Domain: eweek.com
Stories and comments across the archive that link to eweek.com.
Stories · 701
Cracking the BlackBerry with a $100 Key
Hit Reply writes "Eweek is running the contents of a Symantec white paper that details how easy it is for a hacker to manipulate BlackBerry applications. Using a developer key that can be purchased by anyone for $100, an attacker can launch e-mail worms, SMS interception and backdoor attacks, and compromise the integrity of contacts, events and to-do items. The white paper has been yanked from Symantec's Web site." From the article: "Signed applications can send e-mail and read incoming e-mail. A malicious application could be used to allow third parties to send messages from the infected BlackBerry and also read all received messages. A malicious application could also use e-mail as a command and control channel to receive instructions to send and receive e-mails; send and receive SMS messages; add, delete and modify contacts and PIM data; read dialed phone numbers; initiate phone calls; and open TCP/IP connections."
Oracle Zero-Day Flaw Project Cancelled
Benny Folds writes "Cesar Cerrudo of Argeniss has suddenly cancelled plans to release daily zero-day flaws in Oracle databases during the first week in December. Just days before the project was due to start, Cerrudo announced that 'due to many problems,' the WoODB (Week of Oracle Database Bugs) is being scrapped. He did not elaborate on the reasons for the cancellation."
Tech Czar Unimpressed With US IT Workforce
theodp writes, "'The IT work force is not skilled enough and almost never can be skilled enough,' said Robert Cresanti, Under Secretary of Commerce for Technology. So what does the Poli Sci grad and ex-General Counsel for the ITAA think is the answer? Open the gates to more foreign workers, urged Cresanti, including H-1B holders."
Deconstructing a Pump-and-Dump Spam Botnet
Behind the Front writes "eWeek has teamed up with Joe Stewart, a senior security researcher at SecureWorks in Atlanta, to show the inner workings of a massive botnet that is responsible for the recent surge of 'pump and dump' spam. It's a detailed picture of how these sleazy operations work and why they're so hard to shut down. Sobering numbers: 70,000 infected machines capable of pumping out a billion messages a day, virtually all of them for penis enlargement and stock scams. Excellent graphics, too, including one chart that shows that Windows XP Service Pack 2 is hosting nearly half the attacked machines."
Bill Gates On the Past, Future, and Google
editingwhiz writes "eWEEK reports that Bill Gates told PBS talk show host Charlie Rose and a Stanford University audience at TechNet Wednesday that 'We're at the beginning of something important again' in the development of technology — just as in the 1980s with the advent of the PC. He also discussed the growing Microsoft-Google competition, world health issues, how to give lots of money away to the benefit of mankind, and whether he'll return to Harvard to finish his studies." From the article: "On whether there's another idea today that is as powerful as the idea of the personal computer in the 1970s: 'If I knew medicine like I do computers, I would like to be able to control the [human] immune system, to fight against the onset of disease on a world level ... but I think the idea of the PC still would have topped that.'"
Healthcare Giant Faces IT Nightmare
Joan writes "Kaiser Permanente, the largest HMO in the U.S., has spent about $4 billion on an unreliable electronic medical record system that is impacting patient care, according to a 722-page internal report revealed by Computerworld. The CIO resigned after the news came out, and CEO George Halvorson is telling the media that the goal is an alarmingly low 99.5% uptime and that all the problems are really just power outages. Yesterday, Slashdot covered a story about the possibility that the NHS in the UK could now claim the 'biggest IT disaster' prize, but Americans, fear not: so far, the Brits are running a much more efficient failure at $24,000 per physician per year, while America's KP is spending $76,920 per physician, per year on its failing project."
Red Hat Rejects Microsoft Patent Deal Overtures
Geekgal writes "Red Hat has slammed the door shut on any possibility of entering into a patent protection deal similar to the one Microsoft recently announced with Novell, eWeek is reporting. While Microsoft has repeatedly said it wants to work with Red Hat and would like to structure a relationship where its customers can be assured of the same thing as Novell's customers now are, Mark Webbink, Red Hat's deputy general counsel, says 'we do not believe there is a need for or basis for the type of relationship defined in the Microsoft-Novell announcement.' Interestingly enough, Microsoft also says that it has not ruled out going it alone and providing some sort of indemnification for its customers who also use Red Hat Linux." Meanwhile, Eben Moglen, the FSF general counsel, promises that GPLv3 will explicitly outlaw deals like this. (Of course everyone's on v2, so calling the Novell deal "DOA" would be premature.)
Code Execution Bug In Broadcom Wi-Fi Driver
2U*U2 writes to mention an EWeek article about an entry in the Month of Kernel Bugs. John Ellch has discovered a critical vulnerability in the Broadcom wireless driver: a driver used in machines from HP, Dell, Gateway, and eMachines. From the article: "[The bug] is a stack-based buffer overflow in the Broadcom BCMWL5.SYS wireless device driver that could be exploited by attackers to take complete control of a Wi-Fi-enabled laptop. The vulnerability is caused by improper handling of 802.11 probe responses containing a long SSID field and can lead to arbitrary kernel-mode code execution. The volunteer ZERT (Zero Day Emergency Response Team) warns that the flaw could be exploited wirelessly if a vulnerable machine is within range of the attacker."
