Domain: microsoft.com
Stories and comments across the archive that link to microsoft.com.
Stories · 1,971
-
Ask Slashdot: Reviewing 3rd Party Libraries?
Carcass666 writes "It is usually good to use existing libraries, rather than reinventing the wheel, especially with open source. Unfortunately, sometimes we have to work with closed source implementations. Recently, we were diagnosing a .NET assembly and, after getting nowhere with the vendor, ran it through a decompiler. The code was a morass of SQL concatenation, sloppy type conversions, and various things that are generally thought of as insecure.
My question is: What are Slashdot readers' preferred tools for analyzing .NET and Java compiled libraries (not source code) for potential security vulnerabilities? Ideally, I would like to know if a library is a security liability before I code against it. For example, Microsoft used to have something called FxCop, but it hasn't been updated for current versions of the .NET framework." -
Ask Slashdot: Automatically Logging Non-Computerized Equipment Use?
First time accepted submitter Defenestrar writes "I've recently taken a job at a large state university where I manage the laboratories for a couple of departments. We have a good system to pro-rate costs for shared use of big ticket items, but don't have anything in place for small to medium expense pieces which don't require software control (i.e. AD user authentication logs). It is much more efficient to designate a common room for things like water purifiers and centrifuges, but log books have a history of poor compliance. Also, abuse or neglect of communal property has been an issue in the past (similar to the tragedy of the commons).
Do any of you know of good automatic systems to record user/group equipment usage which would allow for easy data processing down the line (i.e. I don't want to go through webcam archives). Systems which promote accountability and care are a bonus, but for safety reasons we don't want the room's door locked (i.e. no pin/badged access). Most of these systems also require continuous power — so electrical interlocks are not a good option either.
I call on you, my fellow Slashdotters, to do your best and get quickly sidetracked while still including the occasional gem in the comments." -
Book Review: Threat Modeling: Designing For Security
benrothke writes "When it comes to measuring and communicating threats, perhaps the most ineffective example in recent memory was the Homeland Security Advisory System, which was a color-coded terrorism threat advisory scale. The system was rushed into use and its output of colors was not clear or intuitive. What exactly was the difference between levels such as high, guarded and elevated? From a threat perspective, which color was more severe — yellow or orange? Former DHS chairman Janet Napolitano even admitted that the color-coded system presented 'little practical information' to the public. While the DHS has never really provided meaningful threat levels, in Threat Modeling: Designing for Security, author Adam Shostack has done a remarkable job in detailing an approach that is both achievable and functional. More importantly, he details a system where organizations can obtain meaningful and actionable information, rather than vague color charts." Read below for the rest of Ben's review.
Title: Threat Modeling: Designing for Security
Author: Adam Shostack
Pages: 624
Publisher: Wiley
Rating: 10/10
Reviewer: Ben Rothke
ISBN: 978-1118809990
Summary: Invaluable guide to create a formal threat modeling program
Rather than letting clueless Washington bureaucrats define threats, the book details a formal system in which you can understand and particularize the unique threats your organization faces.
In the introduction, Shostack sums up his approach in four questions:
1. What are you building?
2. What can go wrong with it once it's built?
3. What should you do about those things that can go wrong?
4. Did you do a decent job of analysis?
The remaining 600 densely packed pages provide the formal framework needed to get meaningful answers to those questions. The book sets a structure in which to model threats, be it in software, applications, systems or services, such as cloud computing.
While the term threat modeling may seem overly complex, the book notes that anyone can learn to threat model. Threat modeling is simply using models to find security problems. The book notes that using a model means abstracting away a lot of the details to provide a look at the bigger picture, rather than the specific item, or piece of software code.
An important point the book makes is that there is more than one way to model threats. People often place too much emphasis on the specifics of how to model, rather than focusing on what provides them the most benefit. Ultimately, the best model for your organization is the one that helps you determine what the main threats are. Finally, the point is not just to find the threats; the key is to address them and fix them.
The beauty of the book is that it focuses on gaining empirical data around threats for your organization, rather than simply taking an approach based on Gartner, USA Today or industry best practices.
While the author states a few times that threat modeling is not necessarily a complex endeavor, it nonetheless does take time. He writes that threat modeling requires involvement from many players from different departments in an organization to provide meaningful input. Without broad input, the threat model will be lacking, and the output will be incomplete.
For those organizations that are willing to put the time and effort into threat modeling, the benefits will be remarkable. At the outset, they will have confidence that they understand the threats their organization is facing, likely spend less on hardware and software, and will be better protected.
Chapter 18 quotes programmer Henry Spencer who observed that "those who do not understand Unix are condemned to reinvent it, poorly". Shostack writes that the same applies to threat modeling. The point he is making is that there are ways to fail at threat modeling. The first is simply not trying. The chapter then goes on into other approaches which can get in the way of an effective threat modeling program.
Why should you threat model for your IT and other technology environments? It should be self-evident from an architecture perspective. When an architect is designing an edifice, they first must understand their environment and requirements. A residence for a couple in Manhattan will be entirely different from the design for a residence for a family in Wyoming. But far too many IT architects take a monolithic approach to threats and that's precisely the point the book is attempting to obviate.
As noted, threat modeling is not overly complex. But even if it was indeed complex, it is far too important not to be done. The message of the book is that organizations need to stop chasing vague threats and industry notions of what threats are, and customize things so they deal with their threats.
For those that still think the topic is complex, the book references Elevation of Privilege (EoP), an easy way to get started threat modeling. EoP is a card game that developers, architects or security teams can play to easily understand the rudiments of threat modeling.
