Domain: netcraft.com
Stories and comments across the archive that link to netcraft.com.
Stories · 167
Google To Remove Public Key Pinning (PKP) Support In Chrome (bleepingcomputer.com)
An anonymous reader writes: Late yesterday afternoon, Google announced plans to deprecate and eventually remove PKP support from the Chromium open-source browser, which indirectly means from Chrome... According to Google engineer Chris Palmer, low adoption and technical difficulties are among the reasons why Google plans to remove the feature from Chrome.
"We would like to do this in Chrome 67, which is estimated to be released to Stable on 29 May 2018," Palmer says. The proposal is up in the air, and users can submit opinions against Google's intent to deprecate, but seeing how little PKP was adopted, it's most likely already out the door. A Neustar survey from March 2016 had PKP deployment at only 0.09% of all HTTPS sites. By August 2017, that needle had barely moved to 0.4% of all sites in the Alexa Top 1 Million. -
US Military Websites Still Relying On SHA-1 (netcraft.com)
An anonymous reader writes: Netcraft confirms many U.S. Department of Defense websites, including a remote access service used by the Missile Defense Agency, are more vulnerable to man-in-the-middle attacks than most consumer websites. The weaker-than-previously-thought SHA-1 algorithm is the main culprit, with the DoD today being the most prolific user of SHA-1 signed SSL certificates, even though NIST banned new use of this signature algorithm two years ago. Most of the vulnerable certificates to be issued recently are used by .mil websites, which are operated by agencies, services and divisions of the DoD. All of these sites are consequently vulnerable to attack by enemy governments and criminals who can stump up enough cash ($75,000) to crack the certificates. -
Make a Date With Fraud
Rambo Tribble (1273454) writes "Netcraft is reporting that criminals are mounting massive phishing attacks through online dating sites. The scams are numerous and target multiple sites. Actual methods range from blackmail to 419-style scams. Characteristically, fraudsters hijack an existing account on one of the services, then use that as a portal to deliver a PHP script to compromise the site. 'The latest attacks make use of a phishing kit which contains hundreds of PHP scripts, configured to send stolen credentials to more than 300 distinct email addresses.' The BBC offers additional insights." -
Netcraft: Microsoft Closing In On Apache Web Server Lead
angry tapir sends this IDG report: "After almost two decades of trailing the market leader, Microsoft's Web server software is coming close to rivaling the dominance of the Apache Web server, according to the latest Netcraft survey of Internet infrastructure. May saw an additional 9 million sites using Microsoft Web server software, increasing the company's share of the Web by 0.37 percent. In the same period, Apache's market share fell by 0.18 percent, despite gaining an additional 4.3 million sites. Microsoft is now just 4.1 percentage points behind Apache, which, as the most popular Web server software on the Internet, now powers about 37.6 percent of all sites." -
Will Microsoft IIS Overtake Apache?
First time accepted submitter jcdr writes "February's 2014 Web Server Survey by Netcraft shows a massive increase [in the share of] Microsoft's web server since 2013. Microsoft's market share is now only 5.4 percentage points lower than Apache's, which is the closest it has ever been. If recent trends continue, Microsoft could overtake Apache within the next few months, ending Apache's 17+ year reign as the most common web server." -
Apache Web Server Share Falls Below 50 Percent For First Time Since 2009
darthcamaro writes "Apache has always dominated the web server landscape. But in August, its share has slipped below 50 percent for the first time in years. The winner isn't nginx either — it's Microsoft IIS that has picked up share. But don't worry, this isn't likely a repeat of the Netscape/IE battle of the late 90's, Apache is here to stay (right?)" The dip is mostly the result of GoDaddy switching to IIS from Apache. Which is to say GoDaddy hosts a whole lot of sites. -
Webmail and Online Banks Targeted By Phishing Proxies
An anonymous reader writes "Netcraft confirms a recent increase in the number of malicious proxy auto-config (PAC) scripts being used to sneakily route webmail and online banking traffic through rogue proxy servers. The scripts are designed to only proxy traffic destined for certain websites, while all other traffic is allowed to go direct. If the proxy can force the user to keep using HTTP instead of HTTPS, the fraudsters running these attacks can steal usernames, passwords, session cookies and other sensitive information from online banking sessions." -
StartSSL Suspends Services After Security Breach
An anonymous reader writes "StartSSL has suspended issuance of digital certificates and related services following a security breach on 15 June. A trademark of Eddy Nigg's StartCom, the StartSSL certificate authority is well known for offering free domain validated SSL certificates, but also sells organisation and extended validation certificates." -
Anonymous Now Attacking Corporate Fax Machines