Security Firm Bypasses Patch Guard
filenavigator writes, "This week the security firm Authentium found a workaround for Patch Guard, the security feature Microsoft has embedded into the 64-bit version of Windows. It is supposed to keep out unsigned drivers, kernel modifications, and security company competitors. With Authentium's workaround it can be turned off, software installed, and turned right back on. Microsoft immediately responded by saying their reckless ways are endangering the security of Windows users and that they will disable this hack quickly."
Joanna Rutkowska Discusses VM Rootkits
Unwanted Software writes "There's an interesting interview on eWeek with Joanna Rutkowska, the stealth malware researcher who created the 'Blue Pill' VM rootkit and planted an unsigned driver on Windows Vista, bypassing the new device driver signing policy. She roundly dismisses the quality of existing anti-virus/anti-rootkit products and makes the argument that the world is not ready for VM technology. From the article: 'Hardware virtualization, as recently introduced by Intel and AMD, is very powerful technology. It's my personal opinion that this technology has been introduced a little bit too early, before the major operating system vendors were able to redesign their systems so that they could make a conscious use of this technology, hopefully preventing its abuse.'"
Wi-Fi Exploits Coming to Metasploit
bucksDrop writes "Eweek.com is reporting that the Metasploit Project will add 802.11 (Wi-Fi) exploits to a new version of its point-and-click attack tool. Metasploit 3 will integrate kernel-mode payloads to allow users to use existing user-mode payloads for both kernel and non-kernel exploits. Metasploit is collaborating with Jon 'Johnny Cache' Ellch and implementing it by wrapping the LORCON library."
Sun Boxes Up the Data Center
Have data center, will travel. Sun recently announced their portable data center initiative, though it is not yet available. "Project Blackbox", a 20-by-8-by-8-foot shipping container, holds 120 Sun Fire T2000 or 240 Sun Fire T1000 servers, or about 250 AMD Opteron-based "Galaxy" systems. In addition, a storage-focused container can provide up to 2 petabytes of storage, said Sun Chief Marketing Officer and Executive Vice President Anil Gadre. A container also can offer up to 15TB of memory. The compact design's floor space is about one-third the size of a traditional 10,000-square-foot data center; saves up to 20 percent in power and cooling costs; and can be deployed about 10 times faster, sometimes in a matter of weeks. "Basically, it rolls up to you, you hook up your power, you hook up your water, you hook up your network and you're ready to go," Gadre said.
Trojan Installs Anti-Virus, Removes Other Malware
An anonymous reader writes "SpamThru takes the game to a new level. The new virus uses an anti-virus engine to remove potential 'rival' infectious code." From the article: "At start-up, the Trojan requests and loads a DLL from the author's command-and-control server. This then downloads a pirated copy of Kaspersky AntiVirus for WinGate into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL to avoid having Kaspersky refuse to run due to an invalid or expired license, Stewart said. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation."
Is the Botnet Battle Already Lost?
An anonymous reader writes "Researchers are finding it practically futile to keep up with evolving botnet attacks. 'We've known about [the threat from] botnets for a few years, but we're only now figuring out how they really work, and I'm afraid we might be two to three years behind in terms of response mechanisms,' said Marcus Sachs, a deputy director in the Computer Science Laboratory of SRI International, in Arlington, Va. There is a general feeling of hopelessness as botnet hunters discover that, after years of mitigating command and controls, the effort has largely gone to waste. 'We've managed to hold back the tide, but, for the most part, it's been useless,' said Gadi Evron, a security evangelist at Beyond Security, in Netanya, Israel, and a leader in the botnet-hunting community. 'When we disable a command-and-control server, the botnet is immediately re-created on another host. We're not hurting them anymore.' There is an interesting image gallery of a botnet in action as discovered by security researcher Sunbelt Software."
Security and the $100 Laptop
gondaba writes "The One Laptop Per Child project is actively recruiting hackers to help crack the security model of the $100 laptop to avoid the obvious risks associated with what will effectively be the largest computing monoculture in history. From the article: 'The key design goal, Krstic explained, is to avoid irreversible damage to the machines. The laptops will force applications to run in a "walled garden" that isolates files from certain sensitive locations like the kernel. "If we discover vulnerabilities, the security model must hold up enough that even a machine that is unpatched won't be easily exploitable. This gives us a bit of diversity to avoid the monoculture trap," he added.'"
The Age of Technological Transparency
endychavez writes "Executives and politicians may be starting to realize that privacy is dead and secrets can no longer be kept in the information age. There is always a technological trail, and transparency is pervasive. Just ask Patricia Dunn and Mark Foley. In a piece at eWeek, Ed Cone from CIO Insight talks about the specific technologies that brought them down." From the article: "Foley may have thought his IMs were disappearing into the ether as soon as they cleared his computer screen. Instead, the messages were saved, and his career was ruined, and the House leadership is left to fight for survival. We talk a lot about transparency as a virtue in the age of the web, and hold it up as a marketing technique and a better way to run an enterprise. Sun's blogging CEO, Jonathan Schwartz, is lobbying the SEC to allow more financial information to be disclosed online. Corporations are using all manner of web-techs to speak more directly to stakeholders. But transparency needs to be understood as more than a slogan or a strategy. It's a reality. It can be imposed on you by the Internet, whether you want to be transparent or not."