Risk modeling is so important that it must be seen as an essential part of a formal and mature information security program. Having firewalls, IDS, DLP and myriad other infosec appliances can be deceptive in thinking they provide protection. But if they are deployed in an organization that has not defined the threats these devices are expected to address, they only serve the purpose of giving an aura of infosec protection, and not real protection itself.
Amazon has over 800 Disney World guide books. Anyone who is going to invest their time and money to spend a few days at Disney World knows they have to do their research in order to get the most out of their visit.
There are only a handful of books on this topic and Threat Modeling: Designing for Security is perhaps the finest of them. No tourist would be so naïve to go to Disney World uninformed. And conversely, no one should go into the IT world without adequate threat information.
Threat modeling provides compelling benefits in the ability to make better information security decisions, better focus on often limited resources, all while designing a model to protect against current and future threats.
For those serious about the topic, Threat Modeling: Designing for Security will be one of the most rewarding information security books they could hope for.
Reviewed by Ben Rothke.
You can purchase Threat Modeling: Designing for Security from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page. -
IE Vulnerability Exposing Banking Logins, Spreading Rapidly
jfruh writes "A vulnerability in Internet Explorer 9 and 10 that allows attackers to target banking login info, first reported on February 13, is being exploited in the wild, and attacks are spreading rapidly. Sites compromised by the malware run the gamut from U.S. Veterans of Foreign Wars site, to a site frequented by French military contractors, to a Japanese dating site. Microsoft has released a 'fix-it tool' but not a regular patch." -
Complete Microsoft EMET Bypass Developed
msm1267 writes "Researchers at Bromium Labs are expected to announce today they have developed an exploit that bypasses all of the mitigations in Microsoft's Enhanced Mitigation Experience Toolkit (EMET). Principal security researcher Jared DeMott delivered a presentation at the Security BSides conference explaining how the company's researchers were able to bypass all of the memory protections offered within the free Windows toolkit. The work is significant given that Microsoft has been quick to urge customers to install and run EMET as a temporary mitigation against zero-day exploits targeting memory vulnerabilities in Windows or Internet Explorer. The exploit bypasses all of EMET's mitigations, unlike previous bypasses that were able to beat only certain aspects of the tool. Researchers took a real-world IE exploit and tweaked it until they had a complete bypass of EMET's ROP, heap spray, SEHOP, ASLR, and DEP mitigations." -
Satya Nadella Named Microsoft CEO
Nerval's Lobster writes "As widely expected after last week's rumors, Satya Nadella has been named the new CEO of Microsoft. Nadella is Microsoft's third CEO, after co-founder Bill Gates and Steve Ballmer. He's been with the company for more than twenty years, eventually becoming executive vice president of its Cloud and Enterprise division; Nadella and his team were responsible for the creation of 'Cloud OS,' the platform that powers Microsoft's large-scale cloud services such as SkyDrive, Azure, and Office 365. Under his guidance, Microsoft's revenue from cloud services has grown by several billion dollars over the past few years. In his email to employees, Nadella said that he was 'humbled' by his appointment, and that he had asked Bill Gates to act as a close adviser in the months and years ahead." He devoted much of the rest of the email "to explaining his philosophy of technology, and how that will ultimately influence his leadership. 'The opportunity ahead will require us to reimagine a lot of what we have done in the past for a mobile and cloud-first world, and do new things,' he added. 'We are the only ones who can harness the power of software and deliver it through devices and services that truly empower every individual and every organization.' A lot of tech companies would disagree with the assertion that Microsoft is the 'only' company capable of merging hardware and software into forms that businesses and consumers find appealing, but Nadella must do his best to reassert his company's position as a technology leader. Nadella indicated near the end of his email that he would follow through on the 'One Microsoft' strategy formulated under Ballmer, which includes a massive reorganization currently underway."
Reader rjmarvin notes that "Nadella will take over as CEO immediately, allowing Steve Ballmer to retire early," and reader SmartAboutThings says that "John Thompson, a lead independent director for the Board of Directors, will take over the role of Chairman of the Board of Directors that Gates held." -
K-12 CS Education Funding: Taxes, H-1B Fees, Donations?
theodp writes "Back in 2010, Bill Gates Sr. made the case for I-1098, an initiative for a WA state income tax that Gates argued was needed to address K-12 funding inequity, which he claimed was forcing businesses "to import technically-trained employees, while our own people are shut out of highly paid careers." Opposed by the deep-pocketed, high-tech studded Defeat 1098, the initiative was defeated. Four years later, some of the same high-tech leaders who records show funded Defeat 1098 — including Microsoft CEO Steve Ballmer ($425K), Microsoft General Counsel Brad Smith ($10K), Code.org founder Hadi Partovi ($10K), Amazon CEO Jeff Bezos ($100K), Microsoft Corporation ($75K) — have gotten behind groups like Mark Zuckerberg's FWD.us and Code.org, which are singing a similar Chicken Little tune, telling lawmakers that U.S. students will continue to be shut out of highly paid computer science careers without additional K-12 funding, and the U.S. will lose its competitive edge unless tech is permitted to import even more technically-trained employees. In a departure from Gates' income-tax based solution, Microsoft and Code.org argue that the-problem-is-the-solution, proposing that tech visa fees be used to fund K-12 CS programs. To 'accept that computer science classes are only available to the privileged few,' writes Code.org, 'seems un-American'. So, as some of the nation's biggest K-12 school systems turn to Code.org for CS education programs, should they expect the funding to come from taxes, H-1B tech visa fees, or the-kindness-of-wealthy-strangers philanthropy?" -
Microsoft Researchers Slash Skype Fraud By 68%
mask.of.sanity writes "Life could become more difficult for fraudsters on Skype thanks to new research by Microsoft boffins that promises to cut down on fake accounts across the platform. The research (PDF) combined information from diverse sources including a user's profile, activities, and social connections into a supervised machine learning environment that could automate the presently manual tasks of fraud detection. The results show the framework boosted fraud detection rates for particular account types by 68 per cent with a 5 per cent false positive rate." -
