Microsoft convinces another Android vendor to sign a patent-protection deal
Microsoft has added another Android backer to the list of those signing with Redmond for patent protection: General Dynamics.
“Citigroup suffered about US$2.7 million in losses after hackers found a way to steal credit card numbers from its website and post fraudulent charges. Citi acknowledged the breach earlier this month, saying hackers had accessed more than 360,000 Citi credit card accounts of U.S. customers. The hackers didn’t get into Citi’s main credit card processing system, but were reportedly able to obtain the numbers, along with the customers’ names and contact information, by logging into the Citi Account Online website and
account numbers.”
Both chambers of Congress have approved legislation to revamp the national patent system, but the two bodies must now hammer out one proposal to put before the White House. Technology firms have been lobbying lawmakers for reform since they say the system does a poor job of vetting questionable patents, leading to lawsuits. The House version of the legislation would award patents on a “first to file” basis instead of giving ownership to the first to invent a technology. The Wall Street Journal (tiered subscription model)/Law Blog
Security, one of the issues that initially held up virtualization adoption, continues to be a challenge as technologies such as multi-vendor virtual-machine hypervisors come into the mix, according to this article. Gartner research analyst Neil MacDonald says there is a need for better security policies. Network World
Google confirmed that the Federal Trade Commission was looking into the company’s business practices, but said it wasn’t sure what regulators were after exactly.
A company blog post appears to fall back on the company’s original “do no evil” mantra from its initial public offering filing. Google’s argument: We work for users, innovate and don’t lock people in.
That latter point will be critical in any FTC trial—should an investigation go that far. Google has near monopoly status in search, but the company’s argument has always been that consumers could use something else. The problem with that argument is that there’s really only one search provider at scale—Microsoft’s Bing. And Bing is still dwarfed by Google. Word leaked out that the FTC was planning a broad probe into Google’s business practices and whether it was abusing its search power to drive traffic to its own properties over rival sites and services.
With that backdrop, let’s read between the lines of Google’s blog post on the FTC matter.
Google: “We respect the FTC’s process and will be working with them (as we have with other agencies) over the coming months to answer questions about Google and our services. It’s still unclear exactly what the FTC’s concerns are, but we’re clear about where we stand. Since the beginning, we have been guided by the idea that, if we focus on the user, all else will follow.”
Translation: Google is doing a public service and regulators are probing needlessly. And yes, Google knows that Microsoft said something similar about its Windows-Internet Explorer bundle. And so what if we point to our own sites—we are better. Does it kill anyone if a search on email goes to Gmail first? It’s all about the user. Search email on Bing and Yahoo, a Microsoft partner, is first.
Google: “Instant answers. New sources of knowledge. Powerful tools—all for free. In just 13 years we’ve built a model that has changed the way people find answers and helped businesses both large and small create jobs and connect with new customers.”
Translation: Regulators are messing with a public service if they start screwing around with our ad model. Ditching free services doesn’t help the consumer.
Google: “Search helps you go anywhere and discover anything, on an open Internet. Using Google is a choice—and there are lots of other choices available to you for getting information: other general-interest search engines, specialized search engines, direct navigation to websites, mobile applications, social networks, and more.”
Translation: OK, we know we have this tremendous market power, but we have to say that you have search choices. We all know that none of you are going to use any alternative other than Bing.
Google: “Because of the many choices available to you, we work constantly on making search better, and will continue to follow the principles that have guided us from the beginning.”
Translation: Don’t be a hater just because we try to be relevant, label ads, are transparent and generate loyalty. Can we help it if we’re so successful?
Google: “We’re committed to giving you choices, ensuring that businesses can grow and create jobs, and, ultimately, fostering an Internet that benefits us all.”
Translation: We threw in that job creation line because the economy stinks and that’ll ratchet up some political pressure on the watchdogs.
The cyber cold war between China and the U.S. just got a little chillier. Twice this year, China demonstrated its ability to "substantially manipulate" the Internet. These incidents, both of which took advantage of well-known vulnerabilities, are a wake-up call for U.S. authorities.
RealNetworks warns of seven different vulnerabilities affecting Windows RealPlayer SP 1.1.4 and RealPlayer Enterprise 2.1.2.
Ed Bott’s Microsoft Report
The panic over this month’s wave of targeted, zero-day attacks against Google, Adobe, and other companies is over. Microsoft has released a security update for Internet Explorer that patches the underlying vulnerabilities, and everyone can breathe a sigh of relief.
But what does this episode say about Internet Explorer? I’ve seen several pundits argue that Internet Explorer is inherently unsafe. I think they’re overreacting. Yes, there is a case to be made for using a different browser, especially one with a lower market share that is targeted less frequently than Internet Explorer. (And if you’re too impatient to read this entire post, then skip to the last page for that discussion.) But it’s also true that switching browsers is a small part of a comprehensive, defense-in-depth security strategy.
One thing’s for certain: Changing browsers isn’t a magic bullet, and it might not have made a difference in this case, as I explain in this post.
First things first: How do I protect myself from becoming a victim of this exploit?
Regardless of which version of Internet Explorer or Windows you’re using, you should install today’s Cumulative Security Update for Internet Explorer (described in KB978207 and Microsoft Security Bulletin MS10-002). This update should be delivered automatically via Windows Update or Windows Software Update Services.
You should also turn on Data Execution Prevention, a feature which prevents code execution from data pages in memory (technical details for the Windows XP family are here, for Windows Vista and 7 here). DEP is on by default in Internet Explorer 8. To enable DEP on Windows XP or Windows Vista with IE6 or IE7, use the Fix It tool on the MS10-002 advisory page.
So, exactly what happened in this case?
The public does not know the full details of what happened. Various reports and analysts have published conflicting reports with a lot of speculative analysis. A January 12 report by Verisign’s iDefense security outfit blamed the attacks on an Adobe PDF vulnerability. That report was retracted two days later, although many news stories based on that inaccurate report have not been corrected.
Some key questions have not been answered–or, in some cases, even asked: why, for example, was Google vulnerable to an attack using the outdated Internet Explorer 6? It’s reasonable to assume that an outdated browser with known security issues would be used in a lab environment at Google, but this exploit was successful because someone was using IE6 for general-purpose browsing while connected directly to Google’s network. Other reasons for the general dearth of hard facts? There’s an ongoing criminal investigation with international diplomatic repercussions. Many security professionals are reluctant to disclose details that might help the bad guys with future attacks. And, perhaps most importantly, there is an understandable desire on the part of victims to avoid embarrassment and damage to their reputation by disclosing details.
If you want to read more, you can start with the official statements from Google and Adobe. The original Microsoft Security Advisory (979352) has been replaced with Microsoft Security Bulletin MS10-002 and an accompanying Knowledge Base article (KB978207). Microsoft’s security bulletin specifically thanks five companies for “working with Microsoft security researchers and providing details of the targeted attacks.” The five organizations listed are Google, Adobe, McAfee, MANDIANT, and the French Government CSIRT (CERTA).
A report by George Kurtz on McAfee’s Security Research Blog contains the most detailed independent discussion of the issue. McAfee reports that they are “working with multiple organizations that were impacted by this attack as well as the government and law enforcement” and claim to have “analyzed several pieces of malicious code that we have confirmed were used in attempts to penetrate several of the targeted organizations.”
Did Microsoft take too long to issue this patch?
The original disclosures from Google and Adobe were published around the beginning of January. Microsoft had completed its investigation and released a patch less than three weeks later. That would be an impressively fast turnaround if the early January date was the first they had heard of this vulnerability. According to Ryan Naraine at ThreatPost, however, Microsoft was originally made aware of this vulnerability in August 2009 and confirmed its severity in September 2009. The fix delivered today was scheduled for release in the normal Patch Tuesday update on February 9 and was accelerated after this attack. The companies that were targeted are no doubt wondering why this fix wasn’t available earlier. Had it been released on the second Tuesday of November or December, it’s possible that these attacks would not have been so effective.
If the victims of this attack had been using Firefox or Chrome, this would never have happened, right?
Not necessarily.
The victims in the current wave of attacks were targeted, presumably by criminals or spies who knew exactly what they were doing. In a targeted attack, victims are picked out because they have access to valuable information and can provide access to sensitive parts of their company’s network. It’s possible that the attackers targeted particular victims because they were using IE6. However, the bad guys could also have used malicious PDF files to do their dirty work, as was the case in a similar wave of targeted attacks in July 2009. They could also have used vulnerabilities in other software. In fact, the McAfee report suggests that might have been the case in this instance:
While we have identified the Internet Explorer vulnerability as one of the vectors of attack in this incident, many of these targeted attacks often involve a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios. So there very well may be other attack vectors that are not known to us at this time.
Mozilla has issued multiple security updates for Firefox 3.5 addressing memory corruption vulnerabilities similar to those used in this case (two examples are here). Mozilla Security reported 34 Critical security advisories in 2009, defining Critical as those that “can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.”
Although Chrome is widely praised for its sandboxing approach to security, it’s still vulnerable to attacks. One such vulnerability in Google Chrome 3.0, reported last October within days of its release, was triggered by a buffer overflow and could “allow execution of arbitrary code in the Google Chrome sandbox.” Two vulnerabilities in Google Chrome 2.0, currently listed as unpatched, reportedly “can be exploited to execute arbitrary HTML and script code in a user’s browser session.” Secunia reports that four other Critical vulnerabilities in the then-current version of Google Chrome were disclosed and patched between June and August 2009.
But the victims would have been really safe if they had used computers running OS X, right?
Again, not necessarily. It is true that there are very few public exploits that target OS X users, mostly because their numbers are so relatively small.
But in a case like this, where the attackers identified specific targets and created custom exploit code to attack those targets, it certainly would have been possible in December 2009 to compromise a system running OS X 10.6 with all security updates. Security Update 2010-001, released by Apple earlier this week, contained fixes for the following vulnerabilities:
A sufficiently motivated attacker who is aware of an unpatched vulnerability can take over any system, including a Mac. That was proven in dramatic fashion in the 2009 installment of the PWN2OWN competition at CanSecWest, where Charlie Miller successfully compromised a fully patched Mac in seconds (he had also successfully taken over a Mac in 2008). According to ZDNet’s Ryan Naraine, Miller summarized his experience as follows: “It took a couple of seconds. They clicked on the link and I took control of the machine.”
The security bulletin says IE7 and IE8 are vulnerable. Doesn’t that mean all versions of Internet Explorer are equally insecure?
Absolutely not. Many analysts who aren’t experienced at decoding security bulletins are confused by the terms vulnerability and exploit. A vulnerability means that a section of code has a flaw that can potentially lead to a security issue. But turning a vulnerability into a working exploit is more difficult. Security features in other parts of the operating system can prevent an exploit from working properly.
In this case, the exploit worked particularly well under IE6 running on Windows XP, but two additional security features (Microsoft refers to these as mitigations) made the exploit much more difficult to execute using later browser versions and Windows Vista or Windows 7.
In this instance, one researcher was reportedly able to work around DEP and create a proof-of-concept exploit using IE8 on Windows XP. However, Microsoft researchers report that the same exploit did not work on Windows Vista and Windows 7 because of ASLR. Based on published reports, if someone at one of the targeted companies was running Internet Explorer 7 or 8, they were not affected by this attack.
If I’m currently using IE6, what should I do?
Please switch to a more modern browser if possible. The best way is to upgrade to a more recent version of Windows. Neither Windows Vista nor Windows 7 will run IE6. If you must use IE6, be aware of its inherent vulnerabilities and take extra security precautions.
Is there a safe way to continue to use IE6?
If you must use IE6, the safest way to do so is in a virtual machine, with security settings for the Internet zone set to High and Active Scripting disabled. Add the list of known sites that require IE6 for access (including applications running on your corporate intranet) to the Trusted Sites zone. Use the virtual machine only for access to those sites, and do everyday web browsing in a more modern and secure browser.
So, should I stop using Internet Explorer?
That’s a choice only you can make, and you shouldn’t let anyone use fear or exaggeration to scare you into making a hasty or ill-considered decision.
In my opinion, if you don’t have overriding compatibility or support issues, there are several good reasons to prefer alternative browsers such as Firefox or Google Chrome to any version of Internet Explorer. For starters, both Mozilla and Google have generally been faster at releasing updates to security issues than Microsoft. If it’s true that Microsoft knew about this issue for more than four months before delivering a fix, that’s a big argument against trusting IE.
And, right or wrong, security by obscurity is real. Although other browsers have serious vulnerabilities, Internet Explorer is the one with the target on its back. Those other, less popular products might be targeted someday, but at least for now most in-the-wild exploits simply don’t work on anything except Internet Explorer.
If you do decide to switch default browsers, just remember that doing so is only one relatively small step in a comprehensive security program. And if you have assets that bad guys are likely to target, your security challenges are enormous, and the stakes are getting higher every day.
Microsoft Security Bulletin Advance Notification issued: January 20, 2010
Microsoft Security Bulletins to be issued: January 21, 2010
This is an advance notification of one out-of-band security bulletin that Microsoft is intending to release on January 21, 2010. The bulletin will be for Internet Explorer to address limited attacks against customers of Internet Explorer 6, as well as fixes for vulnerabilities rated Critical that are not currently under active attack.
This bulletin advance notification will be replaced with the January bulletin summary on January 21, 2010. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.
To receive automatic notifications whenever Microsoft Security Bulletins are issued, subscribe to Microsoft Technical Security Notifications.
Microsoft will host a webcast to address customer questions on the out-of-band bulletin on January 21, 2010, at 1:00 PM Pacific Time (US & Canada). Register now for the January 21, 1:00 PM Webcast. Afterwards, the Webcast is available on-demand. For more information, see Microsoft Security Bulletin Summaries and Webcast.
Microsoft also provides information to help customers prioritize monthly security updates with any non-security, high-priority updates that are being released on the same day as the monthly security updates. Please see the section, Other Information.
There are tens of thousands of Hong Ke, or red visitors, as they are known in China. Many are motivated by patriotism, although it is more difficult to establish their relationship with the Chinese government or military, which some experts suspect as being behind the attacks.
The Honker Union, China’s most famous group of Hong Ke, shows the grey area between patriotic hackers and the state. The group has denied involvement in the Google attack.
“The Honker Union … has no interest in getting involved in politics. We work only for the security of Chinese websites,” one of its core members, Lyon, said in a telephone interview. Lyon, his hacker handle, is the head of a department in a major state-owned telecommunications firm and declined to disclose his real name.
Founded in 2001, it was involved in cyber-warfare with U.S. hackers over the Hainan spy plane incident in 2001 and last week attacked Iranian websites in retaliation for the Iranian Cyber Army’s temporary takeover of Chinese search engine Baidu.
“It is pretty clear that many Chinese hackers are motivated by patriotism,” said Trevor T, the pseudonym of an American who helps run Dark Visitor, a U.S.-based blog about Chinese hackers.
“China may not be where the U.S. is militarily, but it clearly has invested a lot of brainpower in developing capabilities that can offset the U.S. advantage in force-on-force conflict,” he said.
Google announced last week that a “sophisticated” attack coming from China resulted in the theft of its intellectual property. It cited the hacking episode, as well as censorship, as reasons it may leave China.
Google did not specify how it knew the attacks came from China, or why it and an estimated 34 other companies were targeted. Cyber experts say source codes may have been the prize.
SO YOU WANT TO BE A HACKER?
The popularity of hacking in China, and hackers’ use of multiple addresses and servers, in Taiwan and elsewhere, makes it hard to prove how or by whom they are coordinated. Would-be hackers in China don’t have to look far to figure out how to do it, thanks to a healthy hacking industry.
For $150, a keen student can buy all the modules online, from programming Trojans to evading anti-virus programs. Tutors are available via instant-messaging and interactive tutorials.
The market for malware in China includes a software known as Grey Pigeon, originally designed to remotely control users’ own computers, that turned out to be an ideal tool for hacking.
Grey Pigeon’s homepage says it was discontinued in 2007, because of rampant misuse for illegal activities, but the 2010 version of Grey Pigeon is easily found for sale online in China.
That market helps hackers quickly exploit any opening.
“Malware groups out of China have been very quick to adopt zero-day exploits,” software flaws for which there is no patch, said Nart Villeneuve, chief research officer at SecDev.cyber.
“They may be operating independently but there may be some sort of market for selling the information that they get.”
Some Chinese hackers train at schools like the Communication Command Academy in Wuhan to get sensitive information, cyber expert James Mulvenon told a congressional commission in 2008.
China now may have up to 50,000 military hackers trained or in training, he said. This could not be independently confirmed.
“Who is most likely to become the leading protagonist … of the next war? The first challenger who has appeared and is the most well known is the computer ‘hacker’,” two People’s Liberation Army (PLA) colonels, Qiao Liang and Wang Xiangsui, wrote in a 1999 book, “Unrestricted Warfare.”
Developing countries can beat more developed countries with war tactics that transcend boundaries, they argued.
“We urgently need to expand our field of vision regarding forces which can be mobilized, in particular non-military forces,” they wrote.
One of the best documented, and coordinated, hacking attacks out of China was reported last year. It took place against exiled Tibetans, an attack that seemed motivated by politics, not profit.
“It’s the political connection that many use to provide the link to the Chinese government,” Villeneuve said.
Similar attacks have targeted foreign reporters in China, and individuals and groups pushing for greater human rights.
(Additional reporting by Benjamin Kang Lim; Editing by Bill Tarrant.)
SEATTLE (Reuters) – Microsoft Corp said it will issue a patch to fix the old version of its Internet Explorer browser that allowed recent attacks on Google Inc’s network in China.
The patch, due out on Thursday, “addresses the vulnerability related to recent attacks against Google and a small subset of corporations,” said Jerry Bryant, senior security program manager at Microsoft. “Once applied, customers are protected against the known attacks that have been widely publicized.”
Google said last week it had been the target of sophisticated cyber-attacks in China, along with more than 20 other companies. Microsoft acknowledged that the hackers took advantage of a weakness in Internet Explorer 6 to mount the attacks.
Microsoft said it continues to see some attacks, with the only successful attacks against Internet Explorer 6. The most recent version of the software is Internet Explorer 8.
(Reporting by Bill Rigby, editing by Leslie Gevirtz)
This is Serious.
(AFP) – 1 day ago
BEIJING — Google is checking whether any of its China staff helped hackers lead a major cyberattack against the US Internet giant, which is now mulling whether to leave the country, a report said Tuesday.
The Wall Street Journal, citing unidentified sources, said the internal network access of some of Google’s 700-odd employees in China had been cut off for the duration of the internal investigation.
It was not immediately clear if Google had found evidence to link any of its China-based staff to either the theft of its intellectual property or alleged attempts to access Gmail accounts of Chinese dissidents.
Google said Monday it was “business as usual” in China and its employees were at work, after local media reports that some staff had seen their access to Google’s global network cut off and could no longer work.
The company last week announced it was considering abandoning its Chinese search engine, and could shut its China offices, over theft of its intellectual property by hackers, believed to have been based in China.
Google says it is no longer willing to bow to Chinese Internet censors by filtering search results on google.cn, but is still seeking talks with Beijing on a solution.
The United States has asked for an explanation from Beijing over the Google dispute. China says the row will not affect Sino-US ties, but has also insisted that Google and other foreign Internet firms must obey its laws.
The Foreign Correspondents’ Club of China said Monday that expatriate journalists in a “few” bureaus in Beijing had discovered that their Gmail accounts had been hacked, with messages forwarded to a stranger’s account.
Cloud computing and virtualization are just two technologies that cybercriminals are anxious to exploit, forecasts a report released Wednesday by security vendor Trend Micro.
The year ahead offers new opportunities for cybercrooks as they hunt for more targets and new challenges as people try to protect themselves, says Trend Micro’s 2010 Future Threat Report (PDF).
Cloud computing and virtualization can be cost effective. But since they’re beyond the confines of a company’s own firewall, they could be potentially open areas for cybercriminals to attack. October’s Sidekick data outage highlighted the vulnerabilities of the cloud, which cybercrooks are likely to abuse, according to Trend Micro.
Social networks have proved to be an appealing area for bad guys, a shift that Trend Micro thinks will increase through the use of social engineering. Cybercrooks will try to enter people’s communities and circles of friends at sites like Facebook in an attempt to steal personal information.
Malware outbreaks will shift from the global landscape to more local, targeted attacks, similar to the strategy employed by Conficker, which Trend Micro calls a “carefully orchestrated and architected attack.”
Trend Micro also believes the move toward international domain names orchestrated by ICANN will open up the playing field for more phishing attacks as crooks create look-alike domain names using the Cyrillic alphabet instead of Latin characters.
A few other trends for 2010 and beyond to keep us all on the alert:
Windows 7 will have an impact since it is less secure than Vista in the default configuration (presumably because User Access Control (UAC) in Win 7 is not set to its most restrictive level by default).
Drive-by infections are the norm–one Web visit is enough to get infected.
Malware is changing its shape–every few hours.
To protect yourself, Trend Micro dispenses the usual advice we’ve all heard before. But it bears repeating–keep your PC patched and updated, don’t click on strange e-mail attachments, make sure the online stores you shop at are secure (https vs http), and don’t use the same password for all Web sites.
Exploit code for a critical (remotely exploitable) vulnerability in Microsoft’s Internet Explorer 7 browser has been released on the Internet, prompting a new round of “upgrade now!” warnings from computer security experts.
The vulnerability could be used in malware attacks to take complete control of a Windows machine running IE 6 or IE 7, according to an advisory issued over the weekend.
Here’s the gist of the problem:
A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by attackers to compromise a vulnerable system. This issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the “getElementsByTagName()” method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.
The vulnerability was confirmed on fully patched Windows XP SP3 systems with Internet Explorer 6 and 6.
For IE users unable (or unwilling) to upgrade to IE 8, you can disable Active Scripting in the Internet and Local intranet security zones.
Security researchers at Symantec have tested the published exploit and warned that a fully-functional reliable exploit will be available in the near future.
When this happens, attackers will have the ability to insert the exploit into Web sites, infecting potential visitors. For an attacker to launch a successful attack, they must lure victims to their malicious Web page or a Web site they have compromised. In both cases, the attack requires JavaScript to exploit Internet Explorer.
Microsoft has not yet issued an advisory with mitigation guidance.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan’s full profile and disclosure of his industry affiliations.
Microsoft shared some information about what’s coming in Internet Explorer 9 and Silverlight 4 during its November 18 Professional Developers Conference (PDC) keynotes.
If you want to see a real example of the difference in disclosure policies between Microsoft’s Windows unit and its Developer Division, the level of information provided by execs with each division today made that quite clear.
As expected, Microsoft Windows President Steven Sinofsky shared a few tidbits about Internet Explorer (IE) 9. Sinofsky emphasized that Microsoft will continue to play up privacy, user choice and responsible development with the next IE release. But he offered no information on when the team is planning to release a test build or the final version of the browser.
Sinofsky said during the Wednesday morning keynote that the IE team is about three weeks into the IE 9 project. (I’ve been getting tips that there already is a build of the product out there that is being used inside Microsoft, but it’s not available to external testers yet.)
Sinofsky noted that Microsoft is fully aware that it needs to keep pushing on the standards front. He noted that IE 9 is currently passing 32 of 100 Acid3 tests (compared to Firefox at more than 70 and Opera at 100). He also made it clear that Microsoft is aware it needs to continue to do work to improve JavaScript performance with IE.
Sinofsky said IE 9 will support hardware-accelerated rendering and rounded borders, but didn’t say a whole lot more about it. There are a (very) few more specifics about IE 9 on the IE Team blog today.
Scott Guthrie, Microsoft’s Corporate Vice President for .Net, had lots more to say about Silverlight 4, the next version of Microsoft’s browser plug-in that competes with Adobe Flash.
Microsoft is making a public beta of Silverlight 4 available for download today, November 18. A single, near-final Release Candidate will follow and then the final version of Silverlight 4 will be out in the first half of 2010, according to Guthrie.
Guthrie said Silverlight 4 will be a major new release of the plug-in. He said the upcoming version will incorporate nine of the ten most requested features by developers.
Guthrie itemized and demonstrated some of the new features of Silverlight 4 — which include everything from its support for webcam and microphone access, to the ability to run Silverlight inside the Google Chrome browser. Silverlight 4 also will include full support for Visual Studio 2010, native multicast support and improved printing, networking and reporting capabilities, company officials said. Silverlight Program Manager Tim Heuer has a full list of those Silverlight 4 features on his blog.
I’m interested in hearing from anyone who manages to download Silverlight 4 (servers are crawling, I hear) about what you think of the new beta of the product. Feel free to chime in in the talkbacks….
Mary Jo has covered the tech industry for more than 20 years.
Updated: The Federal Aviation Authority is looking into a networking problem that threatens to delay flights across the U.S.
FAA spokesman Les Dorr said that there’s a “problem with the telecommunications network that’s affecting automated processing system” for things like flight plans.
“Anything controllers normally have done automatically have to be done manually,” said Dorr. Indeed, the FAA has a ground stop. Atlanta is the hub that appears to be most affected, reports CBS News.
According to the FAA, the problems reside in the FAA Telecommunications Infrastructure, or FTI for short. FTI provides the voice, data, and video communications that support operations and mission support functions at more than 4,000 FAA and Department of Defense (DoD) facilities. Add it up and the network provides for more than 20,000 services such as switching and routing, network monitoring and control.
The FAA is currently investigating the problem. Dorr reiterated that the FAA can track planes with radar and have communication with pilots, but there’s an efficiency issue: You can only keep tabs on so many planes manually.
The manual process for flight plans and other essentials is that these documents are emailed or faxed and then entered into the processing system.
The outage started between 5:15 a.m. and 5:30 a.m. and Dorr said it’s impossible to predict the impact on delays Thursday because it’s still early in the day.
You can track the flight delays across the country at the FAA site. Here’s the snapshot as of 9:43 a.m. EST.
Update: The FAA said it fixed the issue at 9 a.m. EST. In a statement, the FAA also shot down theories that a cyberattack was to blame. The statement in full:
At approximately 5:00 am EST a router problem disrupted a number of air traffic management services including flight plan processing. The problem was resolved at approximately 9:00 am EST. Air traffic control radar and communication with aircraft were not affected during this time and critical safety systems remained up and running.
The failure was attributed to a software configuration problem within the FAA Telecommunications Infrastructure (FTI) in Salt Lake City. As a result FAA services used primarily for traffic flow and flight planning were unavailable electronically.
The National Airspace Data Interchange Network (NADIN), which processes flight planning, was affected because it relies on the FTI services. During the outage air traffic controllers managed flight plan data manually and safely according to FAA contingency plans.
There is no indication the outage occurred as a result of a cyber attack.
System wide delays and cancellations will continue to be assessed throughout the day.
A team of FAA technical and safety experts is already investigating the outage. FAA Administrator Randy Babbitt is meeting with representatives from Harris Corporation, the company that manages the FTI, to discuss system corrections to prevent similar outages in the future.
Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic. See his full profile and disclosure of his industry affiliations.
AT&T may have lost the legal battle with Verizon Wireless over a marketing campaign that compares the 3G coverage of both carriers. But that doesn’t mean AT&T is going away quietly.
The company is airing a commercial of its own, which features actor Luke Wilson inside what appears to be a warehouse, standing in front of an orange magnet board with a checklist that compares AT&T and Verizon. (Techmeme)
When it comes to the fastest 3G network, AT&T wins, Wilson says. If you want to talk and surf at the same time, AT&T wins. Who has the most popular smartphones? AT&T, of course, home of the iPhone. Who provides access to more than 100,000 apps? You guessed it. Then, in the category, he asks which has a name that starts with the letter V.
I’ll give AT&T credit for making the attempt to even the playing field but – and maybe this is just me – the commercial felt sort of low-budget, like something thrown together in haste. Cheap set. Cheap props. Marketing messages in place of statistics. What is it telling me that’s new? I’ve been hearing that “Nation’s fastest 3G network” for some time now. As far as that “talk and surf” feature, I’m assuming that refers to tethering – mostly because Mr. Wilson doesn’t elaborate – but last time I heard, AT&T still wasn’t offering that for the iPhone.
Why would this commercial lure a potential customer to AT&T or convince an existing customer to stick around? There’s no fine print or footnotes about what sort of data these claims are based upon. No statistics. No independent analysis. There is a disclosure about 3G coverage not being available in all areas and some details about service plans, rebates and such.
There’s also a URL for a new Web site, called TruthAbout3G.com. But the site is nothing more than a place for cutesy marketing messages and some links to AT&T products and services. No statistics or hard data to be found.
It’s fun. But am I supposed to take it seriously? From where I sit, Verizon launched a marketing campaign based on factual information (which AT&T didn’t dispute) and AT&T counters with… well, this. (see YouTube clip below.) If I’m a consumer (and I am), then this 30-second clip doesn’t offer the factual information that I need to be an informed customer.
What’s unfortunate is that this doesn’t help the company’s image – not by any stretch. In fact, you may recall that hole that AT&T was digging itself into. It appears the shovel has been handed from the legal department to the marketing department.
And it appears to be getting deeper.
Sam Diaz is a senior editor at ZDNet. See his full profile and disclosure of his industry affiliations.
Back in September, when Google launched the Google Chrome Frame plug-in for Internet Explorer users, Microsoft immediately warned that the move would increase the attack surface and make IE users less secure.
Now comes word that a security researcher at Microsoft Vulnerability Research (MSVR) has discovered a “high risk” security vulnerability that could allow an attacker to bypass cross-origin protections.
SEE: Microsoft says Google Chrome Frame doubles IE attack surface
The search technology company has shipped a new version of the Google Chrome Frame (version 4.0.245.1) with a patch for the vulnerability.
The plug-in update also fixes several bugs:
“All users should be updated automatically,” said Mark Larson, a member of the Google Chrome team.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan’s full profile and disclosure of his industry affiliations.
Mozilla’s flagship Firefox browser is vulnerable to at least 11 “critical” vulnerabilities that expose users to drive-by download attacks that require no user interaction beyond normal browsing. by Ryan Naraine
Microsoft is blaming human error for the critical SMB v2 vulnerability that exposed Windows users to remote code execution attacks and argues that it’s near impossible to catch these types of bugs with existing code review tools and techniques.
According to a post-mortem of the issue by Redmond security guru Michael Howard, the company detected the vulnerable code “very late” in the Windows 7 development process but argued that there are no static analysis tools or SDL requirements that would spot this type of human error.
“Right now there is no static analysis tool I know of that would point out the developer used the wrong variable, and our analysis tools didn’t spot the potential array bounds problem in part because it’s hard to do so without generating a very large quantity of false positives,” Howard said.
“There is only one current SDL requirement or recommendation that could potentially find this, and that is fuzz testing. In fact we did find it very late in the Windows 7 development process through network fuzzing and that is why post-RC versions of Windows 7 do not have this bug,” he added.
Howard did not explain why the fix was not back-ported to Windows Vista and other vulnerable versions until it was independently discovered and released by external security researchers.
[ SEE: Microsoft security guru: Get fuzzing ]
He said the only other technique that could find this type of vulnerability — an incorrect variable in an array reference — is the process of “very slow and painstaking code review.”
This code was peer-reviewed prior to check-in into Windows Vista; but the bug was missed. Humans are fallible, after all.
Howard said the types of vulnerabilities surfacing in Windows OS code today show that the mandatory SDL has “whittled away most of the ‘low-hanging’ bugs.”
Of course, I might be proven wrong, but looking at all the bugs over the last year in Windows, the only pattern I can spot is there is no pattern! The majority of the bugs I see in Windows are one-off bugs that can’t be found easily through static analysis or education, which leaves only manual code review, and for some bug classes, fuzz testing. But fuzz testing is hardly perfect, because the malformed data might not hit the vulnerable code path or trigger a failure in the code.
He called on software developers to spend more time on defenses against unknown vulnerabilities, as well as trying to prevent or remove vulnerabilities.
See: MS09-050, SMBv2 and the SDL, by Michael Howard.
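The bug class discussed in this article (a bounds check on one variable, an array index taken from another) and the fuzzing caveat can be shown with a short added example; it is a constructed illustration, not code from Windows, the SMB v2 driver or Howard's post, and every name in it (`toy_hdr`, `index_flawed`, `index_fixed`, `fuzz`) is hypothetical. The flawed function returns the index it would use instead of dereferencing it, so the demo never performs an out-of-bounds access.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define N_HANDLERS 4   /* size of the toy dispatch table */

/* Constructed toy header; both fields arrive from the network. */
struct toy_hdr {
    uint16_t command;  /* intended index into the dispatch table */
    uint16_t aux;      /* unrelated field carried in the same header */
};

/* Flawed: bounds-checks `command` but indexes with `aux` (wrong variable).
 * Returns the table index that would be used, or -1 if the packet is
 * rejected. The index is returned, not dereferenced, so the demo stays
 * within defined behaviour. */
long index_flawed(const struct toy_hdr *h)
{
    if (h->command >= N_HANDLERS)
        return -1;
    return (long)h->aux;
}

/* Fixed: the variable that was checked is the one used as the index. */
long index_fixed(const struct toy_hdr *h)
{
    if (h->command >= N_HANDLERS)
        return -1;
    return (long)h->command;
}

typedef long (*index_fn)(const struct toy_hdr *);

/* Small deterministic PRNG (xorshift32) so every run is reproducible. */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *s = x;
}

/* Mutation fuzzer: start from a valid packet and corrupt one field per case.
 * fuzz_aux == 0 mutates only `command`; otherwise it alternates between
 * `command` and `aux`. Returns how many cases yielded an index outside
 * the table. */
unsigned fuzz(index_fn target, unsigned cases, int fuzz_aux)
{
    uint32_t state = 0x12345678u;
    unsigned overruns = 0;

    for (unsigned i = 0; i < cases; i++) {
        struct toy_hdr h = { 1, 0 };               /* valid seed packet */
        uint16_t r = (uint16_t)xorshift32(&state);

        if (fuzz_aux && (i & 1))
            h.aux = r;
        else
            h.command = r;

        if (target(&h) >= N_HANDLERS)
            overruns++;
    }
    return overruns;
}

int main(void)
{
    printf("flawed, command-only fuzzing: %u overruns\n",
           fuzz(index_flawed, 1000, 0));
    printf("flawed, all-field fuzzing:    %u overruns\n",
           fuzz(index_flawed, 1000, 1));
    printf("fixed,  all-field fuzzing:    %u overruns\n",
           fuzz(index_fixed, 1000, 1));
    return 0;
}
```

The command-only run reports nothing against the flawed function because its malformed data never reaches the unchecked field, which is the limitation of fuzz testing noted in the article.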
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan’s full profile and disclosure of his industry affiliations.
From You National Center for Supercomputing applications (NCSA)
Blue Waters is expected to be the most powerful supercomputer in the world for open scientific research when it comes online in 2011. It will be the first system of its kind to sustain one petaflop performance on a range of science and engineering applications. The project also includes intense collaboration with dozens of teams in the development of science and engineering applications, system software, interactions with business and industry, and educational programs. This comprehensive approach will ensure that scientists and engineers across the country will be able to use Blue Waters to its fullest potential.
Scientists will create breakthroughs in nearly all fields of science using Blue Waters. They will predict the behavior of complex biological systems, understand how the cosmos evolved after the Big Bang, design new materials at the atomic level, predict the behavior of hurricanes and tornadoes, and simulate complex engineered systems like the power distribution system and airplanes and automobiles.
Blue Waters is a joint effort of the University of Illinois at Urbana-Champaign, its National Center for Supercomputing Applications, IBM, and the Great Lakes Consortium for Petascale Computation. It is supported by the National Science Foundation and the University of Illinois.
Blue Waters will be based on POWER7 hardware from IBM—makers of more than one-third of the world’s 500 fastest computers and almost all of the 40 most “green” supercomputers. It will be the first of a powerful new system design from IBM. The design includes extensive research and development in new chip technology, interconnect technology, operating systems, compiler, and programming environments.
Substantial investments will be made by the Blue Waters partnership to enhance the scalability and performance of existing science and engineering applications and to develop new applications that take full advantage of the extraordinary capabilities that Blue Waters will provide. The partnership is developing an enhanced version of IBM’s high-performance computing environment to ensure that applications achieve high sustained performance. The enhanced environment will increase the productivity of application developers, system administrators, and researchers by providing an integrated toolset to use Blue Waters and analyze and control its behavior.
The Blue Waters project also includes a far-reaching educational and workforce development program. It will impact students from K-12 through postgraduate education, reaching out to geographical areas and communities that have been historically underrepresented in supercomputing. At the undergraduate level, the program will educate the next generation of graduate students, K-12 teachers, future technical staff, and the informed public. At the graduate and postgraduate levels, the program will educate and train the next generation of researchers.
An expanded industrial partner program is an integral part of the Blue Waters project. Members of the Great Lakes Consortium for Petascale Computation will work with their business and industry partners to introduce them to the world of petascale computing, giving industrial outreach a truly national scale.
To read more visit NCSA’s Website
A server is a specialised machine but it is also based on PC technology. So, what defines a server and separates it from the familiar personal-computing technology that lives either on your desk or your lap? And what is missing from the mix?
Generally speaking, a core philosophy behind server design is the notion that the machine must continue to provide a service even if an individual hardware component fails. Servers also deliver files and process information for multiple users simultaneously, so they need to be computing powerhouses.
All this data needs to get to and from users as fast as possible, so expect lots of high-speed network ports. And because they are not machines you sit in front of all day, they need to be remotely manageable.
Finally, there is one other characteristic that servers have all possessed up until now but that may be starting to change. (More on this later.) Here then are the most important hardware attributes a server must possess if it is to fit the bill and, at the end, we have added some items you should not expect to see.

Crucial attribute 1: Processors
At the heart of the server is the processor or, more usually, these days, at least a pair of processors. If a server is doing anything more than just file-serving, then computing power is likely to be in demand. So this Dell T710 houses a pair of brand-new Intel Core i7 Xeon processors, using 45nm processor microarchitecture code-named Nehalem.

Crucial attribute 2: Memory
Without memory, a computer is useless: our test server contains 12GB of PC8500 1066MHz DDR3 memory in the form of six 2GB DIMMs. That is enough to run a modern hypervisor such as VMware’s ESX and up to around eight to 10 virtual machines, which is increasingly what even low-end servers are being asked to handle.

Crucial attribute 3: Storage
Storage is a crucial part of the server, if only because the server needs an operating system from which to boot. While in many cases, servers boot from the network, local storage for the operating system and other data that needs to be held locally is typical. In this case, we have eight 10,000rpm SAS drives of 146GB each, configured for Raid 5 which helps protect against the consequences of a drive failure, and provides around 1TB of storage.

Crucial attribute 4: Network
The data I/O channel is often the server’s bottleneck but this machine houses four 1Gbps load-balancing Ethernet ports, helping to speed the flow of data and provide redundancy against hardware failure. Because of the growth of virtualisation technology, I/O is in greater demand because each virtual machine could be serving dozens of users’ requests for information.

Crucial attribute 5: Power
The server draws power via a mains cable but in a typical configuration it will house a pair of power supply units (PSU). This means that when a PSU fails (and moving parts such as the PSU fan, along with hard disks, are the server’s most failure-prone components), the machine continues working. This server’s 1100W hot-plug PSU slides out for easy online replacement.

Crucial attribute 6: Cooling
Venting excess heat from high-powered processors is crucial. This server contains four fans but can continue to run on two, should they fail. Like the power supply unit, the fans can be removed while the server is running to provide continuous service. For photographic purposes, we have removed the plastic ducting that helps ensure the cooling air flows over the CPUs and memory.

Crucial attribute 7: Remote management
Servers tend to live in places such as datacentres or, in smaller offices, dedicated locked rooms. They are not easily accessible yet admins need to be able to manage them remotely, at any time.
That is why this server is equipped with a remote-management port and a management application on a flash SD card. The management port allows admins to manage the server using an out-of-band network, which does not affect production network traffic.

Crucial attribute 8: Diagnostics
When you are in the presence of the hardware, it is useful to be able to grab a quick snapshot of the server’s state to help with problem solving. This server’s front bezel includes a one-line LCD that provides system information, such as system health monitoring, alerts and control of basic management configuration. It also allows admins to view a power meter and ambient temperature.

Crucial attribute 9: Power security
The basic IEC mains cable includes a plug that simply pushes into a socket on the back of the machine. But it is not a secure design and it is all too easy to pull the plug out by accident, perhaps when moving the server, or if the cable has been untidily routed. This simple Velcro cable security strip can prevent that happening.

Crucial attribute 10: Noise
The final issue is noise. Servers are still pretty noisy and this machine, though a little quieter than many, still makes more racket than would be acceptable in an office as a result of its multiple fans. But quieter servers are the future: noise results from wasted energy, and energy conservation is high on the agenda of all system and component designers.

Four things you do not need in a server:
1. Graphics
There is no need for expensive, power-sapping graphics cards in a server. The most complex graphics task for a server is a graphical user interface that is rarely used. If it is running Linux, you are more likely to do that remotely using SSH, so why waste CPU and memory on graphics?
2. Audio
Audio is unnecessary on a server because most of the time there is no-one there to listen, and the audio circuitry and its associated software are just additional points of failure.
3. Keyboard and mouse
You do not need human input devices (HID) on a server 99 percent of the time. That is not just because it is not being used interactively, but also because, on those occasions when you do need a keyboard and mouse, you can do so using a KVM device that transports the HID signals to your desk.
4. Windows licence
In fact, the machine featured in most of these pictures came with a temporary Windows licence, but you do not need one. Instead, download a 64-bit version of Ubuntu server and you will have a server that works without hefty licensing fees. Alternatively, VMware’s ESX hypervisor is downloadable free and provides a tried and trusted platform for virtualisation.
Story URL: http://resources.zdnet.co.uk/articles/imagegallery/0,1000002003,39743452,00.htm
Yahoo, Google and other top technology companies have signed up to an effort to bring OpenID authentication to US government websites.
Ten companies said on Wednesday that they will support president Obama’s initial pilot programmes to make it easier for people to register and use those websites. OpenID is an open identity system that allows people to use a single username and password to log in and authenticate themselves on multiple websites.
The companies (Yahoo, PayPal, Google, Equifax, AOL, VeriSign, Acxiom, Citi, Privo and Wave Systems) said they will act as digital identity providers using OpenID and Information Card technologies.
“By embracing OpenID (and InfoCard), the government is helping to further establish the value of owning one’s own identity, and of having convenient, consistent and privacy-protecting mechanisms in place to enhance and enable participation,” OpenID Foundation community board member Chris Messina wrote in a blog post.
The pilot programmes are being launched by the Center for Information Technology, National Institutes of Health and the US Department of Health and Human Services.
People will be able to use Yahoo, PayPal and Google IDs to sign into federal sites. According to the government, the use of OpenID will allow individuals to be more interactive with websites without revealing personally identifiable information, such as passwords.
Earlier this year, president Obama issued a memorandum launching an effort to make it easier for citizens to work with government websites. The Gov 2.0 initiative will “transform government websites from basic ‘brochureware’ into interactive resources, saving individuals’ time and increasing their direct involvement in governmental decision-making”, the Information Card Foundation said in a statement.
01 Oct 2009 08:47
On most days it takes the right access badge and a biometric scan to make it inside the doors of Microsoft’s massive datacentre. But on Wednesday, the company allowed a group of reporters, customers and partners to tour the 700,000 square foot facility.
The datacentre, along with another just-opened facility in Dublin, Ireland and existing centres in San Antonio and Quincy, Washington, serve as the guts behind Microsoft’s online ambitions, from Bing to Hotmail to Windows Azure.
For all its strategic import, the ground floor of the Chicago plant looks more like a lorry park than a traditional datacentre. In each parking spot, though, Microsoft can drop off a container packed with up to 2,000 servers.
Right now, only about a dozen of the 56 container spots are filled, but Microsoft executives said they expect that to change quickly. The software maker expects eventually to spend up to $500m filling the Chicago site with gear.
The site was originally slated to open months earlier, but Microsoft delayed things due to the economy. Eventually, though, it decided to move forward.
“Investing in these uncertain economic times is always a tough choice,” said Arne Josefsberg, general manager of infrastructure services for Microsoft’s datacentre operations. But, he added, “We take a very long-term approach to the business.”
The datacentre itself is housed in an unmarked warehouse in one of the Chicago area’s many industrial districts. (The software maker did not want the exact location disclosed.)
Microsoft picked the spot because of its convenient location close to cheap and abundant power, as well as the fact it sits atop a major internet connection point that houses major east-west and north-south fibre routes.
“It’s a lot about location, location, location,” Josefsberg said.