The Day Against DRM
Qubit writes, "DefectiveByDesign.org, a campaign by the Free Software Foundation, is making Oct 3rd a Day Against DRM: 'Defeating DRM is all about awareness. The direct actions that we have taken are all about this. Today we are asking you to let the people around you know that DRM is bad for our society. Let's create space for the debate. Do we want handcuffs and locks on art and knowledge? As our friends at Disney recognize, if there is this debate, we will have won.'" Bayboy adds an article from eWeek mentioning that members of DefectiveByDesign.org are going to descend on flagship Apple stores in New York and London to protest the company's embrace of DRM. And Another AC writes, "In honor of the Day Against DRM, DreamHost has released a new service called Files Forever (for Dreamhost customers only during beta). This seems to be basically an iTunes Music Store that anybody can sell any sort of files through... as long as they have no DRM. Dreamhost handles all the payment processing and stores the file forever, offering unlimited re-downloads to end users who buy files through the service. When somebody buys a file they're even allowed to 'loan' it to others for free!"
Firefox Zero-Day Code Execution Hoax?
Akon writes, "eWeek is running a follow-up story on the claim by two hackers that Firefox's implementation of JavaScript is critically flawed and could result in code-execution attacks. Turns out this is a possible hoax that was overblown for laughs." Mozilla's engineers say the risk is limited to a denial-of-service issue. From the article: "'As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has... I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code,' Spiegelmock said." Spiegelmock also stated that the claim that there were 30 other undisclosed exploits was made solely by his co-presenter, Andrew Wbeelsoi.
The Third-Party Patching Conundrum
An anonymous reader writes, "The Zero Day Emergency Response Team, or ZERT, stepped out of the shadows a week ago to offer a quick patch for the Microsoft VML vulnerability. eWeek reports that reactions to third-party patches have been mixed. Jesper Johansson, a former Microsoft security consultant, said 'I will not use the unofficial patch, nor can I think of anyone I would recommend it to.' ZERT has enrolled former White House IT security expert Marcus Sachs as a spokesman of sorts. He told eWeek, 'This patch is just another arrow in the quiver. These guys are some of the best-known reverse engineers and security researchers. It's a tight-knit group that has worked for years to make the Internet a safer place. This isn't a patch created by some guy in a basement.' And while MS did release an out-of-band patch this week for XP, ZERT releases updates for operating systems that are out of MS support: Windows 98, Windows 98 SE, Windows ME, Windows 2000 and Windows 2000 SP3."
Intel Previews Potential Replacement for Flash Memory
GeeksAreSexy writes "Eweek has an article up about the invention of a new kind of nonvolatile memory technology that could one day replace traditional flash memory. Unlike traditional flash memory, chips using this new technology will be able to execute code with performance, and sustain millions of read/write cycles without dying." From the article: "This is a case in which 'Necessity is the mother of invention' is very true. We were forced to look for something else, completely different. That's why we decided to invest in PCM ... There are definitely limits to what you can do with our current flash methodology. There needs to be a complete quantum leap somewhere along the line to push everything forward. We believe PCM are going to be that quantum leap."
Zero-Day Team Launches with Emergency IE Patch
Holy Mother of Thor writes to mention an eWeek article about a third-party patch for Internet Explorer. A dark horse security group formed after the WMF attacks in late 2005, the ZERT (Zero Day Emergency Response Team) has released a patch to attempt to slow the malware attacks on Windows. From the article: "'It is clear that we are dealing with an underground group of people who are writing exploits for profits. They are waiting for Patch Tuesday to pass, then it becomes Exploit Wednesday. We're seeing these zero-days in the wild, timed precisely to guarantee at least an entire month to spread,' Stewart said in an interview with eWEEK. Stewart, who is volunteering his reverse-engineering skills and time to ZERT in his private capacity, wrote an early version of the VML (Vector Markup Language) patch the group released Sept. 22 and worked closely with others to fine-tune the update to minimize potential glitches."
Googling for ATM Master Passwords
default DOLLAR writes to mention an eWeek article following up on the ATM reprogramming scam pulled in Virginia Beach last week. A security researcher in New York has used a YouTube video, a few Google searches, and other legal methods to discover the master passwords to thousands of ATMs across the country. From the article: "Dave Goldsmith, founder and president of penetration testing outfit Matasano Security, in New York, did not say how he obtained the operator manual--which contains master passwords and other sensitive security information about the cash-dispensing machines--but an eWEEK investigation shows that a simple Google query will return a 102-page PDF file that provides a road map to the hack."