An anonymous reader writes "Anonymous has claimed responsibility for distributed denial of service attacks against several anti-WikiLeaks websites this month. In a novel twist to the campaign, Mission Leakflood has started a new DDoS attack against fax numbers belonging to Amazon, MasterCard, Moneybookers, PayPal, Visa and Tableau Software. Some numbers have already stopped responding, and Twitter and PostFinance have since been added to the target list." -
MasterCard Hit By WikiLeaks Payback Attacks
An anonymous reader writes "MasterCard's website has been hit by a distributed denial of service attack. Netcraft describes how the attack uses a voluntary botnet of LOIC (low orbit ion cannon) users to swamp sites with traffic. PostFinance, the PayPal blog and Swedish prosecutors have been targeted previously." -
WikiLeaks Moves To Swiss Domain After DNS Takedown
An anonymous reader writes "Netcraft posted two reports on the movement of the WikiLeaks website today. First the site was taken down by EveryDNS, who terminated the DNS provision for wikileaks.org. A few hours later, WikiLeaks moved to a Swiss domain (wikileaks.ch). Netcraft suggests this move could be because the wikileaks.org domain was registered with a US company, which could be influenced by the US government. The new wikileaks.ch site is hosted in Sweden, but redirects all of its traffic to France. Strangely, WikiLeaks has chosen to use EveryDNS again for their new domain." This follows Amazon's removal of WikiLeaks from their cloud hosting, which has the EFF and others worrying about free speech on the net as various hosting providers receive political pressure to censor certain content. Amazon claims their decision wasn't influenced by a government inquiry, while Tableau Software freely admits that a public request from Senator Joe Lieberman prompted them to take down WikiLeaks data visualizations. -
How the Mozilla Sniffer Backdoor Was Discovered
An anonymous reader writes "Mozilla pulled one of their Firefox add-ons earlier this week for containing a backdoor which stole passwords from its users. Netcraft has taken a closer look at how the rogue extension worked, and how it was discovered by chance rather than through any code review process. Mozilla are working on a new security model to stop this kind of backdoor happening again." -
False Start For Cyber Security Challenge UK
An anonymous reader writes "Netcraft writes about an ironic 'false start' for the Cyber Security Challenge UK website. The new venture touts itself as 'a programme of national challenges, designed by experts, to identify and nurture the UK's future cyber security workforce.' Unfortunately, the website appears to be vulnerable to a basic cross-site scripting vulnerability which was easily found by some Twitter users." -
Online Banking Customers Migrating To Lynx
Jibbler writes "Following the recent Pwn2Own competition, in which Firefox, IE8 and Safari all fell quickly to exploits, Netcraft has observed a surge in popularity of the text-based Lynx browser. Netcraft points out that Lynx supports the latest cryptographic ciphers, and at least one online banking site has seen Lynx usage overtake that of Internet Explorer and Firefox. To boost Lynx's excellent security history, Netcraft has even developed a version of its anti-phishing toolbar for Lynx." -
The Chinese (Web Servers) Are Coming
Glyn Moody writes "The February 2009 Netcraft survey is not the usual 'Apache continues to trounce Microsoft IIS' story: there's a new entrant — from China. 'The majority of this month's growth is down to the appearance of 20 million Chinese sites served by QZHTTP. This web server is used by QQ to serve millions of Qzone sites beneath the qq.com domain.' What exactly is this QZHTTP, and what does it all mean for the world of Web servers?" -
Mozilla Outage On Firefox 3 Record Launch Day
Kolargol00 writes "An outage affected the Mozilla.com website on the day the organisation launched its Guinness World Record attempt for downloads of the new Firefox 3 browser. The mozilla.com site was unreachable from around the world, occasionally responding with the message, 'Http/1.1 Service Unavailable.'" Since they decided to run their day from 1pm to 1pm Eastern time, the download day is actually still going, so you can still get Firefox and be part of the record. -
Unexpected Slashdot Downtime
Netcraft confirmed it ... Slashdot was dying for several hours (along with SourceForge, which shares a corporate overlord and router). Some planned downtime from our provider apparently didn't come back up quite as planned. Sorry for the inconvenience. On the upside, we're moving to a new network and hardware soon, so the site should be much faster and more stable rsn. -
Phishing Group Caught Stealing From Other Phishers
An anonymous reader writes "Netcraft has written about a website offering free phishing kits with one ironic twist — they all contain backdoors to steal stolen credentials from the fraudsters that deploy them. Deliberately deceptive code inside the kits means that script kiddies are unlikely to realize that any captured credit card numbers also end up getting sent to the people who made the phishing kits. The same group was also responsible for another backdoored phishing kit used against Bank of America earlier this month." -
MS Drops Licensing Restrictions from Web Server 2008
Channel Guy writes "According to a report from CRN, Microsoft plans to allow users of the Web Server SKU in Windows Server 2008 to 'run any type of database software with no limit on the number of users, provided they deploy it as an Internet-facing front-end server.' The previous limit was 50 users. Microsoft's partners expect the changes to go a long way toward making Windows Web Server 2008 more competitive with the LAMP stack, against which Microsoft has been making headway in recent months." -
