Sempai.inFo - 411

411 info and facts.. also did you know?

June 23, 2008

Generativity may destroy the internet
   Author: admin

Posted in News

Rob Stringer

A leading academic has warned that the benefits of the internet may have set it on a path to its own destruction.

Jonathan Zittrain, professor of internet governance at the Oxford Internet Institute, puts the threat down to ‘generativity’, a term which encapsulates those open products that allow users to build their own applications without requiring permission from, for instance, the makers of their personal computer. While this enables creativity and interactivity, it also opens the door to the multitude of viruses and worms waiting in the shadows. Hacking, argues Zittrain, is the ‘drug trade equivalent’ for the internet.

"I want recognition from people that the network they enjoy now is in many important respects a collective hallucination," states Zittrain. "If too many of them start treating it as a cash and carry service, they are going to get the network they deserve."

Zittrain cites ‘sterile’ technology such as the iPhone as a possible ‘cure’. The system will not allow a user to write or add programmes without Apple’s permission. Although this offers the user a greater sense of security, it is not without its dangers - a prevailing concern being that the user must hand over proprietorial control to the organisation, leading to damaged innovation and potential abuse. The iPhone’s lack of compatibility with certain programmes has recently led critics to claim that it’s not yet ready for business use.

If we cannot address these problems, Zittrain claims, the ‘happy accident’ of the internet may face meltdown, unless we lock it down first.

“The public and businesses alike need to consider deploying technologies that monitor and only allow known good applications or devices to connect to their PC or network,” maintains Andrew Clarke, senior vice president of Lumension Security.

“Whilst this ‘whitelisting’ approach has had a reputation for impacting productivity, the technology has progressed rapidly since it emerged on the market, not prohibiting the user entirely, but allowing them to access data and execute programs that are needed to perform their daily tasks while keeping the malicious activities out”, Clarke concludes.

(Original Post)

..Bet he’s against net neutrality too..

Short answer: No
   Author: admin

Posted in News, Security

This manager buys a BlackBerry, and in short order the pilot fish in charge of IT support gets an e-mail from manager’s assistant.

"She wants to receive her business e-mail on it," says fish. "The organization doesn’t support personal equipment and doesn’t support BlackBerries. The decision was made years ago to support Treo and Goodlink as the corporate standard.

"I duly inform the assistant that the organization doesn’t support personal equipment and doesn’t support corporate BlackBerries either. I offer to send copies of the manager’s e-mail to an offsite e-mail address if she provides one."

Just after sending that out, fish receives a copy of an e-mail from his telecom analyst, who got the same request from the manager’s assistant. Analyst informs assistant that the organization doesn’t support personal equipment and doesn’t support BlackBerries.

And that should be it — right?

The next thing that pops up in fish’s mail is a meeting request. From the manager’s assistant. Meeting subject: "BlackBerry E-mail Options."

Fish calls the assistant to ask if she didn’t get the e-mails.

Yes, assistant says, both she and the manager got them. But they don’t understand the options.

"She explains that we should know they aren’t technology people, so they need it explained in simple terms," fish says. "I accept the meeting.

"Now we’ll have to see how I can nontechnically explain ‘no, we don’t support them,’" fish says.

"Of course, if I did, could this ‘nontechnical’ person handle the BlackBerry anyway?"

(Original Post)

Posted in News, Security

He won’t do that again

A TEEN FACES 38 YEARS in jail for hacking into his school’s computer and changing his grades.

According to Orange County Superior Court documents, Omar Khan, 18, faces 69 felony counts of second degree burglary, identity theft, computer access and fraud, removing and secreting a public record, and altering and falsifying a public record.

Court documents claim that Khan broke into the school at night and on weekends using a stolen master key.

He tried to steal his teachers’ login credentials and passwords to change his C, D and F grades to As and Bs. He also installed spyware on his teachers’ PCs to access the school network remotely. He also altered the grades of 12 other students.

It all came to light when Khan appealed a denial of admission to the University of California for the fall semester by requesting a new school transcript. School administrators got wind of the discrepancy over Khan’s grades and investigated.

