the schedule for release."
Google Courgette. Faster, smaller updates for Chrome By Sean Kerner | July 15, 2009
If you're a Google Chrome user (on Windows), then you've got googleupdate.exe running - providing silent continuous updates to Chrome as Google releases them (*update* - Google Update actually now works with the Windows Update scheduler - thanks P Kasting for commenting!).
The only problem is that sometimes an update can be a bit large, which is where the new Courgette system comes in. With Courgette, Google is going to push down a compressed 'diff' to users. That is, instead of an entirely new application, users receive the diff: the difference between old and new (the delta).
"It is an anathema to us to push out a whole new 10MB update to give you a ten line security fix," Stephen Adams, Google software engineer wrote in a blog post. "We want smaller updates because it narrows the window of vulnerability. If the update is a tenth of the size, we can push ten times as many per unit of bandwidth."
Adams added that means that users can be protected earlier and the smaller update will also work better for users on slower network connections.
It makes a whole lot of sense to me. The diff approach isn't new; Adams mentions bsdiff in his post, but he also notes that Courgette produces diff files that are even smaller. As an example of the difference in file sizes, Adams said that for a recent Chrome dev-channel update the full update was 10.4 Megabytes (MB), the bsdiff update was 704.5 KB and the Courgette update was only - get this - 78 KB.
That is an astounding level of difference.
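An added example, not Courgette's or bsdiff's algorithm and not code from Google: a simplified block-matching delta in Go that shows why a ten-line fix in a large binary yields a tiny delta, and the check an updater should make before trusting the rebuilt file. The MakeDelta, Apply and Sample names, the generated sample bytes and the Size accounting are constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// blockSize is the granularity at which MakeDelta looks for reusable runs of old (constructed, small).
const blockSize = 8

// Op is one delta instruction: copy Length bytes from Offset in the old file, or insert Data.
type Op struct {
	Copy           bool
	Offset, Length int
	Data           []byte
}

// Delta is what the updater downloads: the ops, the digest the rebuilt file must match, and
// Size, the bytes a compact encoding would take (5 per op header, 4 per copy offset, literal data, digest).
type Delta struct {
	Ops  []Op
	Want [sha256.Size]byte
	Size int
}

// MakeDelta indexes old in aligned blocks and walks target: a block found in old becomes a
// copy, extended while the bytes keep agreeing; everything else is carried as literals.
func MakeDelta(old, target []byte) Delta {
	index := make(map[string]int)
	for i := 0; i+blockSize <= len(old); i += blockSize {
		index[string(old[i:i+blockSize])] = i
	}
	d := Delta{Want: sha256.Sum256(target), Size: sha256.Size}
	var lit []byte
	flush := func() {
		if len(lit) > 0 {
			d.Ops, d.Size, lit = append(d.Ops, Op{Data: lit}), d.Size+5+len(lit), nil
		}
	}
	for i := 0; i < len(target); {
		if i+blockSize <= len(target) {
			if off, ok := index[string(target[i:i+blockSize])]; ok {
				flush()
				n := blockSize
				for i+n < len(target) && off+n < len(old) && target[i+n] == old[off+n] {
					n++
				}
				d.Ops = append(d.Ops, Op{Copy: true, Offset: off, Length: n})
				d.Size += 9
				i += n
				continue
			}
		}
		lit = append(lit, target[i])
		i++
	}
	flush()
	return d
}

// Apply rebuilds the file from old plus the delta; a copy outside the old file or a result
// whose digest differs from the shipped one is rejected rather than trusted.
func Apply(old []byte, d Delta) ([]byte, error) {
	var out bytes.Buffer
	for _, op := range d.Ops {
		if op.Copy && (op.Offset < 0 || op.Length < 0 || op.Offset+op.Length > len(old)) {
			return nil, fmt.Errorf("copy %d+%d lies outside the old file", op.Offset, op.Length)
		}
		if op.Copy {
			out.Write(old[op.Offset : op.Offset+op.Length])
		} else {
			out.Write(op.Data)
		}
	}
	if sha256.Sum256(out.Bytes()) != d.Want {
		return nil, fmt.Errorf("rebuilt file does not match the expected digest")
	}
	return out.Bytes(), nil
}

// Sample builds a constructed "old binary" from a deterministic generator and a "new binary"
// that differs by a small patch in the middle plus a few appended bytes.
func Sample(seed uint32, size int) (old, target []byte) {
	old = make([]byte, size)
	for i := range old {
		seed = seed*1103515245 + 12345
		old[i] = byte(seed >> 16)
	}
	target = append([]byte(nil), old...)
	copy(target[size/2:], "constructed ten-line security fix")
	return old, append(target, "+3"...)
}

func main() {
	old, target := Sample(1, 4096)
	d := MakeDelta(old, target)
	_, err := Apply(old, d)
	fmt.Println("full update", len(target), "bytes; delta", d.Size, "bytes; apply error:", err)
}
```

The digest check is what stops a delta that was meant for a different base version from quietly producing a corrupt executable.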
Recovery for telcom/networking gear in 2010? By Sean Kerner | July 15, 2009
Infonetics Research is now forecasting a recovery of the telecom/datacom equipment market in 2010.
While the recession officially started in the US in 2008, Infonetics is now reporting that the telecom and datacom (networking) equipment vendors they track hit global revenues of $150 billion in 2008. That represents a year over year growth rate of 8 percent. That growth wasn't due to increased unit shipments, but rather the depreciation of the US dollar in relation to other currencies.
For 2008, Infonetics names Cisco as the overall global leader in telecom/datacom network equipment with Alcatel-Lucent and Ericsson following.
"Though service provider capital expenditures are slightly decreasing in 2009 and 2010, spending is still on the rise for products that help carriers transform their networks," Jeff Wilson, Infonetics Research's Principal Analyst for Network Security said in a statement.
Cisco: Want security? You need IPS and WAF By Sean Kerner | July 15, 2009
From the 'real hardware for real threats' files:
My colleague Alex Goldman wrote a great story yesterday about Cisco's mid-year security report. Cisco's report (and the story) has a strong emphasis on what IT can do to better secure itself with best practices and awareness of threats, insider and otherwise.
One thing that report doesn't specifically call out is the need for hardware - specifically IPS (Intrusion Prevention System) and WAF (Web Application Firewall) technologies. It's something that I asked Patrick Peterson, Cisco fellow and Chief Security Researcher about (pic above left from a screen capture I took during the webcast) during a live webcast discussing the Cisco security report.
"In the report we talk specifically about vulnerabilities that are always present in a large organization and you can't be 100 percent protected from all the time. That's where IPS comes in," Peterson said. "The ability for IPS to be updated more quickly than you can thousands of PCs and be able to stop attacks is very valuable."
Will the US State Dept please use Firefox? By Sean Kerner | July 14, 2009
In a really interesting town hall exchange (for which a full transcript is now available) a US State Department official asked Mrs. Clinton if he could please get the Mozilla Firefox browser for his PC.
"I just moved to the State Department from the National Geospatial Intelligence Agency and was surprised that State doesn't use this browser," Jim Finkle asked. "It was approved for the entire intelligence community, so I don't understand why State can't use it. It's a much safer program."
That admission, from a former member of the US intelligence establishment is interesting itself. I personally did not know that Firefox was approved in that way by the US intelligence community -- though I'm not surprised. It also speaks to a lack of a cohesive IT policy across all US government assets.
Clinton didn't know the answer to Finkle's question so she referred it to her under secretary. Under Secretary of State Kennedy told Finkle that it is an expense question, to which Finkle replied that Firefox is free.
US-CERT is warning today about a new un-patched 0-day Firefox 3.5 vulnerability. According to US-CERT, the vulnerability is due to an
There is proof of concept code for the exploit publicly available now and as such, in my opinion, this represents an immediate threat to Firefox 3.5 users. To the best of my knowledge this is the first 'critical' flaw publicly reported for the Firefox 3.5 release, which came out two weeks ago.
The code that I saw was written by security researcher Simon Berry-Byrne and is officially titled, "Firefox 3.5 Heap Spray Vulnerability." Berry-Byrne in his proof of concept code thanks security researcher H D Moore, "...for the insight and Metasploit for the payload." Metasploit is an open source security testing framework which can enable an attack to become 'weaponized' for testing and research purposes.
There is a second potential vulnerability that is making the rounds in the security research community involving a DNS leakage in Firefox 3.5.
Linux achieves 1 second boot By Sean Kerner | July 14, 2009
The race for the fastest Linux boot has been going on for about a year at this point and now we've got a new winner. Embedded Linux vendor MontaVista today is announcing the demonstration of a 1 second Linux boot.
In contrast the fastest production Linux releases today are in the 20-25 second range.
To be fair, MontaVista's Linux with the 1 second boot is embedded and designed specifically for the Freescale Semiconductor MPC5121e hardware built on Power Architecture technology. That's not to say they can't get the same performance on other architectures; it's just that this is the hardware on which the first 1 second boot is being demonstrated.
"The achievement of one second boot from cold power to operational status is a breakthrough in embedded Linux performance," said Jim Ready, CTO of MontaVista Software in a statement. "It's always been thought that embedded Linux could never perform at this level of speed and efficiency."
Why Oracle won't kill openSolaris By Sean Kerner | July 13, 2009
From the "speculation of premature termination" files:
Lots of chatter today about Oracle planning on killing off openSolaris, once it completes its acquisition of Sun.
I don't think so. Killing openSolaris is at this point the same as killing Solaris itself, which would be madness. While Oracle is a huge backer of Linux, it has many customers on Solaris. The future of Solaris, what was once called Solaris Next, is openSolaris.
In true open source fashion, openSolaris is the project that develops new technologies for Solaris. OpenSolaris is not just a standalone open source project; it is the Solaris 11 incubator. Sun officials most recently re-iterated that fact when openSolaris 2009.06 was released last month.
Now there may be a question of priorities once Oracle takes over Sun which could limit the investment in Solaris overall. But don't forget that Oracle today supports multiple flavors of Unix, Linux and Windows.
Oracle supports a multi-OS strategy because that's what its customers want. I doubt very much that Oracle would want to alienate its own customers (that is, Oracle users who have been running Solaris for years).
Nortel's Olympic loss is Cisco's London gain By Sean Kerner | July 13, 2009
Nortel Networks has been in bankruptcy protection for all of 2009 and is now trying to sell itself off piece by piece. Should it be any surprise that some big names are now dropping Nortel?
The London Olympics 2012 organizing committee announced late last week that they were dumping Nortel as the lead networking vendor for the event. Replacing Nortel will be Cisco -- though Cisco is not coming in as a sponsor in the same capacity that Nortel would have.
Nortel had been a Tier One sponsor while Cisco is coming in as a Tier Two sponsor. The difference in sponsorship levels could be a loss of $20 million for the London Olympics, according to multiple reports.
Nortel however is still set to be the networking vendor for the 2010 Vancouver Winter Games at this point.
From my own point of view, it's still uncertain whether or not a company named 'Nortel' in any capacity will still actually exist once the 2010 Olympics roll around - so I don't think the book is closed on that event's networking vendor yet either.
Mozilla Jetpack 0.3 slides in By Sean Kerner | July 13, 2009
Mozilla's Jetpack project was updated over the weekend to version 0.3, improving on a number of key features. Jetpack is Mozilla's vision for a next generation add-on technology - add-ons are very important to Mozilla with over a billion total installs.
From my vantage point the biggest change in Jetpack 0.3 is the set of improvements to the SlideBar. Basically, SlideBar is Mozilla's Jetpack term for a browser side bar.
"Slide bars have been very well received, with dozens of Jetpacks implementing on top," the Jetpack 0.3 release announcement states. "Based on the feedback we got, we've dramatically revised the API. We've also added new features, like the ability for a slide bar to notify the user of an update in a fun but non-obtrusive
Makes a lot of sense to me.
I'm still not clear on how the existing massive user community of Mozilla add-ons will transition to Jetpack over time. Mozilla says that over 60,000 currently have Jetpack. That number isn't too shabby for an early effort, but it still has some ways to go before it can eclipse the existing method of browser add-ons.
The real key in my opinion is when/if Mozilla will decide to formally integrate Jetpack into Firefox 3.6. They've already decided to integrate Ubiquity (as Taskfox). Adding Jetpack is likely just a matter of time - until the APIs settle and core functionality is stable.
Mozilla Ubiquity 0.5 update - Taskfox for Firefox 3.6? By Sean Kerner | July 10, 2009
From the 'Firefox 3.6 features' files:
With Firefox 3.5 now a stable release (with an update coming soon), I'm turning my attention to the next release, Firefox 3.6. One of the key new features that should be part of that release is the Mozilla Labs project called Ubiquity -- though in Firefox 3.6 it is being called Taskfox.
Ubiquity is an interesting tool that enables developers (and end users) to have commands they can send through the browser in order to execute tasks. The Ubiquity 0.5 update is a major release for the project - and it breaks compatibility with older Ubiquity releases.
"The new version of the parser has a new API for command developers," Mozilla Ubiquity developers blogged. "Unfortunately, this means custom Ubiquity commands will need to be updated in order to work with the new version. Fortunately, the required updates are very minor; they mostly have to do with how commands declare their arguments."
The new API is a key feature of the 0.5 release and it fixes a few things that the older versions of Ubiquity could not do.
Fedora 9 is dead. Long Live Fedora 10 and 11? By Sean Kerner | July 10, 2009
From its initial creation out of what was once the Red Hat Linux distribution, Fedora has always been a fast moving distribution. As part of that fast moving approach, older releases don't live all that long. The current policy is that releases will live only until one month after the N-2 (next two) release is out. Fedora 11 came out one month ago and now it's time for Fedora 9 to go away.
Officially speaking, this is the end of life for Fedora 9, which was released in May of 2008. Fedora 9 was an important release for Fedora and Red Hat as it helped to re-affirm Red Hat's commitment to the Linux desktop, following some communication earlier that year that seemed to imply that Red Hat was getting out of the desktop business.
It will be interesting to see as the weeks go by, how many Fedora 9 users drop off and become Fedora 11 users. According to the most recent Fedora stats (June 1, 09), there are over 3 million installations of Fedora 9.
Apple updates Safari 4.0.2 for two security issues By Sean Kerner | July 09, 2009
Apple's Safari 4 is being patched for a pair of security issues that affect both Mac and Windows versions. Both of the issues involve patches to WebKit.
One of the patched issues is a Cross Site Scripting (XSS) flaw. According to Apple's advisory on the flaw:
"An issue in WebKit's handling of the parent and top objects may result in a cross-site scripting attack when visiting a maliciously crafted website. This update addresses the issue through improved handling of parent and top objects."
The second issue is a memory corruption issue that could lead to a crash or possibly arbitrary code execution.
The 4.0.2 update is the first update to Safari since it came out of beta in June. If you're a Safari user (I've got it running on a Windows test box now) you should see an update notification today - so be sure to update!
Google Chrome 3.0.192.x gets better on Linux, Mac By Sean Kerner | July 09, 2009
Amidst all the excitement yesterday of the Google Chrome OS announcement, Google slipped out a new update to its Chrome browser. Let's not forget that Chrome, as a real product right now, is just a browser - and one that isn't yet even stable on Linux.
Google is however working at improving Chrome on Linux, which makes sense considering that Chrome OS is after all, set to be a Linux OS.
Chrome 3.0.192.x fixes a number of items across Windows, Mac and Linux versions. The new version continues Chrome's march toward full extension support with at least one key bug fix.
Linux users will now get their initial taste of GTK theme support (enabling a smoother integration with the look of a user's desktop). Mostly though, this looks to me to be a bug fix heavy release.
On Linux for example there is a bug fixed where, according to Google's release notes, "...users were getting a resize cursor near the top the web content area."
In total the release notes peg four specific Linux release fixes as well as four for the Mac release, fixing stability and bug issues.
For the Linux version, I would expect that with Chrome OS now a declared initiative from Google, we will see more aggressive development - at least towards Windows parity for stability. Both the Linux and Mac versions of Chrome are not yet available in the stable channel and are currently only available as dev-channel releases.
Google Chrome OS - a new open source Linux distro By Sean Kerner | July 08, 2009
Google's Android mobile OS is not the only OS up Google's sleeve. Google announced late Tuesday that it is working on a Linux based Chrome OS as an operating system for the web.
Don't rush out to Google to download Chrome OS today - Google doesn't expect to have it available to consumers until the second half of 2010.
architecture is simple - Google Chrome running within a new windowing system on top of a Linux kernel," Google's blog post announcing Chrome OS stated. "For application developers, the web is
The goal for Chrome OS is to run on x86 as well as ARM, which means we could see this on netbooks, regular PCs and even mobile devices at some point.
The plan is to have a secure OS, such that viruses and malware are not an issue - it's a lofty goal and one that I wish Google the best of luck in completing.
While having a browser based operating system makes a whole lot of sense to me, where does that leave Android? Is it now obsolete?
Cymphonix rolls network security via iPhone By Sean Kerner | July 07, 2009
Most network security vendors have some kind of browser based interface by which admins can monitor networks. Web security vendor Cymphonix is going a step further and extending their interface to Apple's iPhone as an app.
That's right - you can monitor and control your network from an iPhone (provided you have Cymphonix's gear).
My first thought when I saw this news was, why not just use the built-in Safari browser (or the web browser on any other mobile device for that matter).
As it turns out, network security information is often designed for regular PC sized screens making them difficult (if not impossible) to be comprehensible for phone users.
Brent Nixon, president of Cymphonix, explained to me that what the iPhone app enables Cymphonix to do is get the same info as the full browser version, just presented as a lite version. Cymphonix does not have a Blackberry version, though Nixon told me that his company is investigating what it would take to build their client for other devices; at this point he had no definitive plans.
It sure sounds simple enough to me and as the iPhone continues to gain market traction, I'd be surprised if we don't see a whole lot of network security apps show up in the App Store sooner rather than later.
Will Mono benefit from Microsoft's C# patent promise? By Sean Kerner | July 07, 2009
Microsoft is adjusting its licensing for two key standards that are critical to .NET and Novell's Linux implementation of .NET, Mono.
ECMA 334 which is a standard for C# and ECMA 335 which is a standard for .NET's CLI (Common Language Infrastructure) are now part of Microsoft's Community Promise.
Basically what that means is that anyone can now use those two standards without licensing them from Microsoft.
"Under the Community Promise, Microsoft provides assurance that it will not assert its Necessary Claims against anyone who makes, uses, sells, offers for sale, imports, or distributes any Covered Implementation under any type of development or distribution model, including open-source licensing models such as the LGPL or GPL," Microsoft blogger Peter Galli wrote on Microsoft's Port 25 open source blog.
This is potentially a big deal in that it opens up Mono (or at least parts of it) in a way that might be enough to satisfy the patent concerns that many have. Mono is part of Microsoft's interoperability agreement with Novell and was originally part of the working patent covenant established between the two vendors.
IE at risk from zero day ActiveX flaw - Vista safe? By Sean Kerner | July 06, 2009
Microsoft has issued a new security advisory for a critical security issue that could potentially enable an attacker to take control of a user's PC by way of Internet Explorer (IE).
The flaw stems from an issue in the Microsoft Video ActiveX Control. Microsoft has noted in its advisory that it is currently aware of attacks related to this flaw. Microsoft offers a work-around in its advisory to let users disable the ActiveX Control in question. According to the advisory Microsoft is currently working on a security update to fix the flaw as well. In my view this is likely to be an out of band update, though seeing as Patch Tuesday is tomorrow we could get it early too.
Microsoft's advisory notes that the update will be released, "...when it has reached an appropriate level of quality for broad distribution."
Aside from the fact that IE is at risk from a flaw, the interesting part of this flaw in my opinion, is that the function which this attack is abusing has no real use in IE in the first place.
"Our investigation has shown that there are no by-design uses for this ActiveX Control in Internet Explorer which includes all of the Class Identifiers within the msvidctl.dll that hosts this ActiveX Control," Microsoft's advisory states.
ARIN gets a new CEO - kinda By Sean Kerner | July 06, 2009
ARIN (American Registry for Internet Numbers), the organization that is tasked with allocating IP addresses in the US and Canada for both IPv4 and IPv6, is getting new leadership today. Well, officially at least they are.
ARIN has named
Nonetheless Curran is well experienced in the ways of ARIN, and has actually served as the chairman of the ARIN from
"John is the perfect person for the job. His unparalleled knowledge of ARIN and the Internet industry, along with his extensive business experience is the best possible combination to allow ARIN to meet the changing needs of the Internet community," said
Chairman of ARIN's Board of Trustees in a statement. "We are excited that he has agreed to come aboard full time to lead the organization and direct ARIN's important registry, educational and policy initiatives during this critical time for the industry."
Linux devs strike back at Microsoft patent claims By Sean Kerner | July 02, 2009
In 2007, Microsoft shook up the Linux community with claims that open source allegedly infringes on as many as 235 of Microsoft's patents. Until this year, Microsoft had not actually filed any kind of legal suits on those patents - which changed with the TomTom case.
With TomTom, Microsoft showed its hand, and identified some of its IP issues with Linux as being related to FAT. At the time, I thought the legal challenge was a great thing for Linux because it finally showed devs where Microsoft had some issues. Developers have long said they would simply replace or code around Microsoft's IP, but they first needed to know where that IP resides.
Now Linux developer Andrew Tridgell has developed a patch that could potentially help out Linux users to get around the FAT issue.
"Both the original patch and the new patch that we posted today have been through legal review by several lawyers who specialize in this area," Tridgell wrote in a mailing list posting.
Will AES crypto go the way of MD5? By Sean Kerner | July 02, 2009
The AES (Advanced Encryption Standard) is a standard encryption mechanism in use by the US Government and many others - and it is now at risk from a very theoretical attack.
The attack is what is described as a cryptanalytic attack by the researchers who have proposed that attack vector. AES is an extremely complex cryptographic algorithm and is something that, to the best of my knowledge, has not been hacked (successfully) before.
The key (no pun intended) with this new approach is that it involves massive compute power in order to potentially decipher the AES encryption.
"While this attack is better than brute force -- and some cryptographers will describe the algorithm as "broken" because of it -- it is still far, far beyond our capabilities of computation," security researcher Bruce Schneier blogged. "The attack is, and probably forever will be, theoretical. But remember: attacks always get better, they never get worse."
Schneier is absolutely right - all you need to do is look at how the MD5 cryptographic hash went from being a standard to being dropped by the US Government (and everyone else) as a secure mechanism.
Back in 2004, security researcher Dan Kaminsky wrote a paper titled "MD5 To Be Considered Harmful Some Day." Theoretical collisions were discovered in that case that, within three years, were enough to give MD5 a black eye.
Firefox 3.5.1 update coming this month By Sean Kerner | July 02, 2009
Firefox 3.5 has been out for barely two days - but an update is already being planned for later this month.
The Firefox 3.5.1 update will fix at least three key bugs that didn't get fixed in time for the official Firefox 3.5 release.
According to a Mozilla meeting wiki post:
"The goal of this release (3.5.1) should be a quick-turnaround that: fixes topcrashes and bugs we almost held ship for...can be shipped to 3.5 users in mid-to-late July, so narrow scope, small change."
Some of the top crash bugs addressed in the upcoming update include one where Arabic letters are disconnected in edit fields.
At present, I personally don't see any major security items that are tagged for the 3.5.1 update, but that is likely to change for a few reasons. One reason is that on July 10th, Mozilla has scheduled a Firefox 3.5 Security Testday.
Red Hat Enterprise Linux 5.4 beta released with KVM By Sean Kerner | July 01, 2009
Red Hat today officially announced the beta availability of Red Hat Enterprise Linux 5.4 (RHEL), which in my view is a lot more than a typical point release. Sure we're all waiting for the big RHEL 6 release, but there are some major changes in RHEL 5.4.
The most obvious change is the shift to the KVM hypervisor (as opposed to Xen). Xen is still in RHEL, but with RHEL 5.4, Red Hat is signaling its intention that KVM is (eventually) to be Red Hat's preferred hypervisor. It's a preference that Red Hat execs have indicated at multiple points this year, and it should be no surprise since Red Hat now owns lead KVM vendor Qumranet.
RHEL is Red Hat's flagship platform, and the inclusion of KVM is the first really big shift in Red Hat's new virtualization roadmap, which favors KVM. Red Hat also has - in private beta - a standalone KVM hypervisor product as well as new server and desktop virtualization management applications.
While KVM is the big new item in RHEL 5.4, there are also a few other goodies for users to try out.
Month of Twitter Bugs begins with bit.ly flaws By Sean Kerner | July 01, 2009
Security researcher Aviv Raff has followed through on his promise of starting the Month of Twitter Bugs (MoTB). His first target? The popular bit.ly URL shortening service.
Finding flaws in URL shortening services is not an entirely new phenomenon; just two weeks ago Cligs disclosed that upwards of two million of its shortened URLs had been hacked.
For bit.ly, Raff found four vulnerabilities, three of which are in his view now patched (I have not yet been able to independently get comment from bit.ly to confirm the fourth, though Raff has a decent working proof of concept publicly posted that worked when I tried it).
All four of the issues were Cross Site Scripting (XSS) related flaws.
Though Raff is the researcher bundling up the issues under the banner of Month of Twitter Bugs, at least one of the flaws was publicly disclosed before today.
Raff reports a reflected cross-site scripting flaw in the keywords parameter, which was first reported by security researcher Mike Bailey on June 24th 2009.
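To illustrate the class of bug described above, here is an added example (not bit.ly's code and not from Raff's or Bailey's disclosure) of a page handler that reflects a hypothetical "keywords" query parameter, first unescaped and then with context-appropriate HTML encoding, plus a check a defender can run over responses. The parameter name, page layout and sample URL are assumptions for illustration only.

```javascript
// Added example, not code from bit.ly or from the Month of Twitter Bugs
// disclosures. The "keywords" parameter, the page layout and the sample
// URL are constructed for illustration.

// Escape the five characters that let untrusted text break out of an
// HTML text node or a double-quoted attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Extract ?keywords=... from a request URL as a server handler would.
function keywordsFromUrl(url) {
  return new URL(url).searchParams.get("keywords") || "";
}

// VULNERABLE: the raw parameter is concatenated into markup in two
// contexts (an attribute value and a text node), so a value carrying
// markup characters is interpreted as HTML instead of shown as text.
function renderSearchPageVulnerable(keywords) {
  return '<input name="keywords" value="' + keywords + '">' +
         "<p>Results for " + keywords + "</p>";
}

// HARDENED: every interpolation point is encoded for its context, so
// the same value is displayed literally and cannot alter the markup.
function renderSearchPage(keywords) {
  const safe = escapeHtml(keywords);
  return '<input name="keywords" value="' + safe + '">' +
         "<p>Results for " + safe + "</p>";
}

// Defender-side check for a test suite or response scanner: is input
// that contains markup characters reflected verbatim in the response?
function reflectsUnescaped(html, input) {
  return /[<>"']/.test(input) && html.includes(input);
}

// Constructed sample request: keywords = <b>hi</b>, percent-encoded.
const sampleUrl =
  "https://shortener.example/search?keywords=%3Cb%3Ehi%3C%2Fb%3E";
```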