Brave New Ballot
Ben Rothke writes "In an important new book Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting, Avi Rubin writes 'too often in American life, when it comes to divisive issues, the facts can be less important than the weight of public opinion'. That basically sums up Rubin's story in this fascinating story of his frustrations in dealing with government and corporate officials in his quest to show that e-voting was not as secure as it was originally made out to be." Read the rest of Ben's review.
Title: Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting
Author: Aviel Rubin
Pages: 272
Publisher: Morgan Road Books
Rating: 10
Reviewer: Ben Rothke
ISBN: 0767922107
Summary: Electronic voting systems are being deployed with inadequate levels of trust and security
Brave New Ballot (BNB) is Rubin's story of how in 2003, he and his graduate students at Johns Hopkins University demonstrated that the Diebold Election Systems electronic voting technology in wide use was full of security problems. It was just in 2002 that Sherron Watkins of Enron was named Time magazine person of the year for her work in uncovering fraud at Enron. It would have been thought that Rubin's work would have immediately won him some sort of patriot of the year award for his work.
While the accolades were indeed many, his team's research was maligned as being that of a homework assignment, and the Administrator for Elections for the state of Maryland (where Rubin lives and works) publicly stated that 'computer scientists (a direct reference to Rubin and his team) who question the security of electronic voting machines are undermining our democracy.' Such a scenario makes up much of the story that the book tells in Rubin's team's efforts to blow the whistle on insecure e-voting machines.
As to the Administrator for Elections for the state of Maryland and her disdain for computer scientists, she would likely find constituents such as the zombie-like Stepford wives more to her liking. Unfortunately, she ended up with Professor Rubin.
It is not that secure electronic voting is inherently unattainable. Rather, nearly all of the commercial solutions that have shipped to date have not been adequately designed with security in mind. This is due to many factors, some of which are that the makers of these devices do not completely understand the security risks and countermeasures, in addition to public officials who are far too trusting of these commercial e-voting vendors.
The early chapters of the book detail how Rubin's team analyzed the security and cryptography used within the extremely sloppy coding of the Diebold Accuvote-TS direct recording electronic device. One particularly humorous incident is when the Diebold programmers reference Bruce Schneier's Applied Cryptography in their C++ code for their decision of which algorithm to use for pseudorandom number generation. The only problem is that Applied Cryptography states that the specific algorithm they used should specifically not be utilized for random number generation. Rubin comically states about that incident that Diebold should have consulted with Schneier, rather than have their staff misunderstand what they read in his book.
I had a similar frustrating incident when consulting on an e-voting system some years ago. The lead developer (who obviously was no expert in cryptography) documented that the e-voting system used 120-bit encryption. Upon analysis, we found that the system was using 40-bit encryption. When countered about that, the developer replied that they perform the 40-bit encryption routine three times using the same key, for an effective 120-bit key length. Of course, 40-bit encryption will always be (insecure) 40-bit encryption, no matter how many iterations he put it through; but it is frightening that he did not know that.
After his team presented their report in 2003, Rubin writes in detail how Diebold started a smear campaign against him. Not only was it Diebold, but also election officials in municipalities that had deployed the Accuvote-TS system that also maligned Rubin. This was done primarily by misinterpreting his objections, and also by refusing to pay attention to other independent reports on the insecurity of the devices.
For a more timely and somewhat humorous account of how insecure Diebold really is, see 'Hotel Minibar Key Opens Diebold Voting Machines'.
Being a whistle-blower always takes a toll on a person and Rubin was no different. His work on e-voting consumed him and took a toll on his family, career and his students. The book chronicles how Rubin found himself caught in a crossfire between big business, partisan politics, and overworked election officials. Rubin also found himself in the crosshairs of the ITAA (Information Technology Association of America), a powerful vendor-based lobbying group. The ITAA, of which Diebold was a client, attempted to discredit him on many occasions, but their evidence was always weak and reckless, and in the end only served to bolster Rubin's claims against the Diebold systems.
Part of the absurd claims of the ITAA was that the open-source movement is using the issue of e-voting security to wage a 'religious war' that pits open-source software against proprietary software. Rubin could have filled chapters with similar ITAA absurdities, but wisely chose not to.
Similarly, an article I wrote 'E-Voting: It's Security, Stupid' also was the recipient of the wrathful ITAA reply. In their so-called rebuttal mistakenly titled 'E-Voting Does Work', Harris Miller of the ITAA follows his modus operandi of first attacking the person, avoiding the issue, stating vague meaningless comments, and concluding the issue by missing the point.
99% of the voting public does not know about backdoors, insecure code, Trojan Horses, insider threats, and scores of other security issues that the e-voting vendors have yet to fully address. The election process as we know it is rapidly being migrated to these electronic voting machines that are replacing the older, but more reliable, mechanical systems.
BNB is a timely and important book as it details the very real defects on which these e-voting systems are built (and Windows is only one of them). The ITAA made claims such that the only vulnerability within e-voting is that of a rogue programmer conspiring to steal public office. Such politicking only serves to confuse the issue for a public that is inherently trustful of these voting machines. Yet if these e-voting machines were built to the same stringencies and regulations that the aviation and pharmaceutical industries face, they would never make it within a mile of a voting booth.