GNU Guile Scheme Gets a Register VM and CPS-Based IL
In late November, Andy Wingo pushed a new register VM to Guile's (the GNU implementation of the Scheme language) master branch. It brought a number of performance improvements, but led to a bit of a conceptual mismatch between the compiler's direct-style intermediate language and the virtual machine. Earlier this week Andy Wingo announced a new continuation-passing style intermediate language for Guile. From the article: "To recap, we switched from a stack machine to a register machine because, among other reasons, register machines can consume and produce named intermediate results in fewer instructions than stack machines, and that makes things faster. To take full advantage of this new capability, it is appropriate to switch at the same time from the direct-style intermediate language (IL) that we had to an IL that names all intermediate values. ... In Guile I chose a continuation-passing style language. ... Guile's CPS language is composed of terms, expressions, and continuations. It was heavily inspired by Andrew Kennedy's 'Compiling with Continuations, Continued' paper. ... The optimizations I have currently implemented for CPS are fairly basic. Contification was tricky. One thing I did recently was to make all non-tail $call nodes require $kreceive continuations; if, as in the common case, extra values were unused, that was reflected in an unused rest argument. This required a number of optimizations to clean up and remove the extra rest arguments for other kinds of source expressions: dead-code elimination, the typical beta/eta reduction, and some code generation changes." The article describes the CPS language provided by Guile and explains the reasons behind choosing CPS over SSA or A-Normal Form. The Guile manual contains draft documentation. The new VM and Intermediate Language will be released with Guile 2.2, which should be out later this year. -
4 Tips For Your New Laptop
Bennett Haselton writes with four big tips for anyone blessed by the holiday buying frenzy with a new laptop; in particular, these are tips to pass on to non-techie relatives and others who are unlikely to put (say) "Install a Free operating system" at the very top of the list. Here's Bennett's advice, in short: (1) If you don't want to pay for an anti-virus program, at least install a free one. (2) Save files to a folder that is automatically mirrored to the cloud, for effortless backups. (3) Create a non-administrator guest account, in case a friend needs to borrow the computer. (4) Be aware of your computer's System Restore option as a way of fixing mysterious problems that arose recently. Read on for the expanded version; worth keeping in mind before your next friends-and-family tech support call.
If you or a friend -- especially a non-techie friend -- received a laptop for Christmas, these are my favorite low-cost high-benefit tips that anyone can follow. They apply to any operating system, although I'm writing from a Windows-centric point of view. Yes, a lot of this will be obvious stuff to techies, but I've found that if a human asks a techie "I just got a new laptop, can you give me any advice?", the answer frequently will (a) not cover these crucial bases, and/or (b) include a lot of unhelpful stuff to impress the listener. The following is a baseline for what I think a useful answer should consist of. (And if you're the techie, you may want to walk the laptop owner through following these directions, since I'm not actually spelling out what icons you have to click on, etc.)
(1) If you don't want to pay for an anti-virus program, at least install a free one.
Your PC probably came with a trial version of an anti-virus program that will stop working after a month unless you upgrade to the paid version. Of course you can do that if you want. Especially if you ever think you might want phone tech support for your anti-virus software, I expect it's better for a product that you've paid money for.
On the other hand, I know people who thought that if they didn't want to pay for the upgrade to their PC's default anti-virus program, their only option was to let it expire and let their computer run unprotected. If you don't want to pay for a non-free program, install a free one -- Wikipedia has a list of 15 different free or freemium anti-virus products for Windows. PC Magazine gave their "Editor's Choice" award for best free Windows anti-virus to Malwarebytes Anti-Malware 1.70 in 2013 and AVG Anti-Virus Free in 2012, so either of those will work.
(Yes, I know you guys know this. But pass the word on to your Mom or kid brother with the new laptop.)
(2) Save files to a folder that is automatically mirrored to the cloud, for effortless backups.
The era in which everybody talks about backing up, but nobody actually does it, should have ended completely in 2013. Old-style backups, even the incredibly easy options, still mostly required you stop what you were doing for a minute, connect to a remote server or connect a piece of hardware to your computer, and twiddle your thumbs while waiting for some copy process to execute. So nobody bothered.
With cloud-mirrored folders, there's no excuse any more. I found out about Dropbox by asking a mailing list, "I would really like it if there were an online backup service that let me open and close files from a local folder so that there was no delay, but as soon as I made any changes, would automatically be queued to be backed up over the network to a remote host," and my listmates said, "That already exists." Windows 8 comes with the similar SkyDrive service already built in.
You can read a detailed comparison of Dropbox vs. SkyDrive vs. Google Drive, but the key point is to use one of them to mirror one of your local folders to the cloud, and get into the habit of saving stuff to that folder. Obviously this may not apply to you if you have something special going on (if you're creating large multimedia files that won't fit within the several-gigabyte limit imposed by these services, or if your privacy concerns are great enough that you don't want to back up files online), but it's good enough for most people. The horror stories about people saving months or years of writing, and then losing it all in a hard drive crash, should never happen to anyone again.
(3) Create a non-administrator guest account, in case a friend needs to borrow the computer.
Some of my friends and relatives have no problem telling people, "No, I don't care if you need to check the weather, you can't touch my computer!" But if you can't resist the urge to be helpful if someone needs to borrow your laptop for a few minutes, then eventually one of those people will mess it up somehow -- either by installing a game, or visiting a website that installed malware on your computer, or just changing a system setting that you can't figure out how to change back.
