Slashdot Mirror

This program, which has been in place since 2003, has paid out a grand total of $250. All of it in one whopping check to the college mates of the Sasser programmer. Presumably they split it and bought some beer. The program manager must be quite proud of himself.

In related news, Microsoft is working with ICANN and others to prevent the registration of the domain this thing calls home to. It probably hasn't even occurred to them that the programmers ran their random name generator out a long way in advance, registered the domain in the name of some perfectly innocent third party long ago and that they're too late because launch day for downadup is tomorrow since they always kick these things off of the eve of a holiday weekend.

If you admin Windows desktops, I wouldn't invest too much in your plans for this weekend.

You could always read the English version in the UK edition... http://www.heise-online.co.uk/news/Report-claims-German-armed-forces-setting-up-cyberwar-unit--/112595 It's a pretty good translation

No need for bad translations. The article is available on english:
http://www.heise-online.co.uk/news/Report-claims-German-armed-forces-setting-
up-cyberwar-unit--/112595

No?

Yes.

as coreboot targets many bioses and platforms, i'd expect portability to become so much more important.
btw, i found an interview with coreboot developer at http://www.heise-online.co.uk/open/The-Open-Source-BIOS-is-Ten-An-interview-with-the-coreboot-developers--/features/112353/2. from there :

"The real accomplishment was to be able to write memory and other early initialization code in C. Which is much easier to write and maintain then assembler. Assembly code is fragile when you change it, especially when you don't have a stack. C is much more robust â" the code is easier to change without breaking everything. This makes coreboot easier to work on, to contribute to and to maintain."

The type of plans necessary to create a functioning implosion device are state-held secrets and have only been seen by a select few with Top Secret clearance.

That makes me feel safer then. The MOD are very good at data protection.

Those are tall orders for any engineer!

Or a totally awesome challenge....

You are overstating the case. In many instances one can make good guesses at how strongly overwritten it was. This works particularly well if the data being recovered is in some well understood format where one can look for markers. Say is there a sequence of 000s which act as a header? do we expect to see the sequence CR LF every so often?

http://www.heise-online.co.uk/security/Secure-deletion-a-single-overwrite-will-do-it--/news/112432

They concluded that, after a single overwrite of the data on a drive, whether it be an old 1-gigabyte disk or a current model (at the time of the study), the likelihood of still being able to reconstruct anything is practically zero. Well, OK, not quite: a single bit whose precise location is known can in fact be correctly reconstructed with 56 per cent probability (in one of the quoted examples). To recover a byte, however, correct head positioning would have to be precisely repeated eight times, and the probability of that is only 0.97 per cent. Recovering anything beyond a single byte is even less likely."

...big grain of salt needed.
While TNO has been in the far past a research *company* with a respected name, nowadays they are more and more on the hand of whoever it is that pays them to do a study.
When I saw this headline in Dutch papers, it clearly was that "more and more people are downloading without paying". Maybe somewhere in the appendix, it read that they would buy songs when downloading.

TNO was the same agency that approved our voting computers multiple times in a row - the same ones that are forbidden right now.
TNO also researched the chip used for the public transport system in The Netherlands, and approved its security multiple times.

Maybe even that won't get rid of the adware.
It will, if you do it right. That means
1) Don't try to "repair" the installation, format C: and do it really from scratch.
2) Don't install from a "recovery CD" from the hardware vendor, it might have the adware pre-installed. Use an unmodified Microsoft CD. Install from that.

Now you have a clean installation. To make it stay clean (not only from adware), do the following:
3) Before you connect to the internet again, install the latest service pack AND the post-SP4 hotfixes. Here a utility that collects all the updates into an offline update CD is helpful. I use the offline updater from heise, a German IT publishing house.
You can download the current version from http://www.heise.de/ct/projekte/offlineupdate/download/ctupdate50.zip
The UK site of heise has an article in English that explains the system (for an older version, but I think the principle still applies): http://www.heise-online.co.uk/security/Do-it-yourself-Service-Pack--/features/80682
4) It is usually a good idea to use something else than Internet Explorer for surfing ;-)

My mother used to say "If all of your friends told you to jumped off the blue Water bridge, you would?"
The law reads,