Brave New Ballot is to e-voting what Rachel Carson's Silent Spring is to the global environmental movement. It is a vitally important book that details the problem of e-voting and what can be done in the future to make certain that it can one day be carried out in a secure manner.
Of course, the image of an embedded crypto key or plaintext password in an e-voting system does not convey the same impact on the public as that of a thalidomide baby. Pictures of thalidomide babies caused heads to roll at the FDA, and one should hope that the publication of Brave New Ballot will awaken the public from their slumber on the topic of electronic voting, and encourage the Election Assistance Commission to immediately ban electronic voting until it can be secured.
Deforest Soaries, the first Chairman of the United States Election Assistance Commission, sums it up best when he states 'If the integrity of our sacred right of voting is less important than partisan politics, corporate interests, or bureaucratic systems, then shame on us for presenting ourselves as the global standard bearers of democracy.' As Brave New Ballot shows, there is a lot of shame going around.
You can purchase Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting from bn.com.
Brave New Ballot
Ben Rothke writes "In an important new book Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting, Avi Rubin writes 'too often in American life, when it comes to divisive issues, the facts can be less important than the weight of public opinion'. That basically sums up Rubin's story in this fascinating story of his frustrations in dealing with government and corporate officials in his quest to show that e-voting was not as secure as it was originally made out to be." Read the rest of Ben's review. Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting author Aviel Rubin pages 272 publisher Morgan Road Books rating 10 reviewer Ben Rothke ISBN 0767922107 summary Electronic voting systems are being deployed with inadequate levels of trust and security
Brave New Ballot (BNB) is Rubin's story of how in 2003, he and his graduate students at Johns Hopkins University demonstrated that the Diebold Election Systems electronic voting technology in wide use was full of security problems. It was just in 2002 that Sherron Watkins of Enron was named Time magazine person of the year for her work in uncovering fraud at Enron. It would have been thought that Rubin's work would have immediately won him some sort of patriot of the year award for his work.
While the accolades were indeed many, his team's research was maligned as being that of a homework assignment, and the Administrator for Elections for the state of Maryland (where Rubin lives and works) publicly stated that 'computer scientists (a direct reference to Rubin and his team) who question the security of electronic voting machines are undermining our democracy.' Such a scenario makes up much of the story that the book tells in Rubin's team's efforts to blow the whistle on unsecure e-voting machines.
As to the Administrator for Elections for the state of Maryland and her disdain for computer scientists, she would likely find constituents such as the zombie-like Stepford wives more to her liking. Unfortunately, she ended up with Professor Rubin.
It is not that secure electronic voting is inherently unattainable. Rather, nearly all of the commercial solutions that have shipped to date have not been adequate designed with security in mind. This is due to many factors, some of which are that the makers of these devices do not completely understand the security risks and countermeasures, in addition to public officials who are far too trusting of these commercial e-voting vendors.
The early chapters of the book detail how Rubin's team analyzed the security and cryptography used within extremely sloppy coding of the Diebold Accuvote-TS director recording electronic device. One particularly humorous incident is when the Diebold programmers reference Bruce Schneier's Applied Cryptography in their C++ code for their decision of which algorithm to use of a for pseudorandom number generation. The only problem is that Applied Cryptography states that the specific algorithm they used should specifically not be utilized for random number generation. Rubin comically states about that incident that Diebold should have consulted with Schneier, rather than have their staff misunderstand what they read in his book.
I had a similar frustrating incident when consulting on an e-voting systems some years ago. The lead developer (who obviously was no expert in cryptography) documented that the e-voting system used 120-bit encryption. Upon analysis, we found that the system was using 40-bit encryption. When countered about that, the developer replied that they perform the 40-bit encryption routine three times using the same key, for an effective 120-bit key length. Of course, 40-bit encryption will always be (insecure) 40-bit encryption, no matter how many iterations he put it through; but it is frightening that he did not know that.
After his team presented their report in 2003, Rubin writes in detail about how Diebold started a smear campaign against him. It was not only Diebold: election officials in municipalities that had deployed the Accuvote-TS system also maligned Rubin, primarily by misinterpreting his objections and by refusing to pay attention to other independent reports on the insecurity of the devices.
For a more timely and somewhat humorous account of how insecure Diebold really is, see 'Hotel Minibar Key Opens Diebold Voting Machines'.
Being a whistle-blower always takes a toll on a person, and Rubin was no different. His work on e-voting consumed him and took a toll on his family, career and students. The book chronicles how Rubin found himself caught in a crossfire between big business, partisan politics, and overworked election officials. Rubin also found himself in the crosshairs of the ITAA (Information Technology Association of America), a powerful vendor-backed lobbying group. The ITAA, of which Diebold was a client, attempted to discredit him on many occasions, but its evidence was always weak and reckless, and in the end only served to bolster Rubin's claims against the Diebold systems.
Among the ITAA's absurd claims was that the open-source movement is using the issue of e-voting security to wage a 'religious war' that pits open-source software against proprietary software. Rubin could have filled chapters with similar ITAA absurdities, but wisely chose not to.
