Domain: mccarthy.vg
Stories and comments across the archive that link to mccarthy.vg.
Stories · 134
-
Internet Chess Club Security Defeated
Scott_F writes "Researchers at the University of Colorado at Boulder have been able to defeat the security mechanisms of the Internet Chess Club and can effectively play a zero-time match, as well as have complete control over the game. The paper is titled How to Cheat at Chess: A Security Analysis of the Internet Chess Club. If you're not familiar with the ICC, it is where many Grandmasters play regularly, with rumors of Bobby Fischer making an occasional appearance. It appears that the ICC has relied on security through obscurity, but we all know how poorly that works. Chess, anyone?" Update: 09/08 21:08 GMT by J : In totally unrelated chess news, I found today's commentary on Zermelo's Theorem interesting, both for the math of the game and the look at a mistaken echo chamber. -
Genesis Capsule Crashes; Chutes Blamed
Cyclotron_Boy writes "The Genesis probe (reported here) has crashed to the ground, near a road in the Utah desert. The stunt chopper pilots were not to blame, though. The drogue chute didn't open on re-entry. NASA TV is covering it currently. The choppers have landed near the probe, but no word yet as to the condition of the space dust." Many readers have also pointed to CNN's coverage. Update: 09/08 16:39 GMT by J : MSNBC has more coverage and a sad photo of the half-buried capsule: "The capsule broke open on impact. It was not yet clear whether the $260 million Genesis mission was ruined." -
Bikes Against Bush Creator Busted
An anonymous reader writes "Joshua Kinberg, creator of Bikes Against Bush, was arrested in NYC for vandalism while being interviewed by MSNBC. Kinberg's website describes his project as 'using a Wireless Internet-enabled bicycle outfitted with a custom-designed printing device, the Bikes Against Bush bicycle can print text messages sent from web users directly onto the streets of Manhattan in water-soluble chalk.' Both Wired and Popular Science have done stories on Kinberg's work." Update: 08/30 01:30 GMT by J : Mr. Kinberg has been released; he describes his arrest and brief stay behind bars on this MSNBC blog. -
Linux Apps On Solaris
querencia writes "Sun has announced that Solaris 10 will comply with the Linux Standard Base specification, thus allowing Linux apps to run unchanged on Solaris. This isn't emulation -- they claim that it is 'kernel-integrated and supported as an operating system feature.' While I appreciate the benefits of the Solaris OS, I've considered them on the losing end of the battle until now. Will the power of Linux apps put Solaris back into the running?" Update: 08/04 15:50 GMT by J : At OSCON, Sun reaffirmed that Solaris 10 will be open-sourced. They said it would be one of the OSI licenses, not sure which yet; that this was approved at the highest levels of the company; and (with the expected "we're just guessing" language), it could happen as soon as year's end. -
Corporate Servers Spreading IE Virus [Updated]
uncadonna writes "ZDNet is reporting that corporate web servers are infecting visitors' PCs. The combination of two unpatched IE security holes and hacked corporate websites is apparently distributing malware via several high-credibility sites. ZDNet says users have 'few options' other than alternative browsers or platforms." Update: 06/25 14:50 GMT by J : A reader points out Microsoft's What You Should Know page. Here's the short version for avoiding this Critical severity attack: you must install add-on software, and change multiple settings in multiple programs, thus causing "some Web sites to work improperly." By changing more settings, you can regain functionality for a particular site if "you trust that it is safe to use," which you have no way of knowing. Or try Firefox. Update: 06/25 19:30 GMT by J : Reuters reports the attack installs a keysniffer which can steal credit card numbers, passwords, and so on. The story offers safety tips, but fails to mention that, after patching the hole, many users will be infected without their knowledge. Shouldn't the "fix" include ceasing to type anything important into your computer until you purchase software which can detect and remove the Trojan? And will you be downloading that software with Mastercard or Visa? -
802.11b Memory Stick for CLIE
prostoalex writes "InfoSync talks about a new MemoryStick card with wireless 802.11b support. The launch date is Dec 1st, the price is $130." Update by J : It's for Palm OS 5 devices like the CLIE, and not made by Sony. -
Evolving the Social Network
arantius writes "An article on BottomQuark points to a new development: Here's a story about a new start-up Huminity, referred to as the technology of the year. The software they produce combines instant messaging, chat, and social networking. After burning through over $30k of personal funds, the team has now raised millions for their company. We've heard about Friendster recently, but somehow this seems more interesting." Jamie adds: Social networking was in the news recently because this patent apparently covers much of it. It was bought for $700K by the two underdogs and may be used to beat up on Friendster. Don't worry, the guy who wrote Slashdot's friend-of-friend code doesn't think we're affected :) -
Apple Forcing Panther Upgrade for Security Patch
The Raindog writes "I noticed over at Tech Report that Apple is apparently only offering its latest round of OS X security fixes to Panther users, leaving older versions of OS X out in the cold. " Update: 10/31 by J : But see the next day's story. -
What's Wacky with Google?
There are always going to be oddities with any big online service, but this one seems to be persisting. Join the discussion in trying to figure out a pattern. For maybe a week, Google has been returning zero results or "1-1 of about xxx,000" for common searches. One-word searches seem unaffected, but there are certain two-word combinations of common words like candle truck or speaker bracelet. Reversing the order can affect searches too: motorcycle candles vs. candles motorcycle. The strange thing is that usually the 1 or 2 results found are to commerce sites. Read the Search Basics, compare your notes to GoogleWhack's, have fun looking for patterns, but remember that Google always returns slightly different results for different IP numbers. (Update: 13:56 GMT by J : When I first posted this story it said the problems have been occurring "for several weeks at least" -- but it seems to be more like one week.)
-
Slashback: Blaster, Sabers, Canada
Slashback tonight brings you more on the recent cracking of GSM encryption, the odds of file sharers escaping industry scrutiny in Canada, the recently found (and stomped) OpenSSH bug, installation-time ads in Mandrake, and more. Read on below for the details.
Art of the Saber Jagaast writes "As a counterpoint to all the hype about the Star Wars kid, here's a Star Wars fan film that's actually very well done. Art of the Saber is 'a light saber fight sequence with the flavor of a Hong Kong martial arts action movie.' Well worth watching." Update by J : I've made torrents available.
Vote early, often, and reversibly. An anonymous reader writes "As a follow up to a previous story here on Slashdot on electronic voting, Excite has a story on the same subject with a bit more information including this amazing quote from Deborah Seiler, Diebold's West Coast sales representative: '"These activists don't understand what they're looking at," Seiler said.'"
GSM-crack paper online morcheeba writes "Copies of the GSM-crack paper described in last week's Slashdot article are now available online (PDF) thanks to John Young's Cryptome"
Mandrake ads...take 2 *no comment* writes "Apparently there has been some controversy over the ads in the upcoming Mandrake 9.2. I thought it was pretty cut & dried, but apparently Mandrake thought it was enough of a controversy to release a written statement about it. I wonder how many flames were posted in the slashdot forum using the download version of Opera."
Blaster Worm still alive and well on MIT campus fwc writes "MIT still has 900 network drops disabled due to the Blaster worm infection. Of particular interest is that MIT network security requires users to reformat their hard drive and re-install their operating system before they get back on the network. Sounds like a good excuse to reinstall something other than a Microsoft operating system."
A big AWOOOGAH for Canadian file sharers. Rumor writes in response to a recent story suggesting that Canadian users could swap files scot-free: "Listen, Canadians, don't go using your p2p apps and thinking you are immune from lawsuit, you are liable for copyright infringement if you share files on p2p apps.
To wit: a fellow law student and I have written an analysis of s. 80 of the Copyright Act and we've concluded that one can download music safely under the Private Copying provision, but no one can share or upload files without infringing on copyright.
In a nutshell, Private Copying allows anyone to make a copy of a song purely for their own use. As you probably know, when you share files and someone downloads from you, what actually happens is that their computer makes a request and your computer actually sends the file to them. Thus, you're copying for someone else's use and infringing. It doesn't matter if you didn't realize that's what happens, either... intent is not required for infringement.
The upside is that you can accept copies from other people (ie. download) all you want. Although there might be an issue of contributory infringement to worry about... I won't go into analyzing that, since so far the record companies are only suing uploaders.
The article can be found on greplaw.
I've recently confirmed this analysis with an IP law professor at my university, so I'm pretty damn sure of it. So, please, be aware of this danger. Downloading cool, uploading/sharing not. I guess the situation is still better than nothing."
Why not ask for your money back? zaaj writes "There are several articles out about a newly found/fixed (openssh.org) buffer management bug in OpenSSH and some derivatives. Cisco's Advisory only mentions DoS attacks against certain of their SSH-enabled devices, but ZDNet's article hints at rumors of long-existing root exploits. Regardless, RedHat's got their typical list of updated packages with the patch back-ported. A few other distros have info in the vendor section of Cert's advisory CA-2003-24"
-
Google Code Jam 2003 Announced
An anonymous reader says "O'Reilly Developer News is reporting details of the newest Google programming contest, Google Code Jam 2003. Prizes range from t-shirts to ten grand and you can use any programming language you want to solve the increasingly challenging problems." Update by J : ... as long as it's Java, C++, C# or VB.NET. -
U.S. Postal Service To Develop 'Intelligent Mail'
securitas writes "The President's Commission on the U.S. Postal Service's final report (PDF) has recommended that the USPS and the Department of Homeland Security develop sender identification technology for all U.S. mail. The commission said Intelligent Mail could bolster security and let consumers track the progress of all mail they send, which has been a top consumer demand in surveys. The report released July 31 reads, "Each piece of Intelligent Mail will carry a unique, machine-readable barcode (or other indicia) that will identify, at a minimum, the sender, the destination, and the class of mail... Intelligent Mail will allow the real-time tracking of individual mail pieces." Privacy advocates like the EFF and Center for Democracy & Technology are understandably concerned. The Final Recommendations are available in PDF format. More at Direct Marketers News and pro-privacy/civil liberties magazine Counterpunch." Jamie adds: This confuses me, because I read a news story in late 2001 which matter-of-factly explained that authorities would be contacting recipients of letters which went through a particular post office around the same time as an anthrax envelope. The implication, which I haven't seen any discussion of then or since, is that records are kept of every letter's travels through every post office. Anyone know anything about that? Update: mec does. -
Pentagon Lets You Bid on Terrorism?
Elysdir writes "DARPA is creating an idea futures market, the Policy Analysis Market, to try to predict events in the Middle East. See Bloomberg article for more info." Read this article. I mean it. This is amazing. Update: 07/29 14:45 GMT by J : The NYT story claims "The White House also altered the Web site so that the potential events ... that were visible earlier in the day ... could no longer be seen," but those example images are still being served: Jordanian overthrow, bidding on assassinations, cool graphics... Update: 07/29 16:44 GMT by M : Looks like the publicity was too much. -
Mitch Bainwol To Succeed Hilary Rosen As RIAA Head
bmarklein writes "The RIAA has announced that it has named Mitch Bainwol, former chief of staff to U.S. Senate Majority Leader Bill Frist, as chairman & CEO. He replaces Hilary Rosen, who left earlier this month. This confirms the speculation that the RIAA would appoint a well-connected Republican (Rosen was a Democrat)." Several readers have submitted links to CNET's coverage as well. Update: 07/29 12:30 GMT by J : Lobbyists wield incredible power nowadays, and Slate's report on why was enlightening. Here's part 1 and part 2. Includes lyrics to the rap recorded for Rosen's going-away party by some of the most powerful people in the world: "Who wants the job of Hilary Rosen? / How 'bout the dream team of Bono and Tauzin?" -
Apple Marketing Hypes New PowerMacs
Wacky_Wookie was only one of many who wrote in with a mention of Apple's "leak" of specifications for a new line of PowerMacs to be dubbed "G5", apparently running the new PowerPC 970 CPUs. No offense, but anyone who thinks it was a mistake or leak doesn't understand marketing. :) Update by J : In case those linked sites get taken down too, try MacNN. -
Spam Blackhole Lists Redux
tsu doh nimh writes "Are spam blackhole lists good, bad or indifferent? That appears to be the question they're tackling in this Washington Post story. It has some interesting back and forth between supporters of the lists and those who claim they condone censorship." J adds: Brad Templeton recently offered some comments on the most extreme pro-blacklist position. -
Old-school Nerdy Comics
savetz writes "20 years before User Friendly, Doctor Fun, and Dilbert, about the only place a geek could go for a fix of nerdy comic goodness was ... Radio Shack. Tandy Computer Whiz Kids was a comic book series that was distributed for free at Radio Shack stores. It featured overeager kids stopping bad guys with their TRS-80s and acoustic modems, sweetly naive information about computers, and constant shilling of Radio Shack products. They're now on the Web." Update: 04/19 03:44 GMT by J : We're having a bit of DB trouble tonight... bear with us. -
Are Rebates Scandalous?
theodp asks: "Motley Fool offers a dead-on take on the computer mail-in rebate fulfillment process--Once I receive your 'claim,' I will begin to 'process' it. Assuming that you filled out all the information correctly, and assuming nothing is missing, and assuming your claim doesn't get lost somehow, and if you call or write a few times to check on your claim's status, then I will mail your check within 10 to 12 weeks. Maybe. Or maybe it'll be four to six months. Or never." What are your thoughts on rebates, and have any of you noticed who, at least in the computing industry, is more trustworthy with rebates than others? Update by J : Here's the short version of the article. -
Sonnet Announces New Upgrade for Old Macs
Hrvat writes "In a somewhat surprising move, Sonnet Technology announced the release of a 1GHz G4 ZIF (Zero Insertion Force) upgrade for the old Beige G3s. Since the old G4 ZIF upgrades maxed out at 500 MHz (and they were compatible with Beige G3, Blue and White G3 and the PCI graphics G4), this is a huge jump. The upgrade is pricey, though ($700) and I am not sure that I am willing to dish out that kind of cash just for a processor upgrade." Update: 04/15 19:15 GMT by J : In related news, here's a review of three non-ZIF CPU upgrades, at Inside Mac Games. For what it's worth, last month I bought Sonnet's 1.2 GHz CPU for my AGP Power Mac, easy install, it's working fine so far. Mmmmmm, framerate. -
Blackboard Campus IDs: Security Thru Cease & Desist
On Saturday night, Virgil and Acidus, two young security researchers, were scheduled to give a talk at Interz0ne II on security flaws they'd found in a popular ID card system for universities. It's run by Blackboard, formerly by AT&T, and you may know it as OneCard, CampusWide, or BuzzCard. On Saturday, instead of the talk, attendees got to hear an Interz0ne official read the Cease and Desist letter sent by corporate lawyers. The DMCA, among other federal laws including the Economic Espionage Act, were given as the reasons for shutting down the talk (but -- update -- see the P.P.S. below). I spoke with Virgil this morning.
Virgil was there two years ago when Dmitri Sklyarov was arrested and led away in handcuffs at Def Con 9. He's not in handcuffs now, but in speaking to me, he had to stop and think about everything he said, and every third answer was "I really shouldn't talk about that."
The DMCA is largely to thank for that. Section 1201 states that no one "shall circumvent a technological measure that effectively controls access to a work," and that no one "shall... offer to the public... any technology" to do so. Blackboard Inc., whose card system is called the Blackboard Transaction System and known to end users under various names, uses a network of card readers and a central server, and they communicate over RS-485 and Internet Protocol -- using, or so they apparently claim, measures that effectively control access.
For the record, none of what I learned about the Blackboard technology was from him or Acidus after the restraining order was sent. I spoke to other people, who have not been served with a restraining order. Google has a less enlightening mirror of the slide titles from this weekend's PowerPoint presentation and a more enlightening mirror of Acidus's "CampusWide FAQ" from last July. And, most enlightening of all, this mirror has an updated version with details on what they figured out how to do and what their talk was going to be about (click "CampusWide" for the text description, the PowerPoint slides, and Acidus's timeline of the last year).
At many schools, Blackboard's system is the ID: you swipe your card for your meal plan at the cafeteria, to get into your dorm, maybe even to get your final exam.
A swipe at a vending machine will get you a soda -- a money transaction from your campus debit account. When you use a swipe to do laundry and make copies, money has to be involved. Blackboard even notes that they can set up a merchant network on- and off-campus: "a cashless, safe, and secure way to transact on and around campus while offering parents the assurance that their funds will be spent within a university-approved network." (Emphasis added. Maybe readers who go to schools that use such a system can expand on how that system is used.)
The kicker, of course, is that this network is not very secure, or at least Blackboard doesn't think it's as secure as... well, as lawyers. One anonymous Slashdot submitter wrote that: "The authentication system is so weak that [Virgil and Acidus] have been able to create a drop in replacement for the CampusWide network debit card readers used on coke machines on campus."
Virgil couldn't provide me any details about what he had learned about the system. Based on the mirrors, it looks like a man-in-the-middle replay attack -- which is a pretty simple attack, repeating messages sniffed over the RS-485 protocol, or even over IP -- can have effects like convincing a Coke machine to dispense free product. Or, it's claimed, the attacker can create a temporary card, with no name attached, and free money in its account. Hmmmmm.
Or, more ominously, someone else's identification might be sniffed, and then replayed from a security terminal. If a thief gained entrance to a building by sending the message "open the door, my name is John Doe," the real John Doe might be sorely inconvenienced the next morning.
So, if you're a student at a school that uses Blackboard, do you feel more secure now that the DMCA has tried to stop you from learning about its security flaws?
If you're a parent putting money into a Blackboard-based debit account, do you feel more confident of its safety now that this information is ostensibly hidden?
This card system has been installed on many campuses and its roots go back almost twenty years. My guess is that replacing the card-reading hardware would be necessary to improve the security of these devices. Obviously, Blackboard would be hard-pressed to replace thousands of hardware devices at all its locations, even if they'd started in late 2001 when Acidus claims he called to tell them of the flaws he'd found (and "was blown off").
So, assuming that's not possible -- is the DMCA a viable tool to ensure security?
P.S. Virgil tells me that he has a good lawyer. They are scheduled to argue on Thursday that the restraining order not be made permanent. Slashdot will keep you apprised of what happens in our Slashback stories... stay tuned.
P.P.S. Update: 04/15 02:30 GMT by J : Now online are the restraining order, which just lists the six things that Acidus and Virgil are not to do, and the more detailed Complaint. Now that these are available, as Declan McCullagh points out, it turns out the DMCA was only in the lawyers' threatening letter and not considered as part of the Complaint itself. I'm not sure why it would be included in the letter -- some of the language of the Georgia Computer Systems Protection Act is similar, and who knows, Section 1201 might be mentioned later on, as this case progresses. Maybe the lawyers are just keeping their options open. Meanwhile, I love this part of the Complaint:
"Mr. Hoffman openly acknowledges on his website that 'I am a hacker.' His website then defends the process of hacking. See Exhibit B."
-
Matrix Reloaded Trailer Released
phreak404 writes "The full theatrical trailer for The Matrix Reloaded was released today. It's in QuickTime, 1000px by 540px, and weighs in at about 100MB. Looks awesome and unlike the previous teasers, actually has some of the plot." As soon as someone puts up a BitTorrent we'll post it here. Update: 04/11 00:40 GMT by J : And here it is, http://f.scarywater.net/ (includes links to client download, stats, old torrents, fun stuff like that). -
Snag the Red Hat 9 ISOs, via Cash or BitTorrent
Red Hat Linux 9 is out, and as of today the ISOs are officially available to Red Hat Network subscribers ($60/yr). Or, as of right now, you can grab the same ISOs using BitTorrent. For those unfamiliar with this free/Free P2P download protocol, an introduction follows, written by ololiuhqui. Update: 03/31 23:45 GMT by J : After roughly four hours, BitTorrent has transferred over 500 full copies of all 3 ISOs, and a total of over 1.5 TB, at 170 Mbytes/sec. Thanks to the more than 3000 people who helped each other download the data, and especially to the more than 200 who got full copies and still have their clients open, to keep serving data to everyone else :)
Tectonic Rumblings
Every so often a new tool comes along that causes a shift from Bronze to Iron, that divides history into "before" and "after." The peer-to-peer world has certainly seen its share. Those who used 486s to encode and play MP3s remember it wasn't just abysmal modem speeds that kept people from casual trading, but the tiresome process of finding users and content; Napster freed us from that bondage, letting the computer do the heavy lifting and freeing people to do what they do best.
When the weaknesses began to show in Napster's overly centralized model, Gnutella stepped in with a distributed, decentralized network. Audiogalaxy gave us astounding variety (even the most obscure music could always be found sooner or later) and a rich sense of community that is still sorely missed. WinMX offered the ability to connect to multiple Napster-compatible networks; with the advent of multi-source downloading, Morpheus and similar programs allowed us to rise above the limitations of slow upstream (until it's hard now to find any P2P applications that don't use it); and EDonkey added the nice touch of being able to share files before they were done downloading.
So what's the next stage of P2P evolution?
Enter BitTorrent -- a "swarming, scatter and gather" file transfer protocol developed by Bram Cohen that's taking the net by storm. Even without a friendly, unified interface, BT's ability to scale in the face of overwhelming demand while minimizing the free rider problem ("leeching") has attracted a flood of new users. But as with any tool, understanding how and why it works will always make using it easier and more fun.
All technical references are taken from the BT server tutorial and the official documentation.
Let's Start with the Basics
BitTorrent is not a 'website' or a 'network', and strictly speaking is not even a program -- it's a protocol with a number of functional implementations.
Instead of jumping right into downloading, first we'll discuss how files are served. Most new BT users are familiar with going to a website and clicking on links to .torrent files, but this just provides a friendlier interface and isn't actually necessary. All you really need to serve is a public Internet machine. The "tracker" will "keep track" of who is connected and who has which pieces of the file(s) in question. Like any public Internet service, a static IP address and/or valid hostname will make it easier for people to connect to your tracker.
To start serving, you choose a file or directory to serve and run a program which generates a .torrent file. This contains a 'hash,' which serves as a checksum to ensure the file is the same on all systems, as well as the address of a tracker. A typical .torrent file is quite small, typically 5-50k in size.
The second step is to load the .torrent file into a BT client. The client asks you where to save the file, you point it at the existing and complete copy, it verifies that the file hash matches, says the download is done and sits there uploading when necessary until you cancel it.
Here's an animated graphic (.mng, currently viewable only in Mozilla) of a torrent transfer.
Getting Started
The official BT client is available for Win32, Mac OS X, as an unstable Debian package, and as Python source code.
Getting started is quite simple; the Windows installer asks no questions and provides no options, and the only behind-the-scenes addition is that Internet Explorer now launches BT when you click on links to .torrent files. (Mozilla users will need to edit Preferences, Navigator, Helper Applications and add the mime type "application/x-bittorrent", to be launched by the btdownloadprefetched executable.) You can also download .torrent files and load them locally without going through a website.
Once the .torrent has been invoked, the client will prompt you for a location to save the file to. The client then creates a file of the appropriate size containing all zeros, and connects to the tracker to get a starting list of some random subset of available peers (other users connected to the 'swarm'). BT then starts connecting to peers and downloading random chunks of the file, and begins uploading to other peers as soon as you have enough for it to bother.
Every time your client verifies another piece of the download, it tells the tracker it has a good copy of that piece. By directly utilizing each user's outgoing bandwidth, downloads can generally be completed very quickly while minimizing the load on the original server, in effect turning the dreaded "Slashdot Effect" against itself -- the more who want to download, the more there are to upload. Sooner or later (usually sooner), the download is done, and the client continues to upload pieces to other users.
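The two mechanisms the introduction leans on, the 'hash' stored in the .torrent file and the per-piece verification a client performs before it announces a piece as good, are small enough to show end to end. The following is an added example, not code from ololiuhqui's introduction or from the BitTorrent project: it builds a metainfo file for a constructed payload in the bencode format real .torrent files use (integers, byte strings, lists and key-sorted dictionaries), computes the SHA-1 of each piece and of the info dictionary, and then checks a "downloaded" buffer piece by piece, reporting which pieces a client would have to discard and re-fetch. The tracker URL is a placeholder, the 16-byte piece length is a toy value chosen so the sample splits into five pieces, and the payload is constructed for the demo.

```python
import hashlib

PIECE_LENGTH = 16  # toy size for the demo; real torrents use 256 KiB to a few MiB


def bencode(obj):
    """Serialise to bencode: i<n>e, <len>:<bytes>, l...e, d...e (keys sorted bytewise)."""
    if isinstance(obj, bool):
        raise TypeError("bencode has no boolean type")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = [(k.encode() if isinstance(k, str) else k, v) for k, v in obj.items()]
        items.sort(key=lambda kv: kv[0])
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError("cannot bencode %r" % type(obj))


def bdecode(data, pos=0):
    """Decode one bencoded value at pos; returns (value, next_pos). Raises on truncation."""
    c = data[pos:pos + 1]
    if c == b"i":
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":
        out, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            out.append(item)
        return out, pos + 1
    if c == b"d":
        out, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            out[key], pos = bdecode(data, pos)
        return out, pos + 1
    if c.isdigit():
        colon = data.index(b":", pos)
        length = int(data[pos:colon])
        start = colon + 1
        return data[start:start + length], start + length
    raise ValueError("malformed bencode at offset %d" % pos)


def make_metainfo(name, content, announce):
    """What a .torrent generator writes: tracker URL plus an info dict whose
    'pieces' field is the concatenated 20-byte SHA-1 of every piece."""
    pieces = b"".join(hashlib.sha1(content[i:i + PIECE_LENGTH]).digest()
                      for i in range(0, len(content), PIECE_LENGTH))
    return {"announce": announce,
            "info": {"name": name, "length": len(content),
                     "piece length": PIECE_LENGTH, "pieces": pieces}}


def info_hash(torrent_bytes):
    """SHA-1 of the bencoded info dict: the identifier peers and the tracker share."""
    meta, _ = bdecode(torrent_bytes)
    return hashlib.sha1(bencode(meta[b"info"])).hexdigest()


def verify_pieces(meta, received):
    """Return the indices of pieces whose SHA-1 does not match the metainfo.
    A client keeps only matching pieces and re-requests the rest, so a peer
    sending garbage (or a short transfer) cannot corrupt the saved file."""
    info = meta[b"info"]
    plen, hashes = info[b"piece length"], info[b"pieces"]
    if len(hashes) % 20:
        raise ValueError("pieces field is not a multiple of 20 bytes")
    bad = []
    for idx in range(len(hashes) // 20):
        chunk = received[idx * plen:(idx + 1) * plen]
        if hashlib.sha1(chunk).digest() != hashes[idx * 20:(idx + 1) * 20]:
            bad.append(idx)
    return bad


# Constructed sample payload and placeholder tracker URL (not real data).
ORIGINAL = b"Red Hat Linux 9 ISO stand-in: a constructed sample payload for this demo."
TORRENT = bencode(make_metainfo("sample.iso", ORIGINAL,
                                "http://tracker.example.invalid/announce"))


def corrupt(data, offset):
    """Flip one byte, simulating a peer that served a bad block."""
    buf = bytearray(data)
    buf[offset] ^= 0xFF
    return bytes(buf)


if __name__ == "__main__":
    meta, _ = bdecode(TORRENT)
    print("torrent size:", len(TORRENT), "bytes; info_hash:", info_hash(TORRENT))
    print("intact download, bad pieces:", verify_pieces(meta, ORIGINAL))
    print("one flipped byte, bad pieces:", verify_pieces(meta, corrupt(ORIGINAL, 40)))
    print("truncated download, bad pieces:", verify_pieces(meta, ORIGINAL[:50]))
```

Two details worth noticing: the hash that identifies a torrent is taken over the bencoded info dictionary, so the sorted-key rule in bencode is not cosmetic, and a file that is already complete on disk verifies the same way a download does, which is exactly why pointing a client at an existing copy makes it report "done" and start seeding.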
What's In It For Me?
Now your first instinct at this point might be to close the program, but you really ought to leave it open as long as possible afterward, to help seed the file into the network. But this is really a social and cultural issue which can't necessarily be addressed through technical measures; BT can enforce fairness during the transfer with its algorithms, but no software can force the user to keep the client open. Many tracker owners keep a close eye on such things, and will generally ban repeat offenders. In any event, "giving back" your bandwidth has never been easier, even for users behind firewalls or NAT (although as always, being able to avoid or go through these will make the transfers more efficient).
Alternative Clients and Other Tools
That said, there are perfectly valid reasons to want some control over the amount of bandwidth a P2P application uses, and an experimental, unofficial client (Win32, Python source) has been created to provide a friendly interface for this. BT will automatically adjust your download speed appropriately if you set a slower upload speed, but it's still an invaluable tool for some cable and DSL users whose downloads will choke and abort if they use too much upstream, or for anyone with limited upstream who wants to reserve some of it for other uses.
Currently, both the official and experimental GUI clients use a separate window for each transfer. BT++ (Win32, Python source) has made an initial attempt at combining all transfers into one window, as well as offering some other enhancements, but users report mixed results, with some saying "it works for me" and others that it's buggy to the point of unusable; still, it's one to keep an eye on. (Caveat: BT++ provides an option to automatically stop uploading when the download is completed. I believe this deliberately encourages people to do so even if there is no real need to do so, and would advise anyone using BT++ to refrain from using this option; it's unnecessary, detrimental to the BT networks, and may lead to your IP being banned as described above.)
TorrentSpy (Win32) is another useful tool that shows various statistics about your transfers, including which files of a multi-file torrent are complete. It's not meant to replace a downloading client, but to complement it.
I should add that the speed and time-to-completion numbers may not be wholly accurate, and will typically fluctuate wildly to some extent during a transfer. (After all, do you believe Windows when it tells you how long it will take to copy a file?) The "percentage completed" at least is accurate, and you may be able to get more accurate information using TorrentSpy. A new version of BT has just been released (3.2) and its reported changes include "more even and consistent download rates".
A Few Miscellaneous Points
It's quite possible to generate .torrents for files you want to serve and then advertise them on someone else's tracker. Since anyone can run a tracker, BT is more like IRC, Usenet or Direct Connect than something like Kazaa. Like Freenet, it works best if the content is highly in demand; it's also more effective on recently released stuff. One highly recommended website is Bstark. It doesn't provide .torrents for anyone to download, but functions as a "metatracker", that is, a tracker that keeps track of trackers. If you're a statistics geek, the graphs are a lot of fun, and even for the average user it's a simple way to check what files are most in demand and most in need of someone to serve them. This is even more effective when you combine it with an alternate means of communication such as IRC or email, making it easy for users to check supply and meet demand. The .torrent file can also be distributed by any means, be it a website, IRC channel, email attachments or perhaps carrier pigeon.
Conclusion
With the 'entertainment industry' finally focusing their attention on IRC, the cantankerous and difficult granddaddy of Internet file sharing, BitTorrent has found a niche and filled it admirably. The author understandably wishes to focus upon using BT in a legal manner. As with any new invention, "the street finds its own use for technology," and BitTorrent will undoubtedly continue to be rapidly adopted for both licit and illicit use.
Given the decentralized nature of BT networks and the rapid development of new tools, it's only a matter of time before someone writes a GUI wrapper for an IRC client, web browser and all-in-one BitTorrent interface. After all, Napster did it, as do most other mainstream P2P apps like Kazaa. Like Direct Connect with its 'hubs,' there will always be multiple BT servers available, and a unified interface would not only make it easier for users to find and download content, but free them to focus on forming the social and cultural networks that are also needed. A website typically uses far too much CPU and bandwidth to handle popular traffic, but a BT tracker uses minimal bandwidth by itself. Perhaps the next-generation clients will try to automatically locate trackers, or help the user find and serve older content as well as new releases.
The late great Audiogalaxy had many strengths, but one of its most fundamental was the sense of community it encouraged. BitTorrent wisely fills a narrow set of technical requirements, leaving a great deal to human need and will. The ad hoc arrangements and customs that have so far sprouted as expressions of the will to fill these needs are often chaotic and messy -- but that's human action for you.
-
Microsoft To Teach Undergrads About Secure Computing
gcondon writes "The Register is reporting that Microsoft is teaming up with the University of Leeds to teach students how to write secure code. Given the sheer number of programming errors that can lead to security vulnerabilities, it probably makes sense to learn from the company that has tried them all." UndercoverBrotha points out that University of Leeds is one of several venues: "Microsoft is planning to offer 11-week courses at Universities around the world." Update: 03/24 18:00 GMT by J : Another report worth reading is Writing Software Right, which requires a free but annoying registration at Technology Review. This regards automated methods of finding software errors (not security specifically). Sun's "Jackpot" is discussed, a lint that also "identifies general instances of good or bad programming."
And Microsoft's efforts in this field are explained as well -- the company "paid more than $60 million in 1999 to acquire Intrinsa, maker of a bug-finding tool called Prefix. The program, which sifts through huge swaths of code searching for patterns that match a defined list of common semantic errors, helped find thousands of mistakes in Windows and other Microsoft products." As a Microsoft QA person says, "Our challenge is to get our software to the point that people expect it to work instead of expecting it to fail."
-
Myth II Carbonized
novocastrian writes "As reported at PlayMyth, Myth II has been Carbonized and will be released to owners of the game on the 15th of March. The work was done entirely by dedicated followers of the game. The disappointing Myth III has also undergone a major overhaul and will soon be hosted on a popular player-based server." J adds: Myth II will not support hardware rendering in OS X. But as I recall, software rendering gave an almost-playable framerate even on my 604/250, so on modern machines it might not be bad. Myth I and II were great tactical combat games. I'm itching to play Mudpit again! -
Environmental Impact of the Ubiquitous Microchip
TimWeigel writes "The Japan Times is reporting the results of a study by the United Nations University on the environmental impact of microchip production. We've already seen the impact of disposal practices, but is the manufacturing more environmentally friendly? Turns out it ain't necessarily so - according to the study, producing and using a 32MB DRAM chip weighing 2 grams requires 32 kg of water, 1.6 kg of fossil fuels, 700 g of elemental gases, and 72 g of other chemicals, many of which are hazardous. I'm no environmentalist, but this looks like it might add up to more bad news when you consider that these things are cranked out by the millions each year." Update: 01/26 16:31 GMT by J : Yep, it's a dupe. -
Toner Cartridges new DMCA victim
anarkhos writes "Lexmark leads the curve by being the first to invoke the DMCA to prevent 3rd parties from making Lexmark-compatible toner cartridges." It's gonna get worse before it gets better. Update: 01/12 14:13 GMT by J : Yep, it's a dupe; see here and here for more info; for more on the DMCA, see our next story ;) -
All-New PowerBooks, Web Browser Featured at Macworld
Apple CEO Steve Jobs once again introduced new PowerBooks and new and upgraded software to a throng of adoring fans at the annual Macworld Expo San Francisco, including a new web browser, new versions of the "iLife" applications (iPhoto, iMovie, and iDVD), and presentation software (which Steve himself has been "beta testing" at every Macworld keynote since 2002). The PowerBook has been extended in two directions, with screens up to 17" and down to 12". Both feature a new material for the casing, aluminum (anodized, not painted), with AirPort antennas in the screen. The AirPort range of the PowerBook now equals the iBook. It will no longer boot into Mac OS, only into Mac OS X. The 17" model is 1440x900 resolution, 16:10 aspect ratio, G4/1GHz, SuperDrive, GeForce4 440 Go/64MB, and all the same ports, with the addition of line in and FireWire 800 (in addition to FireWire 400). It is less than 1" thin, and 6.8 lbs., and has fiber-optic lighting for the keyboard activated by ambient light sensors. It will be available next month for $3,300.
The 12" version is 4.6 lbs., and is smaller than the iBook in every dimension. It's 1024x768, G4/867, GeForce4 420 Go/32MB, and is AirPort-ready ($99 extra). It is $1,800 for a combo drive model, $2,000 for a SuperDrive model, and will be available in two weeks.
Both models sport the new AirPort Extreme (802.11g), which is 54Mbps, up from the 11Mbps of AirPort (802.11b). The base stations and clients are fully compatible with the old AirPort, handle 50 users, and support both wireless bridging (to extend the range by adding more stations) and can act as a USB printer server.
Jobs also introduced Safari, a new Mac OS X browser based on the KHTML rendering engine from KDE (and Apple will publish changes they've made to it). There's nothing especially great about it -- it's a web browser -- except that, unlike most other browsers, it is expected to be fast and work properly, as well as be fully integrated into Mac OS X. The web is a killer app, but pretty much all web browsers suck; Apple hopes to give us something that doesn't suck in Safari. It is a free download for the beta, starting today. This story was posted using Safari. W00p.
iPhoto 2 has been revamped, with iTunes integration (access to playlists, tracks, even searching) for slide shows; one-click enhance of photos; a retouch brush; archiving to CD/DVD; and more. iMovie 3 has added chapters, the "Ken Burns Effect" (panning through still images), and precise audio editing. iDVD 3 has added a ton of quite cool themes, which will look great the first few times you see them.
They are -- along with iTunes -- bundled with all new Macs beginning January 25 as "iLife". All but iDVD will be freely available online, contrary to previously published reports. The entire bundle of four apps will be available for retail purchase for $50.
For sale today at $99 is another new app, Keynote, which is the presentation software Jobs has been using for over a year for his own presentations. It includes all sorts of flashy features like textures and Quartz-powered 3D transitions, and can import and export PowerPoint, as well as export to PDF and QuickTime. It has an open file format (using XML).
Jobs also introduced Final Cut Express, a stripped-down version of Final Cut Pro, for $300, and noted other prominent third-party software recently released for Mac OS X: QuickBooks, Director, and DigiDesign Pro Tools (later this month). He noted that the number of native apps for Mac OS X jumped from 2,000 to 5,000 in 2002.
Meanwhile, the number of users of the OS went from 1.2 million to 5 million last year, and he expects the number to jump to 9 or 10 million in 2003.
Update: 01/07 19:37 GMT by Jamie (also posted with Safari): And thanks to the several Slashdot readers who pointed out a great but unannounced product: X11 (aka the X Windows System) for Mac OS X. It's in Public Beta right now. Great to see this, an Apple-supported X is greatly needed. I don't know why Jobs didn't at least mention this, it would have gotten quite the round of applause I'm sure.
-
Slashback: Salon, Privacy, Pricedrops
Slashback with more on Salon's struggle to balance ads and subscriptions, online retailers versus online bargain hunters, the not-at-all-secret government proposal to obtain "Total Information Awareness" (including information about you), and more. Circumventing the upsell, but not all of it. Responding to the recent post about cable service a la carte, alta writes "I got a response from Jane Black (who wrote the original article) and she said slashdot jumped the gun. You can not pick and choose which channel you want. You can just choose to get basic limited and premium without getting the 2 steps in between. Here's the actual piece of law:
"Buy-through of other tiers prohibited - A cable operator may not require the subscription to any tier other than the basic service tier required by paragraph (7) as a condition of access to video programming offered on a per channel or per program basis. A cable operator may not discriminate between subscribers to the basic service tier and other subscribers with regard to the rates charged for video programming offered on a per channel or per program basis.
Read it all here. Here's what Jane said:'But please make sure you understand the rule (Slashdot's headline was misleading indeed.) You can't just choose which channels you want. The new rule says that you can get basic (the network and cspan etc) plus HBO/Starz/Showtime *without* having to buy the standard package as well. If you want AMC, Lifetime, whatever, you still need to buy the whole package. Make sense?'
If you still need it, you can find more about the law here. Just type 543 in the "Section" field. The citation is: Section 623(b)(8) of the Communications Act of 1934, as amended. Found at volume 47 of the US Code Section 543(b)(8)" The Salon dilemma. A Slashdot post last week reported that Salon was in serious financial trouble, and had dropped its premium section and instituted giant ads. Salon has now moved to over-the-counter trading. "While we valued the prestige of a NASDAQ listing, this move to the OTC market should not affect our core business," says Salon's president and CEO in the story. Update: 11/26 00:42 GMT by J : One correction: Salon has not dropped its premium section.
Dole, or Hormel? MacAndrew writes "As briefly discussed in slashdot a few weeks ago, Senator-elect Elizabeth Dole has been sued by a constituent who received eight unsolicited emails from her. He claims $100 damages including "emotional distress for having received spam from someone who should know better." Salon has now published an article focusing on the critical political versus commercial speech aspect of the case. Courts have recognized political speech as the innermost circle of free speech protection, and groups such as the Electronic Frontier Foundation believe spam laws that interfere with it may be not just unwise but unconstitutional."
Surely, someone's wallet will end up fat. In reaction to the recent story about provisions of the DMCA being used to prevent the posting of post-Thanksgiving sales prices from large retailers, Brian McWilliams writes "I finished up my story about FatWallet after you posted that link on Slashdot. Might help explain some stuff."
Well, we thought this here panopticon would be a nice idea ... McLuhanesque writes "DARPA has posted the architecture for their Total Information Awareness Systems , the uber-database that purports to suck in every scrap of electronic information about everyone, mix in some Human ID at a Distance technology, among other stuff, and profile ... well, just about everyone. More of their proposed fun and games are listed here." And Declan McCullagh writes: "Just posted the transcript of the Pentagon news briefing (worth a read) on Politech. Note this is on the TIA program, not 'eDNA.'
$10,000 is nothing to sneeze at. The idea of buying code into the world of Free software (aka code Ransom, as mentioned on Slashdot a few days ago) is drawing interest. waxed writes "FreePepper is an effort to collect enough money to purchase the source code for the multiplatform text editor Pepper from its author, Maarten Hekkelman, who has ceased development of it and re-release it under a BSD-style license. Donations may be made via PayPal or cheque."
-
Senate Bill to Subsidize Anti-Censorware Research
Senators Wyden (D-Ore.) and Kyl (R-Ariz.) introduced the Global Internet Freedom Act earlier this month, setting aside $60 million over two years "to develop and deploy technologies to defeat Internet jamming and censorship." Of course they don't mean libraries and schools in this country -- they're talking about countries like China, as Kyl et al. explain in a National Review article a few days ago. I guess it wasn't confusing enough to (1) subsidize censorware and (2) criminalize researching it -- we also need to (3) subsidize researching it. How about forbidding American corporations from trading censorware goods or services to these "repressive governments," wouldn't that be a good start? Update: 10/30 03:37 GMT by J : Here's the Wired story from early this month on the version that was introduced in the House. (Sen. Wyden also teamed up last month with Sen. Cox (R-Calif.) on a little bitty resolution standing up for your fair use rights before the tank parade of the DMCA.)
-
No More Mac Tweaking?
netphilter writes "Apple is trying to "close the operating system to tweakers" according to this story on Wired. The addition of the BSD kernel and the command line left me thinking that they were trying to open the OS a bit more to tweakers, not close it. I'm not a Mac user, but I have been thinking about trying out OS X. However, if Apple is trying to CLOSE the OS (contrary to the impression that I had) then I'm not going to waste my time." Jamie adds: life may be harder for them, I guess, but many developers are still tweaking Mac OS X. -
No Pop-up Blocking in Netscape 7.0
jsled writes "C|Net /News.com article details how the forthcoming Netscape 7.0 will not include the nifty pop-up blocking sported in Mozilla, as AOL depends on pop-up ads for annoy^H^H^H^H^Hmarketing to their "valued" customers. The MozillaZine story and comments have a couple of extra, interesting points of detail: how to easily restore the functionality and how some sites get around the popup blocking." Update: 08/15 12:45 GMT by J : In related news, Doug Isenberg asks over on GigaLaw: Are Pop-Up Ads Illegal? The news publishers who say "yes" say that turning off graphics in your web browser should be illegal too. -
The Power of Palladium
phriedom writes "Salon has coverage of Palladium which gives first page coverage to the idea that Palladium is designed to kill open source software. My favorite part though is on page two, where the Microsoft apologist says that one's view of Palladium 'depends on what you believe Microsoft's long-term aims are. If you believe it's to stimulate commerce and stimulate security, it's a step in the right direction ...and if you're perhaps given to suspicions that Microsoft always makes decisions with the aim of frustrating competitors of the Windows empire rather than for the good of consumers, you might have a different view of the same architecture.'" Wired also has a story claiming under-the-hood exposure to Palladium, although it doesn't seem to have much information that hasn't come out already. Update by J : Steven Levy's Palladium story, which we linked to in an earlier article, has allegedly been pulled from MSNBC's website. Anyone know if there's a simple explanation of this? -
MacPlay Re-Releases Fallout
BrotherhoodOfSteel writes "Accelerate your Mac reports that MacPlay is re-releasing Fallout as part of their value series. This is the original (good) version and the new release will be Mac OS X-compatible. MacGamer has a preview. And since it's news, there must be a press release." Those who have played Fallout and Fallout 2 can vouch for the quality of narrative in this single-player RPG. Now if someone would port Fallout 2, life would be complete for Macintosh users. Update: 06/21 16:24 GMT by J : Here's Omnigroup's page on the Mac OS X port. -
Why (Most) Software is so Bad
Rivard was one of several to point out that MSNBC says software sucks. My opinion is that in software fields where the monetary gap between market-leader and second-place is large, we should expect bad software. Good design, good execution, good debugging all take time, but users can't see under the hood -- and wherever information is scarce or not readily traded among consumers, the free market bogs down. (Note what the article says about McAfee VirusScan.) So companies that don't plan on releasing a crummy 1.0 and fixing it later go under. That's just the way some markets work; if you're a coder or engineer who doesn't like that, find yourself a job in a niche without that monetary gap. Anyway, the really stunning thing is that, of all the media outlets, MSNBC points out that just one of Microsoft's poor design decisions has cost consumers $8.75 billion, and wonders why nobody has sued. Update: 06/18 14:10 GMT by J : Readers point out the story is a reprint from Technology Review (one of the few good magazines I get -- but this issue hasn't arrived yet :). Rivard continued his writeup with an interesting point of view, saying that while we all know software sucks, we just accept it:
"Even though 'plenty of reviewers, pundits, hackers and other outsiders' will point out problems, often intentionally left in the product, no one has brought a liability suit against the makers of the known-to-be-vitiated product -- because the software gestapo (the End User License Agreement) has been 'able to avoid product liability litigation partly because software licenses force customers into arbitration' of poorly designed pith.
"There is a light at the end of the tunnel, believe it or not, and it's Bill Gates. Microsoft suspended coding for two months to seminar on bugs and how to fix them. Gates told his employees he wanted to make 'reliable and secure' software Microsoft's 'highest priority.' If you don't buy Gates' ad-hocking promises of redemption there are other solutions, like creating a programming language that forces good code; going back to the days of intense peer-review, instead of relying on compilers; and intense planning, past the bungling paradigm of the bar napkin."
-
A Libel Suit May Establish E-Jurisdiction
BrianWCarver writes: "The NY Times (free registration blah blah...) is reporting that a libel suit may establish a precedent of allowing online publishers to be sued not in the jurisdiction where their servers reside, but in the jurisdiction of the complainant. A warden at a Virginia jail didn't like the way he was portrayed by several Connecticut-based online news outlets so he sued in his home state of Virginia. "If the district court decision stands, online publishers could be sued for defamation in any state or country that an online article is read." The article goes on to worry that this will cause publishers to self-censor their online publishing to avoid offending anyone in any jurisdiction, whatsoever, which if carried to its logical conclusion, means online publishing would simply cease." This may remind you of an earlier case in which an Australian businessman sued Dow Jones for libel. Update: 05/27 15:12 GMT by J : Jamie Love points out elsewhere that 60 countries, including the USA, are negotiating a treaty regarding Internet jurisdiction for libel and defamation. -
Will Flash Be Taken Off The Shelf?
bugninja writes "According to an article at News.com, Adobe wins 2.8M from Macromedia today for using some patented interface stuff in Flash. But this isn't the end, further legal battles could require that Flash be removed from Macromedia's list of "products for sale". We may not all be Flash lovers, but is it right to take a good product away from so many people who really do like it just because another company's product isn't taking over the market like they hoped it would?" Update: 05/03 13:29 GMT by J : Speaking of Flash, yesterday eEye discovered a very serious security hole in the version of Flash distributed with most copies of Windows. Go download the fixed release. -
Square and Disney Team Up for Kingdom Hearts
jaredcat writes "Ever wonder what would happen if the incredibly creative talents of Squaresoft and Disney got together? Well I never did, but that didn't seem to stop them. The first joint production of Square and Disney, Kingdom Hearts, was just released in Japan. It's an RPG with a Square CGI, a Square story, a Disney sense of humor, and Square and Disney characters. If the opening movie is any indication of what's to come when Kingdom Hearts becomes available in the US, it's going to be the best thing to hit the PS2 since, well, Final Fantasy X :)." Very positive review. Gotta admit, I'm intrigued. Update by J : Check out this review too, with a ton of screenshots, from the GIA: "By all rights [it] should be an awkward, conflated mess... instead, it's an epic piece of crossover fanfiction." -
Yahoo Knows Best, Resets Users' Marketing Prefs
Anonymous Coward writes "Yahoo is pulling a good one on everyone. As a matter of some changes on their system, they have kindly reset everyone's marketing preferences. So, when you signed into Yahoo for a Yahoo ID, you were given a chance to set what sort of notices you wanted yahoo advertisers to send to you, well, they just set EVERYTHING to Yes for you. The poster was kind enough to include instructions on how to turn these settings back. In related news, we've signed you all up for a /. newsletter! (I am so just kidding.) To change this...Go to your Account Information screen (for each and every ID you have) and about mid screen you will see "Edit Your Marketing Preferences" link. Click on it and set them back to the way you want them, otherwise get ready for *LOTS* of advertising spam type emails from Yahoo's advertisers. Note also at the bottom, that you will be marked YES for 'By US Mail' and 'By Phone' as well."
In additional Yahoo News, smagruder writes: "Starting today, I noticed that Yahoo! stopped forwarding my mail and when I go to setup/change the POP Access/Forwarding settings, they display a page for me to give them money to get my mail forwarding back. The issue: In their recent widely distributed press release, Yahoo! said that this all would start on April 24, NOT March 28!"
Update: 03/29 20:24 GMT by J : Yes, of course Yahoo is a TrustE customer. For a small fee, TrustE certifies: "You can edit your Yahoo! Account Information, including your marketing preferences, at any time." Isn't that great? I can edit my marketing preferences that I had no reason to know existed! Thanks, TrustE!
Update: 04/07 11:54 GMT by J : Nine days later, Yahoo notified me that these preferences existed:
From: Yahoo! <yahoo_privacy@reply.yahoo.com>
To: [me]
Subject: Message from Yahoo! about changes to our Privacy Policy and your Marketing Preferences[...]
In order to keep you up to date about our many new products
and services and how they might be of use to you, we have
created a new Marketing Preferences page http://subscribe.yahoo.com/showaccount
within the Account Information area. It is designed to make
it easier for you to manage the marketing communications
you receive from Yahoo! and ensure you get the latest
relevant information to meet your needs. We have reset your
marketing preferences and, unless you decide to change
these preferences, you may begin receiving marketing messages
from Yahoo! about ways to enhance your Yahoo! experience,
including special offers and new features. Your new marketing
preferences will not take effect until 60 days after the date
of this mailing so you have plenty of time to decide what you
want to receive and what you don't. To change your
preferences, go to the Marketing Preferences page. -
Mac OS X 3D File Browser
A user writes "A development team at the University of Illinois Champaign-Urbana has released a 3-dimensional file browser called 3DOSX as a test of the feasibility of the technology. This program uses OpenGL to render a file system as a series of floating 'platters' interconnected by semi-translucent beams of light." I tried this on my old PowerBook G3/400, first from the source and then from the disk image, and then realized I don't have the required OpenGL-accelerated video card. Doofus am I! Be not like me! (However, it does work, albeit very slowly, on a new iBook/600). J adds: Nice and fast on an old G4/500 with a Radeon. -
California Court: EULAs are Inapplicable in Some Cases
(outer-limits) writes "In a significant ruling in a California court, a judge has ruled the standard EULA licensing agreement to be invalid. This must be the biggest upset in software licensing ever. No more are we powerless End Users of software, having to agree to every restriction a software company makes (Expect an appeal on this, though)." Note that this is about the resale of bundled software, so it's not like EULAs are dead, but this ruling could have broad effects. Update: 02/12 03:45 GMT by J : Yeah, this is a repeat - sorry. -
Security Flaws May Be Microsoft's Undoing
tarpitt writes: "According to this article in the LA Times, repeated software flaws in Microsoft products has begun to raise concerns that they 'threaten the stability of a major piece of the world economy and to raise questions about Microsoft's future.' Flawed security is seen as a stumbling block to accepting Microsoft sponsored on-line services. It is also driving discussion about making software manufacturers liable for damages caused by flawed products." This piece in eWeek on troubles with XP's automatic updates is an interesting companion; releasing often doesn't seem to be enough. Update: 01/15 15:00 GMT by J : Bruce Schneier's January Crypto-Gram came out this morning, and is also topical: "Microsoft treats security vulnerabilities as public relations problems. Until that changes, expect more of this kind of nonsense..." -
X-Box Emulated (Not)
evilpaul13 submitted linkage to news about an X-Box Emulator. It requires a pretty high end video card and a DVD player, and doesn't yet support joysticks, but it does emulate 3 of the X-Box games (which is what, half the games available for the system yet? :) Today's PS2 Addiction: Tony Hawk 3. But I still am tempted to get an MSX-Box if only to handle my DOA addiction. UPDATE by HeUnique: Is this emulator a fake? According to these messages in the XBox Hacker web site, this is a fake one. Could someone actually try it? Update: 01/13 by J : The consensus in our comments is that this is a hoax, and the paranoid would do well to treat it as a trojan or virus. Sorry. -
Banning Violent Arcade Games Unconstitutional
zTTTz writes "The US District court ruled that it was not only unconstitutional to ban violent video games from public arcades, but also ruled that the city of Indianapolis pay $318,000 in legal fees to the video game industry. This will probably make other cities think twice about trying to censor video game content again." Update 17:45 GMT by J : We covered the Indianapolis story previously in July 2000, October 2000, and March 2001. Check out NCAC's open letter, too. We haven't bothered covering the recurring news of declining real-world violence (while video games just get more gruesome and explicit), mostly because it's the same story over and over. -
The Coming "Open Monopoly"
Ramsed writes: "On cnet Petr Hrebejk and Tim Boudreau wrote an article claiming that the current Microsoft Monopoly will be replaced by an 'Open Monopoly'; a monopoly of Open Source. They are explaining why big companies like IBM support this. In their view, it's inevitable this 'Open Monopoly' will win in the end, and that apart from the current monopolist, everyone will be better off, because of lower barriers for participation, software better targeted at its users and lower development costs. Profit should be made with support and consultancy." Update: 10/28 13:42 GMT by J : Little-known fact -- for important stories, slashdot sometimes runs duplicates to see who's still awake on a weekend. Nice work to those of you who caught it. See you next week. *sigh* -
Linux Kernel Bugs
Armin Herbert writes: "According to this mail from Rafal Wojtczuk and a German article on Heise Online, there's a new severe bug in all Linux kernels, from 2.2.0 up to 2.4.10, which allows users to become root on your system. Kernel 2.4.12 fixes this problem, and RedHat, Caldera and other distributors already supply patches for their kernels. See Bugtraq for more information." Important notes for anyone running a multi-user system. Update: 10/19 16:12 GMT by J : If I'm reading Nergal's writeup correctly, 2.4.10 is still vulnerable to the local DoS, but not to the local root exploit. Separate issues. And as pheared points out, there is one unverified report of a custom 2.4.12 being vulnerable as well; please try the exploit on your system and let us know what you find. This is a big one, you can expect the kiddies have already added this to their rootkits. Update your systems now! -
New (More) Annoying Microsoft Worm Hits Net
A new worm seems to be running rampant. Unlike Code Red, it attempts to hit boxes with many different exploits (including what looks like an attempt to exploit boxes still rooted by Code Red). It looks like each IP tries 16 attempts on its neighbors. There is also a new mail worm mailing WAV files or something with bits of what appears to be the registry... it may or may not be related. Got any words on this? Shut down those Windows boxes and stop opening attachments. And make that 21. Got another one while writing this story. All my hits are coming from 208.n.n.n (where I am). I'm sure it'll keep moving to nearby boxes. Update: 09/18 16:40 GMT by J : It now has a name: "Nimda." More info here, here, and here. Here are examples of the requests it's sending:
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../ ..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
While writing this story I was hit a total of 4 times, 16 GET attempts per attack. In only 4 minutes. Also of interest, my desktop has now been hit about 500 times today, all from 208.x.x.x IPs. This might be really bad. I still haven't read anything about this anywhere else, so you heard it here first ;)
Update: Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served... and due to a bug in IE5, it will automatically execute the file! Yay Internet Explorer!
-
HDCP Encryption Cracked, Details Unreleased Due To DMCA
Lord_Pall writes: "There's a very good article on SecurityFocus about a Dutch cryptographer. He apparently has cracked the HDCP video encryption standard, but won't release the research for fear of reprisals under the DMCA." Update: 08/15 06:10 PM by J : Meanwhile, see Keith Irwin's paper which has been released despite the DMCA. Update: 08/15 07:00 PM by J : And someone else points out this old thing. Everyone who hasn't written a paper on cracking HDCP raise your hand. -