Khan’s attorney, Merlin Stapleton, told the local rag that the charges were too severe. He said it was not the first time a kid cheated and often they did these sorts of things to find out if they could.

(Original Post)

Just my comment on this.. Why 38 years? I mean yeah, that’s nuts.. But why not 30 or 40? Where the heck did 38 come from???

Posted in News

June 19, 2008 — Dice-size crumbs of bright material have vanished from inside a trench where they were photographed by NASA’s Phoenix Mars Lander four days ago, convincing scientists that the material was frozen water that vaporized after digging exposed it.

"It must be ice," said Phoenix Principal Investigator Peter Smith of the University of Arizona, Tucson. "These little clumps completely disappearing over the course of a few days, that is perfect evidence that it’s ice. There had been some question whether the bright material was salt. Salt can’t do that."

The chunks were left at the bottom of a trench informally called "Dodo-Goldilocks" when Phoenix’s Robotic Arm enlarged that trench on June 15, during the 20th Martian day, or sol, since landing. Several were gone when Phoenix looked at the trench early today, on Sol 24.

Also early today, digging in a different trench, the Robotic Arm connected with a hard surface that has scientists excited about the prospect of next uncovering an icy layer.

The Phoenix science team spent Thursday analyzing new images and data successfully returned from the lander earlier in the day.

Studying the initial findings from the new "Snow White 2" trench, located to the right of "Snow White 1," Ray Arvidson of Washington University in St. Louis, co-investigator for the robotic arm, said, "We have dug a trench and uncovered a hard layer at the same depth as the ice layer in our other trench."

On Sol 24, Phoenix extended the first trench in the middle of a polygon at the "Wonderland" site. While digging, the Robotic Arm came upon a firm layer, and after three attempts to dig further, the arm went into a holding position. Such an action is expected when the Robotic Arm comes upon a hard surface.

Meanwhile, the spacecraft team at Lockheed Martin Space Systems in Denver is preparing a software patch to send to Phoenix in a few days so scientific data can again be saved onboard overnight when needed. Because of a large amount of duplicative file-maintenance data generated by the spacecraft Tuesday, the team is taking the precaution of not storing science data in Phoenix’s flash memory, and instead downlinking it at the end of every day, until the conditions that produced those duplicative data files are corrected.

"We now understand what happened, and we can fix it with a software patch," said Phoenix Project Manager Barry Goldstein of NASA’s Jet Propulsion Laboratory, Pasadena. "Our three-month schedule has 30 days of margin for contingencies like this, and we have used only one contingency day out of 24 sols. The mission is well ahead of schedule. We are making excellent progress toward full mission success."

(Original Post)

Posted in News, Security

"Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript: osascript -e ‘tell app "ARDAgent" to do shell script "whoami"’; Works for normal users and admins, provided the normal user wasn’t switched to via fast user switching. Secure? I think not."
On the other hand, since this exploit seems to require physical access to the machine to be rooted, you might have some other security concerns to deal with at that point, like keeping the intruder from raiding your fridge on his way out.

(Original Post)

Posted in News

Announces a porn shop named after one of his biggest opponents

People in the small mountain town of Allenspark are drawing up the battle lines.
The controversy began when Jeff Mead wanted to open an ATV rental store there.
But nearby neighbors complained about the noise and environmental impact.
Margie Patterson says Mead’s clients have damaged pristine private land, a claim Mead dismisses.
The Boulder County Planning Commission recently denied the businessman a special-use permit to open his business.
So Mead put out a banner on his building which reads, "Patterson’s XXX Porn Gallery".
Mead said he’s serious about opening the adult store to make money since he was denied a permit to open his rental shop.
Patterson and other residents claim the move is childish and in poor taste.
Mead says he hopes to open the porn gallery by August.

(Original Post)

Posted in News

A tour of Microsoft’s gargantuan, under-construction San Antonio data center reveals a state-of-the-art IT infrastructure on an immense scale.