When the day comes when someone needs to borrow your computer, you may be too rushed or might not know how to create an unprivileged non-administrator account that they can log in under. So go ahead and do it when your computer is brand new, while the thought is still fresh in your mind. Then if people who borrow your computer sign in under that account, in almost all cases, nothing that they do while logged in should interfere with your user experience when you log them off and log back in as yourself.
That's not a completely secure solution to stop someone from accessing private files on your computer. (There are many pages describing how to boot up a Windows machine from a Linux CD, in order to access files on the computer -- they are usually described as "disaster recovery" options, but they can also be used to access files on a PC without the password.) However, it will stop most casual users from messing up your computer while they borrow it.
(4) Be aware of your computer's System Restore option as a way of fixing mysterious problems that arose recently.
I say "be aware" because, unlike the other three tips, this may not ever be something that you have to actually do. However, intermediate-level computer users just need to understand what it means: to restore your computer's settings and installed programs to a recently saved snapshot, while leaving your saved files untouched. This means if your computer has started acting funny in the last couple of days, you may be able to fix the problem by restoring to a snapshot that was saved before the problems started.
Intermediate users sometimes confuse this with either (a) restoring files from backup, or (b) doing a system recovery (which generally refers to restoring your computer to the state in which it left the factory). So if you're the techie doing the explaining, make sure they understand the difference. (A system recovery will often fix problems, too, but then of course you'll have to re-install all your software; a system restore is more convenient since it only undoes the most recent system changes.)
So these are the first four things I would tell people who were the recipient of a new laptop. What would you tell them?
-
Is a Super-Sized iPad the Future of Education?
theodp writes "Perhaps people are reading too much into Apple CEO Tim Cook's 'Big Plans' for 2014, but hopes are high that the New Year will bring a biggie-sized iPad. Over at Forbes, Anthony Wing Kosner asks, Will The Large Screen iPad Pro Be Apple's First In A Line Of Desktop Touch Devices?. 'Rumors of a large [12.9"] iPad are many and constant,' notes ComputerWorld's Mike Elgan, 'but they make sense only if the tablet is a desktop for schools.' Elgan adds, 'Lots of schools are buying iPads for kids to use. But iPads don't make a lot of sense for education. For starters, their screens are too small for the kinds of interactive textbooks and apps that Apple wants the education market to create. They're also too small for collaborative work. iPads run mobile browsers, rather than full browsers, so kids can't use the full range of HTML5 sites.' Saying that 'Microsoft has fumbled the [post-PC] transition badly,' Elgan argues that 'the battle for the future of education is likely to be between whatever Google turns the Chromebook into against whatever Apple turns the iPad into.'" -
The Yin and Yang of Hour of Code & Immigration Reform
theodp writes "The weeklong Hour of Code kicks off tomorrow, with Mark Zuckerberg and Bill Gates doing their part to address a declared nationwide CS crisis by ostensibly teaching the nation's schoolchildren how to code. But a recent NY Times Op-Ed by economist Paul Collier criticizing Zuckerberg's FWD.us PAC as self-serving advocacy (echoing earlier criticism) serves as a reminder that Zuckerberg and Gates' Code.org and Hour of Code involvement is the Yin to their H-1B visa lobbying Yang. The two efforts have been inextricably linked together for Congress, if not for the public. And while Zuckerberg argues it's 'the right thing to do', Collier argues that there are also downsides to the tech giants' plans to shift more bright, young, enterprising people from the poorest countries to the richest. 'An open door for the talented would help Facebook's bottom line,' Collier concludes, 'but not the bottom billion.'" -
New Windows XP Zero-Day Under Attack
wiredmikey writes "A new Windows kernel zero-day vulnerability is being exploited in targeted attacks against Windows XP users. Microsoft confirmed the issue and published a security advisory to acknowledge the flaw after anti-malware vendor FireEye warned that the Windows bug is being used in conjunction with an Adobe Reader exploit to infect Windows machines with malware. Microsoft described the issue as an elevation of privilege vulnerability that allows an attacker to run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights." -
Microsoft Releases Browser-Based IDE, Visual Studio Online
rjmarvin writes "Microsoft today announced a web-based development environment for app creation to complement Visual Studio 2013, called Visual Studio Online. Microsoft Senior V.P. S. Somasegar says the new web-based IDE is designed for quick tasks related to building Windows Azure websites and services. Microsoft will be releasing the Visual Studio Online Application Insights service in a limited preview to show developers how to deploy and perform in conjunction with Visual Studio 2013's new features." -
Microsoft Warns of Zero-Day Attacks
wiredmikey writes "Microsoft released an advisory today warning users about a new zero-day under attack in targeted campaigns occurring in the Middle East and South Asia. According to Microsoft, the vulnerability resides in the Microsoft Graphics component and impacts certain versions of Windows, Microsoft Office and Lync. The problem exists in the way specially-crafted TIFF images are handled. To exploit the vulnerability, an attacker would have to convince a user to preview or open a specially-crafted email message, open a malicious file or browse malicious Web content. If exploited successfully, the vulnerability can be used to remotely execute code. The vulnerability affects Office 2003, 2007 and 2010 as well as Windows Server 2008 and Windows Vista. Right now, Microsoft Word documents are the current vector for attack." -