Any unauthorised access to third-party computers could be regarded as tampering with data, which is punishable under paragraph  303a of the German Penal Code. That paragraph threatens up to two years' imprisonment for unlawfully deleting, suppressing, making unusable or changing third-party data. Storm Worm botnet cracked wide open

one might argue that telling infected computers to access a different sever isn't accessing them, they are accessing your server, telling the infected computer to disinfect itself and possibly causing colatteral, isn't the same as actaully doing this youself; Of course IANAL, YMMV and don't try this at home.

is available on thier UK site: 25C3: Serious security vulnerabilities in DECT wireless telephony

http://www.heise-online.co.uk/security/

25C3: More light shed on "denial of service" vulnerabilities in TCP

25C3: Reliable exploits for Cisco routers

25C3: Cracks in the iPhone security architecture

English version of this article can be found here:
http://www.heise-online.co.uk/news/25C3-Serious-security-vulnerabilities-in-DECT-wireless-telephony--/112326

The article you quote contradicts your statement:

"While it is true that ext3 is more resistant to file fragmentation than FAT, and NTFS filesystems, nonetheless ext3 filesystems can and do get fragmented over time.[14] Consequently the successor to the ext3 filesystem, ext4, includes a filesystem defragmentation utility and support for extents (contiguous file regions)."

14: "We found heavily fragmented free areas on an intensively used IMAP server which stores all its emails in individual files - although more than 900 GB of the total disk space of 1.4 TB were still available." http://www.heise-online.co.uk/open/Tuning-the-Linux-file-system-Ext3--/features/110398/3

Firefox misses a fix for Firefox 2.0.0.19

No one's perfect. Congratulations to the MS IE team for getting a fix out for this 0day vulnerability fast. Firefox on the other hand... now I have to go and update again!

ext3 and a lot of modern filesystems do not need defraging.

http://www.heise-online.co.uk/open/Tuning-the-Linux-file-system-Ext3--/features/110398/3 This article explains how an Ext3 filesystem can be less fragmented than say NTFS but still need defraging under extreme conditions.

This is actually cool from the aspect that if they implement it well, they can bypass the entire poking holes in firewall's issue. Are you behind a really restrictive motel firewall? Doesn't matter.

Take a look at how Skype does it;
http://www.heise-online.co.uk/security/How-Skype-Co-get-round-firewalls--/features/82481

Basically they can bypass the firewall's restrictions on incoming connections by fooling the firewall into thinking it's already established a UDP connection to a computer for which it really hasn't.

This works because of the way firewall's handle UDP. Switching P2P to UDP would be excellent for those of us who don't like teared Internet speeds.

They already did prosecute him:
http://www.heise-online.co.uk/news/DDOS-attackers-appear-in-US-court--/111667

Btw.:
http://ago.bastart.eu.org/cgi-bin/index.cgi
http://de.netlog.com/MegaAgo

Blastwave...heh. Which Blastwave are you talking about?

Sorry, this is a bit of a sore point for me. At work, we have a Solaris 10 machine that powers about 30 SunRays for mathematicians. JDS is fine, but adding other programs is a pain. (Disclaimer coming up, so bear with me.)

• Blastwave: They just had the split. But before that there were problems. Upgrading CUPS broke printing; they'd moved around some Ghostscript filters. Upgrading Postfix broke Postfix, because they'd moved the config files to play nicer with zones, and their script that should've dropped everything in the right place didn't. These were stable versions, not the unstable.
• pkg-src: Great until you trip over something that won't compile and spend days trying to track down what it is -- say, 1 package in 20. Sounds like good odds? Try compiling Firefox or Kile, with dependencies stretching back to libc and the Dead Sea scrolls. I'm guessing they just aren't able to do as much testing on Solaris...and fair enough; the job of making umpty thousand packages compile on mumble different OS' is hard enough.
• compile from source: fine, unless it's obscure (say, some mathematical package) that assumes GNU tools all the way, or a Linux OS, and weird, obscure things break.
• download binaries: yes, if they've got 'em.

And now for the disclaimers: No, this isn't enterprise (which was your point; I was looking for a place to jump into this discussion, and the mention of Blastwave got me). Yes, a real sysadmin could compile all this from scratch without problem. Yes, this is an edge case on top of an edge case (desktops for mathematicians? How obscure!). Yes, ZFS and dtrace are seriously, jaw-droppingly awesome.