Similarly, an article I wrote, 'E-Voting: It's Security, Stupid', also received a wrathful ITAA reply. In their so-called rebuttal, mistakenly titled 'E-Voting Does Work', Harris Miller of the ITAA follows his modus operandi of first attacking the person, avoiding the issue, making vague, meaningless comments, and concluding by missing the point.
99% of the voting public does not know about backdoors, insecure code, Trojan horses, insider threats, and scores of other security issues that the e-voting vendors have yet to fully address. The election process as we know it is rapidly being migrated to electronic voting machines that are replacing the older, but more reliable, mechanical systems.
BNB is a timely and important book, as it details the very real defects on which these e-voting systems are built (and Windows is only one of them). The ITAA made claims such as that the only vulnerability within e-voting is that of a rogue programmer conspiring to steal public office. Such politicking only serves to confuse the issue for a public that is inherently trustful of these voting machines. Yet if these e-voting machines were built to the same stringent standards and regulations that the aviation and pharmaceutical industries face, they would never make it within a mile of a voting booth.
Brave New Ballot is to e-voting what Rachel Carson's Silent Spring is to the global environmental movement. It is a vitally important book that details the problem of e-voting and what can be done in the future to make certain that it can one day be carried out in a secure manner.
Of course, the image of an embedded crypto key or plaintext password in an e-voting system does not convey the same impact on the public as that of a thalidomide baby. Pictures of thalidomide babies caused heads to roll at the FDA, and one should hope that the publication of Brave New Ballot will awaken the public from their slumber on the topic of electronic voting, and encourage the Election Assistance Commission to immediately ban electronic voting until it can be secured.
Deforest Soaries, the first Chairman of the United States Election Assistance Commission, sums it up best when he states: 'If the integrity of our sacred right of voting is less important than partisan politics, corporate interests, or bureaucratic systems, then shame on us for presenting ourselves as the global standard bearers of democracy.' As Brave New Ballot shows, there is a lot of shame going around.
You can purchase Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting from bn.com. -
Hacker Finds Multiple PDF Backdoors
Gungadin writes "Eweek.com has a story about a British security researcher figuring out a way to manipulate legitimate features in Adobe PDF files to open backdoors for computer attacks. David Kierznowski, a penetration testing expert specializing in Web application testing, has released proof-of-concept code and two sample PDF files to demonstrate how the Adobe Reader program can be rigged to launch Web-based attacks without any user action. He claims there are at least seven different ways to backdoor a PDF." -
Windows Monoculture Myopia Revisited
round stic writes "eWeek magazine has an interesting look at the effects of the Windows monoculture on IT budgets, even as everyone agrees on the severity of the inherent security risks. The article contains interviews with Dan Geer and others who warned about the risks of the Windows monopoly three years ago. The article coincides with a piece in the Observer that suggests Vista is the end of the Microsoft monolith because of how complex the operating system has become." -
Botnet Business Model Comes to Life
consumerist writes "Researchers at the German Honeynet Project have discovered that a malicious hacker earned about $430 in a single day installing spyware on computers in the latest Windows worm attack. Within 24 hours, the IRC-controlled botnet hijacked more than 7,700 machines via the Windows Server Service vulnerability (MS06-040) and hosed the infected computers with the spyware from DollarRevenue. The botnet operator made between a penny and 30 cents for every piece of spyware installed. Add that to the spam rental and DDoS extortion money and we have a booming business." -
Former MS Security Strategist Joins Mozilla
Handset writes "Former Microsoft security strategist Window Snyder is joining Mozilla to lead the company's effort to protect its range of desktop applications from malicious hacker attacks. eweek.com reports that Snyder, who was responsible for security sign-off for Microsoft's Windows XP Service Pack 2 and Windows Server 2003, will spearhead Mozilla's security strategy and improve its communications with external hackers and bug finders." -
Microsoft Research Builds 'BrowserShield'
SteelyBen writes "Researchers at Microsoft have completed work on a prototype framework called BrowserShield that promises to intercept and remove, on the fly, malicious code hidden on Web pages, instead showing users safe equivalents of those pages. The BrowserShield project, an outgrowth of the company's 'Shield' initiative, could one day even become Microsoft's answer to zero-day browser exploits such as the WMF (Windows Metafile) attack that spread like wildfire in December 2005." -
Redmond Yawning at Apple-Google Alliance?