IE 11 Breaks Rendering For Google Products, and Outlook Too
An anonymous reader writes with this excerpt from The Register: "The Windows 8.1 rollout has hit more hurdles: the new version 11 of Internet Explorer that ships with the operating system does not render Google products well and is also making life difficult for users of Microsoft's own Outlook Web Access webmail product. The latter issue is well known: Microsoft popped out some advice about the fact that only the most basic interface to the webmail tool will work back in July. It seems not every sysadmin got the memo and implemented Redmond's preferred workarounds, but there are only scattered complaints out there, likely because few organisations have bothered implementing Windows 8.1 yet." Also from the article: "Numerous reports suggest that IE 11 users can once again enjoy access to all things Google if they un-tick the IE 11 option to 'Use Microsoft Compatibility lists.'" And here's Microsoft's KB workaround. -
Forrester Research Shows Steep Decline in Free Office Suite Stats
An anonymous reader writes that although many Linux users (and others) are at home with OpenOffice and LibreOffice, typical organizations are as addicted as ever to MS Office formats. In 2011, 13% of organizations had OpenOffice variants installed on some computers. Today that number has dipped to 5% according to Forrester Research. ... The poll included [shows totals] over 100% as many organizations have multiple versions of Office installed. Also surprising, Office 2003 is alive, kicking and screaming, as almost 1/3 of companies and governments still use it even though EOL for Office 2003 ends with XP on the same date! The good news is online cloud-based platforms are gaining traction with Google Docs and Office 365, which are not so tied to Windows on the client. -
Windows RT 8.1 Update Pulled From Windows Store
UnknowingFool writes "After reports of update problems including bricking of some devices, Microsoft has pulled the 8.1 update for RT from their store while they investigate. 'Microsoft is investigating a situation affecting a limited number of users updating their Windows RT devices to Windows RT 8.1. As a result, we have temporarily removed the Windows RT 8.1 update from the Windows Store. We are working to resolve the situation as quickly as possible and apologize for any inconvenience. We will provide updates as they become available.' While update problems are not new to software, could this be a consequence of Microsoft not releasing 8.1 RTM to developers? Developers may have experienced problems earlier and alerted Microsoft before it went live." -
Visual Studio 2013 Released
jones_supa writes "Final releases of Visual Studio 2013, .NET 4.5.1, and Team Foundation Server 2013 are now available. As part of the new release, the C++ engine implements variadic templates, delegating constructors, non-static data member initializers, uniform initialization, and 'using' aliases. The editor has seen new features, C++ improvements and performance optimizations. Support for Windows 8.1 has been enhanced and the new XAML UI Responsiveness tool and Profile Guided Optimization help to analyze responsiveness in Windows Store apps. Graphics debugging has been furthered to have better C++ AMP tools and a new remote debugger (x86, x64, ARM). As before, MSDN and DreamSpark subscribers can obtain the releases from the respective channels, and the Express edition is available at zero cost for all." -
Microsoft Hands Out $28k In IE11 Bug Bounty Program
hypnosec writes "Microsoft paid out over $28,000 in rewards under its first ever bug-bounty program that went on for a month during the preview release of Internet Explorer 11 (IE11). The preview bug bounty program started on June 26 and went on till July 26, with Microsoft revealing at the time that it would pay out a maximum of $11,000 for each IE 11 vulnerability that was reported. Microsoft paid out the $28k to a total of six researchers for reporting 15 different bugs. According to Microsoft's 'honor roll' page, they paid $9,400 to James Forshaw of Context Security for pointing out design level vulnerabilities in IE11 as well as four IE11 flaws. Independent researcher Masato Kinugawa was paid $2,200 for reporting two bugs. Jose Antonio Vazquez Gonzalez of Yenteasy Security Research walked off with $5,500 for reporting five bugs, while Google engineers Ivan Fratric and Fermin J. Serna were handed $1,100 and $500 respectively." -
Microsoft: We Offer Up User Data To Law Enforcement 2 Percent of the Time
Nerval's Lobster writes "In its second announcement of the kind, Microsoft revealed [Friday] that it received more than 37,000 requests for information on customers of its Skype, Azure and other services from law enforcement agencies around the world. The count does not include requests made using "National Security Letters" issued by the FBI or other U.S. federal agencies that have the force of a warrant or subpoena, albeit without the oversight or control provided by the courts that issue those sorts of orders. During the first six months of 2013, Microsoft received 37,196 requests that covered a total of 66,539 customer accounts. The company refused to provide any information in response to 21 percent of those requests. It provided "non-content data" in response to 77 percent of the requests – non-content data usually includes information such as names or basic subscriber information rather than information on the content of messages or other details describing online activity of those customers. In 2.19 percent of cases, however, Microsoft reports having provided "customer content data" – which includes the content of messages or data stored in accounts owned by Microsoft companies. Ninety-two percent of requests for customer content came from U.S. law-enforcement agencies." -
New IE Remote Code Execution Vulnerability Discovered
An anonymous reader writes "Microsoft is investigating a new remote code execution vulnerability in Internet Explorer and preparing a security update for all supported versions of its browser (IE6, IE7, IE8, IE9, IE10, and IE11). The company has issued a security advisory in the meantime because it has confirmed reports that the issue is being exploited in a 'limited number of targeted attacks' specifically directed at IE8 and IE9." -