But this is my experience; so far, I simply have not done anything remotely enterprise. It's all been server + desktop in small shops. And for that environment, requirements are changing all the time. The mail server now needs to do spam filtering and DNS. Yes, they should be split up, but there isn't the budget. The new guy wants KDE on his machine instead of Gnome, or needs to try out a new library to see if it works.

And for these, it's not "set it and forget it"; we need new packages, or updates to the old ones, all the time. If all the heartache I described was a one-time thing, I'd do it and be done...but in this environment, it'll need to be done again in three months. That means a good package manager (hello, Debian!), or a good ports tree (*BSD), or an environment that everyone is familiar with (Linux, because it has just that much mindshare).

Bit of a rant, and less coherent than I'd like. But it's 6am, I haven't had my coffee yet, and my kid's about to wake up...so I'll have to leave it there.

The intel 945G chipset for Atom is fully documented and has quite good open source 3d drivers.

It sucks up 22W+ by itself though, and is very old. It's nothing compared to the VX800 or CN896.

The desktop 945 uses 22 W but the mobile 945GSE uses 4W: http://www.heise-online.co.uk/news/Intel-introduces-the-Atom-230-and-Atom-N270--/110855

> Nope, it's an entirely different company and patent. I'm guessing all the MP3 players already have licenses for the Fraunhofer patent - they usually do.

AFAIK there are multiple beneficiaries of MP3 licensing fees: I highlighted the German Fraunhofer Institute as just one of them.
To which patent are you referring ? I can not see one in the article.

I also just checked http://www.heise-online.co.uk/news/German-Customs-cracks-down-at-IFA--/111434 (English) and http://www.heise.de/newsticker/Zoll-auf-Beschlagnahmetour-Update--/meldung/115126 (German) and they suggest it is MPEG audio/ DVB-T related.

duplicity combined with ftplicity:

"Anyone storing data on an unfamiliar FTP server needs to encrypt and sign it to ensure reliable protection against prying eyes and external manipulation. duplicity is just the tool for this, and the ftplicity script from c't magazine makes working with it child's play."

http://www.heise-online.co.uk/security/Backups-on-non-trusted-FTP-servers--/features/79882
http://duplicity.nongnu.org/

Except sometimes, the box says AES and instead you get XOR. I'll take LUKS and dm-crypt over that any day of the week.

Earlier this year, there was news that someone was putting $100m into SCO: see http://www.vnunet.com/vnunet/news/2209808/sco-back-business Quote: "(SNCP) and unnamed Middle Eastern investors. The money will take the company out of bankruptcy protection and turn it into a private concern. "We saw a tremendous investment opportunity in SCO and its vast range of products and services, including many innovations ready, or soon to be ready, to be released into the marketplace," said Stephen Norris, managing partner at SNCP." Here's a pretty good summary if you haven't followed the story (but it doesn't mention the Bad News): http://www.heise-online.co.uk/features/SCO-vs-Linux-mixed-reactions-to-Novell-Unix-copyright-verdict--/110819

You're right with that tradeoff argument. But IMHO the severity of a local exploit is a few magnitudes lower than a (possible) overflow bug in this scan engine.

A bug in the file parser affects only local files, so an attacker has to find a way to get an infected file to your PC, too. Take this vulnerability from Symantec, for example. Exploiting it would involve a User actively downloading an infected RAR file to his PC, or at least exploiting another security hole in his browser to autodownload. That's several variables: a user has to have a buggy Symantec product *and* a buggy browser installed *and* you have to find a way for users to visit your infected website *or* you have make him want to download your file.

Now imagine a similar bug in that LinkScan scan engine and you'll have a disaster in spe. "Just" SEO a few infected sites into popular searches and a user doesn't even have to visit them. It's enough to visit the Google search and LinkScanner takes care for the infection all for himself by fetching and scanning all the links. This could infect thousands of AVG users before someone finds out.

If you have control over the email server you can configure one-time passwords.

It's a shame but most people seem completely unaware or what you're talking about and unable to read and comprhend what you've written.