Netcraft Says IIS Gaining on Apache
benjymouse quotes this month's netcraft survey "In the August 2007 survey we received responses from 127,961,479 sites, an increase of 2.3 million sites from last month. Microsoft continues to increase its web server market share, adding 2.6 million sites this month as Apache loses 991K hostnames. As a result, Windows improves its market share by 1.4% to 34.2%, while Apache slips by 1.7% to 48.4%. Microsoft's recent gains raise the prospect that Windows may soon challenge Apache's leadership position." -
850K RegisterFly Domains Moved To GoDaddy
miller60 writes "The long-suffering customers of RegisterFly should soon be able to manage their names again after ICANN arranged for the transfer of its 850,000 domains to GoDaddy.com. ICANN terminated RegisterFly's accreditation back in March but it took a court order to pry the domains loose so they could be transferred to another registrar. For those just joining the story (see earlier discussions on Slashdot), RegisterFly is the New Jersey domain registrar that collapsed amid management chaos in February, leaving most customers unable to manage, renew, or transfer their domains. ICANN, which was widely criticized for its inability to do more for RegisterFly customers, expressed relief at the saga's apparent conclusion." -
Netcraft Shows Smartech Running Ohio Election Servers
goombah99 writes "Netcraft is showing that an event happened in the Ohio 2004 election that is difficult to explain. The Secretary of State's website, which handles election reporting, normally is directed to an Ohio-based IP address hosted by the Ohio Supercomputer Center. On Nov. 3 2004, Netcraft shows the website pointing out of state to a server owned by Smartech Corp. According to the American Registry on Internet Numbers, Smartech's block of IP addresses 64.203.96.0 – 64.203.111.255 encompasses the entire range of addresses owned by the Republican National Committee. Smartech hosted the recently notorious gbw43.com domain used from the White House in apparent violation of the Presidential Records Act, from which thousands of White House emails vanished." Update: 04/25 01:24 GMT by KD: ePluribus Media published a piece called Ken Blackwell Outsources Ohio Election Results to GOP Internet Operatives, Again on election eve 2006, when a similar DNS switch to Smartech occurred. They have been investigating the larger story of IT on Capitol Hill and elsewhere for two years. -
ICANN May Act Against RegisterFly
1sockchuck writes "ICANN says it will terminate RegisterFly's accreditation as a domain registrar if the company can't fix its problems within 15 days. The edict comes with RegisterFly in chaos and current management blaming a departed executive for its woes. The situation is complicated by the fact that RegisterFly sold some of its domains through a reseller agreement with eNom, and others using its own accreditation." -
From Bess to Worse
Frequent Slashdot contributor Bennett Haselton writes "From about 1996 to 2003, there were regular reports listing examples of sites stupidly blocked by blocking software. The genre has tapered off recently, probably as a result of the Supreme Court ruling in 2003 that the Children's Internet Protection Act (CIPA) was constitutional, requiring blocking software in schools and libraries that receive federal funds, despite all the evidence of over-blocking presented at the trial. The last high-profile story about a site blocked by blocking software was about the blocking of BoingBoing almost a year ago. But the lack of recent reports on blocking software errors doesn't mean that the software has gotten better." The rest of his essay follows.
One product that generated several reports over the years was "Bess, the Internet Retriever" from N2H2, which has since been bought out by Secure Computing, which also makes a blocking program called SmartFilter (the one that blocked BoingBoing) and now sells "SmartFilter, Bess Edition" which uses the same database as Bess. Different organizations and individuals published a series of investigative reports about Bess from 1997 until 2002, listing sites about gay rights, eating disorders, and other subjects that were blocked as "pornography". In Ben Edelman's supplemental report, submitted as testimony in the CIPA trial, he listed examples of erroneously blocked sites that he had reported to N2H2 in his first expert report, and which were still being blocked five months later.
Since Bess represents a set of data points showing how the accuracy of a blocking program can change, or not change, over the years, recently I began testing it again. I didn't know whether to expect it to be better or worse. On the one hand, advances in technology and greater revenue to censorware companies could have caused the software to improve. On the other hand, the number of Web pages, and the rate at which dynamic sites like blogs change content every day, has exploded. The result? I'm still tabulating data, but it looks as if the accuracy rate is roughly the same as it was in 2000, when about 30% of blocked sites were obvious errors. Then and now, I found most of the errors by starting with a large list of URLs culled from search engines and other sources, and simply running them through the software to see what was blocked.