Feynman Lectures on Physics Vol. 1 Released in HTML Format
Dr. Richard Feynman's lectures on physics have been iconic standards of physics education for the past five decades. Videos of the series were put online at Microsoft Research a few years ago, but now the entirety of Volume 1 is available over simple HTML (mirror). In a letter to members of the Feynman Lectures Forum, editor Mike Gottlieb said, "It was an idea conceived many years ago, when through FL website correspondence I became aware of the many eager young minds who could benefit from reading FLP, who want to read it, but for economic or other reasons have no access to it, while at the same time I was becoming aware of the growing popularity of horrid scanned copies of old editions of FLP circulating on file-sharing and torrent websites. A free high-quality online edition was my proposed solution to both problems. All concerned agreed on the potential pedagogical benefits, but also had to be convinced that book sales would not be harmed. The conversion from LaTeX to HTML was expensive: we raised considerable funds, but ran out before finishing Volumes II and III, so we are only posting Volume I initially. (I am working on finishing Volumes II and III myself, as time permits, and will start posting chapters in the not-too-distant future, if all goes as planned.)" -
Code For America: 'The Peace Corps For Geeks'
rjmarvin writes "Cities are taking coding to the streets through projects like Code for America and CityNext, working with governments on multiple levels to better serve constituents with mobile and cloud technologies. The 'Peace Corps for geeks' is using technology to make everyday life in cities run more smoothly, providing a way to 'connect technologists and designers with their government to solve important problems and reimagine how government could work.'" -
Ballmer To Retire
Today Microsoft announced that CEO Steve Ballmer will be retiring within the next 12 months. He said, "There is never a perfect time for this type of transition, but now is the right time. ... My original thoughts on timing would have had my retirement happen in the middle of our company’s transformation to a devices and services company. We need a CEO who will be here longer term for this new direction." Ballmer, 57, has been Microsoft's CEO since taking over the role from Bill Gates in January, 2000. The company's board of directors has formed a committee to find a replacement for Ballmer, and he will continue his duties until a new CEO is found. Questions about Ballmer's fitness to remain CEO have been circulating for the past several years, particularly after the company struggled to get a foothold in the mobile market. It will be interesting to see how this affects Microsoft's stock price. Upon retirement, Ballmer will be able to cash out hundreds of millions of dollars worth of Microsoft stock. -
Microsoft Will Squeeze Datacenters On Price of Windows Server
Nerval's Lobster writes "Microsoft plans to raise the price of the Datacenter edition of the upcoming R2 release of Windows Server 2012 by 28 percent, adding to what analysts call a record number of price increases for enterprise software products from Redmond. According to licensing data sheets available for download from the Windows Server 2012 R2 Website (PDF), the price of a single license of Windows Server 2012 R2 Datacenter will be $6,155, compared to $4,809 today—plus the cost of a Client Access License for every user or device connecting to the server. News of the increase was posted yesterday by datacenter virtualization and security specialist Aidan Finn, a six-time Microsoft MVP who works for Dublin-based value added reseller MicroWarehouse Ltd. and has done work for clients including Amdahl, Fujitsu and Barclays. The increase caps off a year filled with a record number of price increases for Microsoft enterprise software, according to a Tweet yesterday from Microsoft software licensing analyst Paul DeGroot of Pica Communications." -
MS: Windows Phone 8 Wi-Fi Vulnerable, Cannot Be Patched
Freshly Exhumed writes "Microsoft advises that a cryptographic problem in the PEAP-MS-CHAPv2 protocol used in Windows Phone 8 to provide WPA2 authentication allows a victim's encrypted domain credentials to be collected by an attacker posing as a typical WiFi access point. Redmond further states that this problem cannot be patched, although a set of manually entered configuration changes involving root certificates on all WP8 phones and on WiFi access points will apparently address the issue. WP7.8 phones are likewise vulnerable." -
Microsoft Expands MAPP, Shares Attack Data With Incident Responders
Trailrunner7 writes "Microsoft is expanding its MAPP program that shares attack and protection information with other security vendors and will now be sharing some data with incident responders, as well. The new system will enable organizations such as CERTs and internal IR teams to exchange information on specific attacks and general threats. Now, Microsoft is expanding and changing the MAPP program so that more people will have access to some of the data and the information will be available earlier. Until now, MAPP members get access to patch data 24 hours before the release. Microsoft will be giving that information to MAPP companies three business days before Patch Tuesday going forward. The new MAPP for Responders program is an extension of the existing system and is designed to allow incident response teams to share information among themselves and to benefit from the threat intelligence that Microsoft has, as well." -
New Office 2010 and SharePoint 2010 Service Packs Roll Out
jones_supa writes "While service packs are out of style for the Windows operating system, Microsoft has pushed out another service pack (SP2) for both Office 2010 and SharePoint 2010 products. According to the company, they provide key updates and fixes across servers, services and applications including security, stability, and performance enhancements and better compatibility with Windows 8, Internet Explorer 10, Office 2013, and SharePoint 2013. The updates are available through Windows Update and as separate downloads." -
Microsoft Has 1 Million Servers. So What?