1. The US can and does use the "border seach exemption" to grab laptops and keep the entire laptop or to image the disk and return them computer. You cannot defeat this because you don't have full constitution rights at the border, even if you are a US citizen.
LINK

2. The US can and does hold people in contempt of court for refusal to provide encryption keys.
LINK
Note: You *might* win the case here after a year sitting in jail, but that sounds like an empty win doesn't it?

Your problem calls either for stenography on which you would be willing to bet your freedom and your livelihood, or for a physical seperation of yourself from the data (such as VPN). I can see no other solution, but I'd be very interested if someone else who and actually understands the situation this guy is faced with and is aware of the law can.

I'm referring to an article linked to off the Linus releases 2.6.25 Kernel article on the front page of the site, today.

http://www.heise-online.co.uk/open/Kernel-log-Proprietary-Linux-drivers-stumble-and-spark-debate--/news/110234

Several great examples there.

It is very doubtful it is any good...

See this encrypted usb HARD drive:

http://www.heise-online.co.uk/security/Enclosed-but-not-encrypted--/features/110136/0

Some 128 bit encryption was involved, but not implemented a correct way, so it was easy to decrypt beacuse only a xor key was involved.

Use Heise Security Offline-Update to patch any installation of Windows XP with the latest service packs and security updates.

Why? Heise Offline-Update handles everything. It comes from a reputable company that makes money selling other security services; they have a strong incentive to do it right. To make the CD or DVD, it downloads all the patches from Microsoft's servers, and makes an .ISO file which you burn to a CD or DVD. To use Heise Offline-Update, you insert the CD or DVD, start the program, and let it run.

Shortcomings of Heise Offline-Update? 1) It does only security updates. 2) The web site is mostly in German, although there is an older English explanation.

Why not the others? 1) Autopatcher and others were much more amateurish. Autopatcher is now back with a scheme like Heise Offline-Update, but that is after months of experimentation. The volunteers at Autopatcher don't seem to have the resources necessary. See the Autopatcher downloads page which says "This page will be back very soon :)" (2008-02-12). Before, Autopatcher provided patches directly from their servers; Microsoft stopped that, due to security risks, it said. But Microsoft did not provide its own solution.

Problems with Slashdot: 1) Bad stories create bad discussions. Slashdot editors apparently don't know much about Microsoft Windows. Almost all Slashdot readers have to deal with Windows, even if only to help family and neighbors. Sloppy stories that have not been researched waste reader's time. 2) Lots of readers comment when they don't have much to say.

That said, Slashdot is by far the best web site I know for computer-oriented news.

Problems with Microsoft: What Microsoft offers is not complete, so volunteers try to help. In my opinion, Microsoft is often extremely adversarial toward its customers.

It has been more than 3 years since Microsoft issued a Service Pack for Windows XP; that has wasted the time of hundreds of thousands because Windows XP is so unstable and buggy and malware-prone that it often needs re-loading. Often malware replaces a system file, and the only way to recover is to re-load the operating system. Re-loading Windows XP preserves all the programs and settings; however, the latest Windows XP CD from Microsoft has only Windows XP Service Pack 2; there have been hundreds of megabytes of updates since then, making updating over a dial-up connection extremely slow.

Microsoft does have a system for updating, but the system requires the very expensive Windows Server 2003, which requires a network and at least one other computer. Obviously requiring all that creates problems in helping someone with his or her home computer, or with a cash register computer in a small store, for example.

More problems with Microsoft -- Windows Update often fails. Amazingly, Microsoft is unable to deliver an updating system that works reliably. I just worked on a friend's computer, for example, and running Windows Update gives a long numerical error message with no help for fixing the error.

There have been many, many different kinds of problems with Windows Update. See, for example, Microsoft's Windows Update Discussion Group.

I guess that millions of hours are lost every year because of Microsoft's sloppy programming. Bill Gates deserves his title, Chief of Grief, although soon the chair-throwing, bad-mouthing Steve Ballmer will be the Chief, apparently. (The

Reknowned IT publisher Heise is already offering an even better solution: c't Offline Update. Update W2K, XP, Vista, Office in English, French, German, Spanish, Italian and some 20 more languages by using Microsofts update catalog to download all chosen updates, then creates an ISO image per OS (CD-sized) or for everything (DVD needed). The included scripts allow for a fully automated install of all updates from the CD or DVD, even including any necessary intervening reboots.

c't Offline Update Project Download Page