Debra D'Agostino writes "Despite the media hype around Google CEO Eric Schmidt's appointment to Apple's board, CIO Insight Executive Editor Dan Briody says it's not that big a story. 'Apple and Google are already plenty tight,' he says. Arthur Levinson, CEO of Genentech, has been on both boards for years. And Al Gore and Intuit Chairman Bill Campbell are both Apple board members and advisors to Google. 'While it's fun to speculate about what an Apple-Google alliance could produce (GoogleMacs? MacGoogle? GoogleTunes?) this move is far from an alliance,' Briody writes. 'And even if it were, it wouldn't be the first time that two upstart powerhouses have joined forces in an attempt to unseat Microsoft. Remember AOL-Netscape? Boy, they just steamrolled the team from Redmond, didn't they?'" -
Microsoft License Goes to OSI But Not From Redmond
An anonymous reader writes "eWeek is reporting that a Microsoft Shared Source license, the Microsoft Community License, was submitted to the Open Source Initiative for official approval, but it wasn't Microsoft who submitted it. The license, it appears, was submitted by John Cowan, who is a programmer and blogger and who also volunteers for the Chester County InterLink, a non-profit founded in 1993 by former OSI president Eric Raymond and Jordan Seidel. Needless to say, the OSI contacted Microsoft to see if it should evaluate the license anyway, and was told to drop it." -
Palm to Announce New Treo in September
bain writes "Reuters reports that Palm has committed to unveiling at least one of its next-gen Treos next month. It's believed that it will be the Windows Mobile-based UMTS model first mentioned for Vodafone in July." From the article: "The California-based firm said in July the new version will operate on Vodafone's high-speed third generation (3G) network and be powered by Microsoft Corp.'s Windows Mobile operating system, however details about the handset's functionality remain sketchy. The current 700p version of the latest Treo has a slot for Wi-Fi and Bluetooth cards, but with the latest Nokia, Sony Ericsson and O2 offerings all boasting the technology in-built, Palm knows it can not afford to fall further behind as the competition heats up." -
Eavesdropping on a Botnet
wild3rbeast writes "Joe Stewart, a senior security researcher with LURHQ's Threat Intelligence Group has figured out a way to silently spy on a botnet's command-and-control infrastructure, and finds that for-profit crackers are clearly winning the cat-and-mouse game against entrenched anti-virus providers. From the article: 'The lesson here is once you get infected, you are completely under the control of the botmaster. He can put whatever he wants on your machine, and there's no way to be 100 percent sure that the machine is clean. The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system.'" -
Researcher Creates Handheld Hacking Tool
Kickball Notches writes "Immunity's Dave Aitel plans to start selling a portable hacking device equipped with hundreds of exploits. The wireless handheld, called Silica, comes equipped with more than 150 exploits from Canvas and an automated exploitation system that allows simulated hacking attacks from the palm of your hand. It supports 802.11 (Wi-Fi) and Bluetooth wireless connections and is based on Linux." -
Botnet Herders Attack MS06-040 Worm Hole
Laljeetji writes "eweek reports that the first wave of malicious attacks against the MS06-040 vulnerability is underway, using malware that hijacks unpatched Windows machines for use in IRC-controlled botnets. The attacks, which started late Aug. 12, use a variant of a backdoor Trojan that installs itself on a system, modifies security settings, connects to a remote IRC (Internet Relay Chat) server and starts listening for commands from a remote hacker. On the MSRC blog, Microsoft is calling it a very small, targeted attack that does not (yet?) have an auto-spreading mechanism. LURHQ has a detailed analysis of the backdoor." -
Microsoft Bracing for Worm Attack
10010010 writes "A network worm attack targeting a critical Microsoft Windows vulnerability appears inevitable. The flaw is easy to exploit, as evidenced by the quick release of an exploit module for HD Moore's Metasploit Framework. Within hours of the Patch Day release Tuesday, two pen testing companies (Immunity and Core) created and released 'reliable exploits' for the flaw, which was deemed wormable on all Windows versions, including Windows XP SP2 and Windows Server 2003 SP1." -
Homeland Security says 'Patch Windows Now'
gregger writes "Wow, so the Department of Homeland Security is really concerned with Microsoft patches now... enough to come out and tell us to patch our machines. This warning, chronicled in eWeek, was issued less than a day after the release of 23 patches from Redmond. So, if you don't apply the patches, then what?" -
DC Power Saves 15% Energy and Cost @ Data Center
Krishna Dagli writes "Engineers at the Lawrence Berkeley National Laboratory and about 20 technology vendors this month will wrap up a demonstration that they said shows DC power distribution in the data center can save up to 15 percent or more on energy consumption and cost. The proof-of-concept program, set up at Sun Microsystems' Newark, Calif., facility, offered a side-by-side comparison of a traditional AC power system and a 380-volt DC distribution system, running on both Intel-based servers and Sun systems." -
Borland Announces the Return of the Turbo Products, with Video
Leonel writes "Borland Software's Developer Tools Group just announced the return of the Turbo line of products. With free and cheap versions, it's aimed at students, hobbyist developers, occupational developers and individual programming professionals. More information is available at the Turbo Explorer website, including a video of the Adventures of TurboMan." -
No Virtual PC for Intel-based Macs
Techie writes "Microsoft has decided not to move forward with a version of Virtual PC for the Intel-based Macintosh. The amount of time it would take to bring Virtual PC to Intel would be roughly equivalent to creating the product from scratch, Scott Erickson, director of product management and marketing for Microsoft's Macintosh Business Unit, told eWEEK. The article says Microsoft will also be discontinuing support of Visual Basic scripting in the next version of Office for Mac." From the article: "As cross-platform compatibility remains a top priority at Microsoft, Erickson says that as the company develops the next version of Office for Mac, the files will continue to be compatible across platforms, including with the 2007 Microsoft Office System for Windows. VB macros within files will not be accessible and users will not be able to view or modify them. However, the files themselves can be edited without affecting or changing the macros." -
Oracle 'Losing Patience' with XenSource, VMware
HiTech writes "eWeek has an article looking at Oracle's frustration with both XenSource and VMware over their reluctance to work together. The goal is to develop a single interface for virtualization solutions in the Linux kernel. Oracle's comments follow those by Linux kernel maintainer Greg Kroah-Hartman at Oscon last week that XenSource and VMware were butting heads instead of working together to come up with a joint solution. Brian Byun, VMware's vice president of products and alliances, admits the company had been approached by a neutral third party for offline mediation to establish how best to make this happen. But Simon Crosby, the CTO for XenSource, rules out any mediation, saying he believes the two companies are committed to solving the real technical issues." -
'Perfect Storm' of Mac Sales on the Horizon?