itwbennett writes "The only thing that's noteworthy about Microsoft CEO Steve Ballmer's recent disclosure that the company has one million servers in its data centers is that he decided to disclose it — most of the industry giants like to keep that information to themselves, says ITworld's Nancy Gohring. But just for fun, Amazon Web Services engineer James Hamilton did the math: One million servers equals 15–30 data centers, a $4.25 billion capital expense, and power consumption of 2.6TWh annually, or the amount of power that would be used by 230,000 homes in the U.S. Whether this is high or low, good or bad is impossible to know without additional metrics." -
Microsoft Petitions US Attorney General For Permission To Disclose Data Requests
MojoKid writes "Microsoft is smarting in the wake of the Guardian's discussion of how chummy it's gotten with the NSA over the past few years, and the company wants permission to clarify its relationship with the federal government. To that end, the company has sent a follow-up letter (PDF) to the Attorney General's office, asking it to please address the petition it filed in court back on June 19. Redmond is undoubtedly cringing at the accolades being heaped on Yahoo and its repeated court battles on behalf of its users, and wants an opportunity to clear the air. But Microsoft has gone farther than simply asking the government to hurry up and rule on its petition — it has also issued a series of clarifying remarks regarding its relationship with the NSA. Microsoft refutes some of the Guardian's claims strongly. It insists it does not provide encryption keys or access to Outlook's encryption mechanisms, and that the government must petition MS to provide information via the legal process." -
Say What? Wading Through the Nonsense In Microsoft's Re-Org Memo
curtwoodward writes "Steve Ballmer's attempt to reorganize Microsoft into a more focused company will define his legacy as CEO. So you'd think the wordsmiths in Redmond would take a little time ensuring their message was crystal-clear, right? Not exactly. Ballmer's big, gung-ho memo to Microsofties, posted on the company's website, is chock full of nonsense and corporate executive doublespeak — or, as Ballmer might say, 'high-value experiences' that will 'involve repartitioning the work' and 'drive partners across our integrated strategy and its execution.' Huh?" Honest language in corporate communications is a rare quality. I suspect there's a special language-butchering training course that most C-level executives enthusiastically complete. -
Steve Ballmer Reorganizing Microsoft
Nerval's Lobster writes "Microsoft's big reorganization has begun. Rumors had persisted for weeks that Microsoft CEO Steve Ballmer was planning a massive, once-in-a-lifetime reorganization of the company he's been running for quite some time. Now the plan is out in the open, and things are going to change in huge ways. Microsoft will coalesce around 'a single strategy as one company,' CEO Steve Ballmer wrote in a really lengthy memo posted on Microsoft's Website, 'not a collection of division strategies.' The company's product portfolio — from Windows and Xbox to enterprise applications — will be regarded and operated upon in a holistic manner. Ballmer wants this 'one company' approach to extend how Microsoft handles its advertising, marketing and consumer-service operations. Ballmer also wants to knock down the walls that have slowly grown between Microsoft's various divisions, at least as far as engineering's concerned. The new 'engineering culture' will apparently facilitate collaboration 'across the company,' with an emphasis on cross-group contributions (and maintaining secrecy, of course, for the giant projects). Read on for much more on how Microsoft is reorganizing all its internal groups, as well as a rundown of who's in and who's out on the executive level." -
Critical Security Updates Coming To Windows XP, 8, RT & Server
SmartAboutThings writes "On the upcoming Patch Tuesday on July 9, Microsoft is going to bring some notable security updates that will mostly deal with fixing remote code execution vulnerabilities, which allow attackers to break in. The security updates will be applied to all Windows versions Microsoft is still supporting (from XP to Windows 8.1)." -
Microsoft To Shut Down TechNet Subscription Service
otaku244 writes "Since 1998, Microsoft TechNet has been a mainstay for all system developers attached to the Microsoft platform, given the ease of access to almost every product the company has produced. Unfortunately, the days of a cheap, unlimited Microsoft development stack are coming to an end." -
You Will Get DirectX 11.2 Only With Windows 8.1
SmartAboutThings writes "Microsoft has just announced the next version of DirectX, 11.2, on its website. But the real 'problem' is that it is going to be exclusive to Windows 8.1 and next generation consoles — Xbox One and PlayStation 4. This is not news, as DirectX 11.1 was exclusive to Windows 7 & 8. But is this going to help Microsoft convince people to upgrade, or will it make them angry?" -
Microsoft Patents "Cartoon Face Generation"
theodp writes "The latest round of patents granted by the USPTO included one for Cartoon Face Generation, an invention which Microsoft explains 'generates an attractive cartoon face or graphic of a user's facial image'. Microsoft adds, 'The style of cartoon face achieved resembles the likeness of the user more than cartoons generated by conventional vector-based cartooning techniques. The cartoon faces thus achieved provide an attractive facial appearance and thus have wide applicability in art, gaming, and messaging applications in which a pleasing degree of realism is desirable without exaggerated comedy or caricature.' A Microsoft Research Face SDK Beta is available. Hey, too bad Microsoft didn't have this technology when they generated Bob from Ralphie!" -
German Ministry of Education Throws Away PCs For 190,000 € Due To Infection
An anonymous reader writes "German IT magazine Heise reports (original in German) that the Ministry of Education in Schwerin had a Conficker virus infection on 170 machines, which was dealt with by simply throwing them in the trash. Other German authorities have now decided that 'the approach taken is not up to the principle of efficiency and economy' and that the 187,300 Euro invested in this radical form of virus removal were inappropriate. The ministry had earlier estimated the cost of cleaning their desktops and servers by more conventional means at 130,000 Euro." -
Foxconn Signs Massive Android Patent Agreement With Microsoft
Pikoro writes with news that Foxconn's parent company has entered into an agreement to pay Microsoft royalties for every Android device they manufacture, joining a rather long list of companies licensing patents for Android/Linux from Microsoft. From the BBC: "Microsoft has secured a patent deal with the world's biggest consumer electronics manufacturer to receive fees for devices powered by Google's Android and Chrome operating systems. Hon Hai — the parent company of Foxconn — said the deal would help prevent its clients being caught up in an ongoing intellectual property dispute. Microsoft says that Google's code makes use of innovations it owns. Google alleges its rival's claims are based on 'bogus patents.' 'The patents at issue cover a range of functionality embodied in Android devices that are essential to the user experience, including: natural ways of interacting with devices by tabbing through various screens to find the information they need; surfing the web more quickly, and interacting with documents and e-books.'" -
Microsoft Telling Users To Uninstall Bad Patch
msm1267 writes "Microsoft announced last night that it has stopped pushing a security update originally released on Patch Tuesday because the fix is causing some PCs to blue-screen. Microsoft recommends users uninstall the patch, which is also causing compatibility issues with some endpoint security software. MS13-036 was part of this week's Patch Tuesday update. It addressed three vulnerabilities in the Windows Kernel-Mode Driver, which if exploited could allow an attacker to elevate their privileges on a compromised machine. Users began reporting issues earlier this week with some systems failing to recover from restarts, or applications failing to load, after the patch was installed." -
Microsoft Mulling Smaller Windows 8 Tablets
Nerval's Lobster writes "Microsoft might want a piece of the mini-tablet market. The company has lowered the minimum screen resolution for Windows 8 tablets, from 1,366 x 768 pixels to 1024 x 768 pixels. "This doesn't imply that we're encouraging partners to regularly use a lower screen resolution," it wrote in an accompanying newsletter. "We understand that partners exploring designs for certain markets could find greater design flexibility helpful." As pointed out by ZDNet's Ed Bott—cited by other publications as the journalist who first noticed the altered guidelines—that lowered resolution "would allow manufacturers to introduce devices that are in line with the resolutions of the iPad Mini (1024 x 768) and the Kindle Fire and Google Nexus 7 (both 1280 x 800)." Whatever the contours of the smaller-tablet market, it's certainly popular enough to tantalize any potential competitor. But if Microsoft plunges in, it will face the same challenges that confronted it in the larger-tablet arena: lots of solid competitors, and not a whole lot of time to make a winning impression. There are also not-inconsiderable hardware challenges to overcome, including processor selection and engineering for optimal battery life." -
Microsoft Releases 2012 Law Enforcement Requests Report
wiredog writes "Microsoft has released a report of all the subpoenas and other requests it got from law enforcement in 2012, and the way it responded to them. This is similar to the Google Transparency Report." -
Code.org Documentary Serving Multiple Agendas?