Though the building alone covers a whopping 11 acres, you can’t even see Microsoft’s (NSDQ: MSFT) new $550 million data center in the hills west of San Antonio until you’re practically on top of it. But by that point, you can hardly see anything else.

These days, the massive data center is a bustling construction zone where visitors have to wear hardhats, helmets, orange safety vests, goggles and gloves. By September, it’ll be the newest star in Microsoft’s rapidly expanding collection of massive data centers, powering Microsoft’s forays into cloud computing like Live Mesh and Exchange Online, among plenty of other as-yet-unannounced services. Pulling in, visitors are stopped by Securitas guards who check IDs and ask if they work for Microsoft. An incomplete gate marks the way. Microsoft’s general manager of data center services, Mike Manos, won’t say exactly what security measures will be in place when the data center opens, but won’t rule anything out. "Will the gates be able to stop a speeding Mack truck?" I ask. "Or more," he responds. "Will you have biometrics?" "We have just about everything."

As the car rounds the bend beyond the gate, the building sweeps into full view. The San Antonio data center building itself is 475,000 square feet, or about 11 acres. It’s a 1.3 mile walk to circumnavigate the building. To get a perspective on that, it’s one building that’s the size of almost 10 football fields laid out side-by-side, or 1/10th the floor space of the entire Sears Tower, covered with servers and electrical equipment. "I thought I understood what scale looked like," Manos says.

When the San Antonio data center was under peak construction, 965 people were working full time to build it, with more than 15 trucks of material coming and going each day in order to get the job done in 18 months from scouting the site to opening up. The facilities were built with continuous workflow of materials in mind, even after the site’s completion.

As one walks toward the data center’s main entrance, a feature that stands out is a row of several truck bays much like would be seen in an industrial park. Trucks pull up and leave servers or other materials inside the bays or "truck tracks," to be picked up and inventoried in the next room and then moved to storage or deployment.

Most everything in the data center is functional. On the small scale, wainscoting-like pieces of plywood cover the bottom of hallway walls to protect both the walls and servers and other equipment moving back and forth. On the large scale, San Antonio is actually two data centers side by side to separate business risk. "One side could burn down and the other one could continue to operate," Manos says.

The components inside are just as gargantuan as those on the outside. Seven massive battery rooms contain hundreds of batteries and 2.7 mW of back-up power apiece. Very few industrial sites, among them aluminum smelters, silicon manufacturers and automobile factories, consume as much energy as mega data centers of the order Microsoft is building.

(Read More)

Posted in News, Security

EMC’s Interpretation -
At most companies today, security projects are being driven by compliance and audit, so what a surprise that they don’t have alignment with the business! Security practitioners are not working on business problems; they are working on regulatory issues.
Now I’m not going to suggest that all regulation is unjustified and that businesses can’t profit from the level playing field that regulation can create.

While effective attacks against 1024-bit RSA keys appear unlikely to emerge in the near term, the community has for some years suggested the prudence of a movement away from 1024-bit key lengths by the end of 2010. The U.S. National Institute of Standards (NIST) recommends in its special publication 800-57, "Recommendation for Key Management–Part I: General" (http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf, p. 66), that 1024-bit RSA be used to confer data protection only through 2010. Similarly, in May 2003, RSA Labs published key-size recommendations deprecating the use of 1024-bit RSA keys for protection of data with a lifetime beyond 2010. The general consensus is that 1024-bit RSA keys are roughly equivalent in strength to 80-bit symmetric keys, and that advances in computing power and incremental algorithmic advances could bring such keys within the reach of intensive computational attack in the next decade. It is worth noting, however, that many view the NIST date of 2010 as a conservative "best by" date, selected in part in anticipation of delayed industry adherence to NIST guidelines.

However, any regulation can be interpreted to the extreme and when it comes to security, materiality and RISK are NOT often given their proper weighting.

Finally, vendors must build and implement "Thinking Security" systems, collaborating with practitioners and each other. The rise of thinking security will mean that information-centric security is a reality, a reality that will catapult security to a new plane where it is widely seen as an accelerator of innovation.