fkx writes to mention an eWeek article suggesting that, finally, the PC-using public is going to 'get' the Mac. According to the article, the new advertising, increased functionality of OSX, and Intel-based machines are all raising the profile of Apple's machines to new heights. From the article: "However, this cycle isn't your usual processor upgrade cycle that comes every time Intel or Advanced Micro Devices tweaks a process. This is a major shift that affects all parts of the Mac customer-developer-vendor ecology. Longtime Apple watchers can count two earlier events of similar magnitude. The first such transition occurred in March 1994 with the arrival of the PowerPC architecture. The Motorola 680x0 architecture that had served the Mac platform for a decade was quickly supplanted by a set of new, more powerful machines." -
MS Security Guru Leaves for Amazon.com
Rocky Mann writes "Jesper Johansson, a security guru for Microsoft, is leaving the company to join Amazon.com. Johansson served for some five years as a 'senior security strategist', and is considered one of the world's leading experts on how to protect installations of Windows." From the article: "Johansson is also an advocate for the use of safe-passwords techniques in the enterprise. At the height of the WMF zero-day attacks earlier in 2006, Johansson offered measured advice on the use of unofficial patches and he was constantly on the move, traveling around the world to help customers figure out how to use Microsoft's products securely." -
Best Brands, Innovative Products
conq writes "BusinessWeek just came out with its best global brands list. The list is quite similar to last year's with Coke topping it. The brand with the highest growth year over year: Google. The comment: 'Its recent inclusion as a verb in the Oxford English Dictionary confirms what competitors feared: Google means search to an army of Web users.'" I thought this tied in nicely to tappytibbins' story. They write "eWEEK.com has posted a feature with their picks of the 25 most innovative PC products of the last 25 years. Their #1 pick is a bit uninspired: The IBM PC. Down at #8 is the Mac. And is Apache really more of an innovation than Linux?" From that article: "15 - Palm Pilot: With an almost Zen-like minimalism of both software and hardware complexity, the Palm Pilot was no more than users needed -- and exactly what many wanted." -
PowerPoint 0-Day Points to Corporate Espionage
Rakesgate writes "A second Trojan used in the latest zero-day attack against Microsoft Office contains characteristics that pinpoint corporate espionage as the main motive, according to virus hunters tracking the threat. This eWeek story walks through the attack, which uses a tainted 18-slide PowerPoint file, a Trojan dropper, 2 Trojans and a server in China that is used to communicate with compromised machines." From the article: "'Once this type of attack is out, it's very unusual for it to be limited to just one company. I think it's safe to assume that it's ongoing, especially since there is no patch for this vulnerability,' Huger added. Microsoft plans to issue a patch on August 8 for users of Microsoft PowerPoint 2000, Microsoft PowerPoint 2002 and Microsoft PowerPoint 2003. In the meantime, anti-virus experts are urging Microsoft Office users to be on the lookout for suspicious attachments, even those that appear to come from colleagues internally." -
Open Source Malware Search Engine
chr0.ot writes "Metasploit creator HD Moore has released an open-source search engine that finds live malware samples through Google queries. From the article: 'The new Malware Search project provides a Web interface that allows anyone to enter the name of a known virus or Trojan and find Google results for Web sites hosting malicious executables.' The tool then searches for actual malware signatures and uses the signature output from ClamAV to find the name of the malware. This is then used in conjunction with a PE signature matching method to form a Google query. Afterwards the malware can then be downloaded directly from Google." -
Mumbai Bombings Give Outsourcing Community Pause
theodp writes "eWeek reports that the big fear of offshore outsourcing customers has become a reality: a major bombing attack in an outsourcing hub. In the wake of the attack, companies are considering their resources and preparedness. Despite understandable fears, people on the ground don't seem to think these latest attacks will have a long-term effect on the growth of India's tech sector." From the article: "The terrorist attack in Mumbai--and conflict between Israel and Lebanon for that matter--raise a series of questions for companies sourcing technology globally. Do you know the disaster recovery plans of your offshore services provider? Are their plans integrated with yours? And how prepared are these providers? "