theodp writes "'Someday, and that day may never come,' Don Corleone says famously in The Godfather, 'I'll call upon you to do a service for me.' Back in 2010, filmmaker Lesley Chilcott produced Waiting for 'Superman', a controversial documentary that analyzed the failures of the American public education system, and presented charter schools as a glimmer of hope, including the Bill & Melinda Gates Foundation-backed KIPP Los Angeles Prep. Gates himself was a 'Superman' cast member, lamenting how U.S. public schools are producing 'American Idiots' of no use to high tech firms like Microsoft, forcing them to 'go half-way around the world to recruit the engineers and programmers they needed.' So some found it strange that when Chilcott teamed up with Gates again three years later to make Code.org's documentary short What Most Schools Don't Teach, kids from KIPP Empower Academy were called upon to demonstrate that U.S. schoolchildren are still clueless about what computer programmers do. In a nice coincidence, the film went viral just as leaders of Google, Microsoft, and Facebook pressed President Obama and Congress on immigration reform, citing a dearth of U.S. programming talent. And speaking of coincidences, the lone teacher in the Code.org film (James, Teacher@Mount View Elementary), whose classroom was tapped by Code.org as a model for the nation's schools, is Seattle teacher Jamie Ewing, who took top honors in Microsoft's Partners in Learning (PiL) U.S. Forum last summer, earning him a spot on PiL's 'Team USA' and the chance to showcase his project at the Microsoft PiL Global Forum in Prague in November (82-page Conference Guide). Ironically, had Ewing stuck to teaching the kids Scratch programming, as he's shown doing in the Code.org documentary, Microsoft wouldn't have seen fit to send him to its blowout at 'absolutely amazingly beautiful' Prague Castle. 
Innovative teaching, at least according to Microsoft's rules, 'must include the use of one or more Microsoft technologies.' Fortunately, Ewing's project — described in his MSDN guest blog post — called for using PowerPoint and Skype. For the curious, here's Microsoft PiL's vision of what a classroom should be." -
HTML5 Storage Bug Can Fill Your Hard Drive
Dystopian Rebel writes "A Stanford comp-sci student has found a serious bug in Chromium, Safari, Opera, and MSIE. Feross Aboukhadijeh has demonstrated that these browsers allow unbounded local storage. 'The HTML5 Web Storage standard was developed to allow sites to store larger amounts of data (like 5-10 MB) than was previously allowed by cookies (like 4KB). ... The current limits are: 2.5 MB per origin in Google Chrome, 5 MB per origin in Mozilla Firefox and Opera, 10 MB per origin in Internet Explorer. However, what if we get clever and make lots of subdomains like 1.filldisk.com, 2.filldisk.com, 3.filldisk.com, and so on? Should each subdomain get 5MB of space? The standard says no. ... However, Chrome, Safari, and IE currently do not implement any such "affiliated site" storage limit.' Aboukhadijeh has logged the bug with Chromium and Apple, but couldn't do so for MSIE because 'the page is broken' (see http://connect.microsoft.com/IE). Oops. Firefox's implementation of HTML5 local storage is not vulnerable to this exploit." -
Nikon Buckles To Microsoft, Will Pay "Android Tax" For Smart Cameras
walterbyrd writes with news that Nikon is the latest company to agree to pay Microsoft for the privilege of using Android on its devices — as you might expect from Nikon, the devices in this case are cameras. (Microsoft's press release.) -
Everything You Know About Password-Stealing Is Wrong
isoloisti writes "An article by some Microsofties in the latest issue of Computing Now magazine claims we have got passwords all wrong. When money is stolen, consumers are reimbursed for stolen funds and it is money mules, not banks or retail customers, who end up with the loss. Stealing passwords is easy, but getting money out is very hard. Passwords are not the bottleneck in cyber-crime and replacing them with something stronger won't reduce losses. The article concludes that banks have no interest in shifting liability to consumers, and that the switch to financially-motivated cyber-crime is good news, not bad. Article is online at computer.org site (hard-to-read multipage format) or as PDF from Microsoft Research." -
IE Patch To Fix 57 Vulnerabilities
Billly Gates writes "Microsoft is advising users to stick with other browsers until Tuesday, when 57 patches for Internet Explorer 6, 7, 8, 9, and even 10 are scheduled. There is no word on whether this patch is to protect IE from the 50+ Java exploits that were patched last week or the new Adobe Flash vulnerabilities. Microsoft has more information here. In semi-related news, IE 10 is almost done for Windows 7 and has an IE10 blocker available for corporations. No word on whether IE 10 will be included as part of the 57 updates." -