(Original Post)

Posted in News, Security

Yesterday, Photobucket, the world’s most popular photo sharing site according to Hitwise, had its DNS records hijacked to return a hacked page courtesy of the NetDevilz hacking group, a Turkish web site defacement group most widely known for its defacement of the adult video site Redtube earlier this year. Photobucket users across the world are reporting minor outages of the service and problems when trying to access their accounts, the consequence of what looks like the type of DNS records hijacking that redirected Comcast.net to a third-party domain last month.

Third-party site monitoring services indicate that the site was down for 15 minutes yesterday, from 17:39:39 to 17:55:10, whereas according to a comment left by a Photobucket Forum Support representative, the downtime due to the propagation of the corrected DNS entries was longer:

“On Tuesday afternoon, some users that typed in the Photobucket.com URL were temporarily redirected to an incorrect page due to an error in our DNS hosting services. The error was fixed within an hour of its discovery, but due to the nature of the problem, some users will not have access to Photobucket for a few hours as the fix rolls out. It is important to note that only a portion of Photobucket users encountered the problem and that no Photobucket content, password information or other personal information was affected by the redirect.”

The hacking group appears to have been using the hosting services of atspace.com, the web hosting service of Zetta hosting solutions, and users of Photobucket attempting to access the site with the old DNS entries are still being redirected to a default hosting ad page within atspace.com. The effect of the redirection can also be seen by taking a peek at the publicly obtainable stats for atspace.com, where the sudden peak in traffic resulting in 118,864 visitors for today came from the default ad page used in the redirection.

With the second DNS hijacking attack against a high-profile domain in recent months, it seems that adaptive malicious parties unable to directly compromise a site will continue taking advantage of good old-fashioned DNS hijacking, if only to prove that it’s still possible even on a high-profile domain using the services of a Tier 1 domain registrar.

(Original Post)

June 17, 2008

High-Profile Hackers Get Their Days in Court
   Author: admin

Posted in News, Security

And in two cases, that day is followed by a whole bunch of days in the hoosegow

Three high-profile cybercrime cases have come to a head in the past week, leaving two hackers headed for jail and a third arguing a pivotal legal appeal.

Two of the cases involved sentencing for previously convicted defendants, both of whom were found guilty of using botnets as a primary weapon.

On Tuesday, Gregory King (aka Silenz) of Fairfield, Calif., pleaded guilty to two counts of transmitting code to cause damage to a protected computer. He agreed to a two-year sentence, according to the U.S. Attorney’s office in Eastern California.

King admitted to using a 7,000-node botnet to launch multiple distributed denial of service attacks on Killanet, a Web design and gaming site, between 2004 and 2006. He also made DDOS attacks on Castlecops, an Internet security site that specializes in identifying spammers and phishers, in 2007.

On Wednesday, a Florida judge sentenced Robert Matthew Bentley to 41 months in prison for hacking into computers used by Newell Rubbermaid and harnessing them to create a botnet that was used to spread advertising for a Western European company. Each new infected computer would register with the advertising company, which would pay Bentley a commission, authorities said in a news report.

More than 100 computers were affected at Rubbermaid, resulting in costs of more than $15,000, the court said. According to the indictment, Bentley and his co-conspirators collected more than $5,000 between Oct. 1, 2005, and Oct. 31, 2006. The documents did not say how large Bentley’s botnet was.

And earlier today, five judges in the U.K. began hearing an appeal from Gary McKinnon, the British hacker, who is accused of attacking 97 U.S. government computers between 2001 and 2002 in what has been described as the "biggest military hack ever" on U.S. systems.

McKinnon is fighting extradition to the U.S. on charges that carry a potential sentence of 60 years in prison. McKinnon is arguing that U.S. authorities stepped over the line in a plea bargain negotiation and threatened him with a stiffer sentence if he did not voluntarily agree to the extradition. A decision on the appeal is not expected for several weeks.

(Original Post)