Here is a partial list of some of the questionable categorizations made by Bess; as of this writing, all of the following sites are listed as "Pornography" when you look them up on Secure Computing's Bess lookup form. (This is not just a fluke of the lookup tool; I tested against a copy of the software that all of these sites really were blocked.) The "screen cap" link next to each site links to a snapshot of the results taken from the lookup form (you can check on http://database.n2h2.com/ to see if the page is still returning the same results, although the more obvious errors will probably be fixed after this article is published):
- The Electronic Frontier Foundation, Austin chapter (screen cap)
- Cretans of Houston (screen cap). That's Cretans, as in "people from the island of Crete". Not to be confused with the Cretins of Houston, located here.
- The Rhode Island Coalition Against Domestic Violence (screen cap)
- The website of the public art galleries of British Columbia, Canada (screen cap)
- Rail2000, now the Bay Rail Alliance, a consumer group lobbying for a San Francisco regional rail system (screen cap)
- Rainbow Service Organization, a gay rights advocacy group (screen cap)
- GardenMentors.com, a custom gardening services company in Seattle (screen cap)
- A web site for Catalina 380 series boats (screen cap)
- Open Source ERP, a site promoting open source software for enterprise resource planning and customer relationship management (screen cap)
- The Bryn Mawr Mainliners, a barbershop harmony group (screen cap)
- Timber Trails, an outdoor recreation site (screen cap)
- The MEFTA Institute: "Middle East Free Trade Areas for Business Peace" -- world peace through cheap oil! (screen cap)
- Topple Rummy, a (somewhat out-of-date) site calling for the ouster of Donald Rumsfeld (screen cap)
- The Alabama Network of Children's Advocacy Centers (screen cap)
- PSARA, a non-profit organization for training cruise travel agents (screen cap)
- Park Place Behavioral Health Care, a non-profit mental health care agency (screen cap)
- The Oklahoma chapter of the American Institute of Building Design (screen cap)
- The Boys & Girls Clubs of Metropolitan Phoenix (screen cap)
- CEMTACH -- Computational ElectroMagnetics Theory-Algorithm-Code-Hardware. "Our goal is to develop systems simulations capabilities based on time-domain computational electromagnetics methods." Thanks for clearing that up. (screen cap)
- Fund for Humanity, a San Francisco non-profit supporting environmental organizations and organizations that assist the poor. (screen cap)
A long-standing point of contention while earlier reports about Bess were coming out was whether every site on their blacklist had been reviewed by a human before being blocked. In 1998 the CEO testified before Congress that "All sites that are blocked are reviewed by N2H2 staff before being added to the block lists." However, in their 2002 annual report the company finally admitted that not all sites were reviewed before being blocked: "Through automated categorization or human review, Web sites are identified as fitting into one or more of our categories". At one point an N2H2 employee also told me that when one site is blocked, they will often block all sites hosted on that machine or at that IP -- which of course means that those sites are also not reviewed before being blocked. In any case, it's possible to access some of these sites by IP address, such as the BC Art Galleries site via this link, or the Rhode Island Coalition Against Domestic Violence via this link -- so if they're not sharing their IP with other sites, that wouldn't explain how they got blocked either. SmartFilter spokesperson Tomo Foote-Lennox said that one other blocked URL that I found, http://www.arbiol.org/, was the result of an experiment N2H2 once did with fully automated website ratings.
Foote-Lennox added, "In general, we find that schools are VERY sensitive to under-blocking. They would rather block a whole lot of useful reference sites to avoid exposing one porn site." Probably true, although keep in mind we're talking about liability issues, not actual moral outrage. (If they were really morally outraged, they'd be trying to keep kids away from uncensored Internet access everywhere, not just in school! That is in fact the approach that schools take with things like drugs, which do inspire moral outrage because they really are harmful.) Perhaps what is needed is a law explicitly shielding schools from all liability for what students do or see on the Internet at school, if the faculty had no knowledge of it.
(Obligatory interstitial advertisement for common sense: I still don't see what the big deal is about porn anyway. Ask yourself: Why is it harmful to see a picture of a naked person, or even a picture of people having sex? And try to find an answer to that question that doesn't involve, "Lots of other people think so." That includes all variations like "Our society has determined...", "We as a people have decided...", which are just re-phrasings of "Lots of other people think so." I submit that if you disallow those variations of grownup-peer-pressure as an excuse, most people can't really come up with any reason at all.)
OK, flame-retardant suit off, lab coat back on. Previous reports have listed absurd examples of sites blocked by Bess, and looking at any one of those examples or the ones listed here, I'd say that in terms of public policy discussions -- specifically, whether a blocking software company should be trusted to decide what students can look at -- any one of these blocked sites would be more significant than, say, the blocking of BoingBoing which got so much attention. BoingBoing got blocked because of a non-sexual picture of a bare breast on the cover of one of the books they reviewed -- and in fact they were blocked only in the "nudity" category, which includes only "non-pornographic images of the bare human body". So the block on BoingBoing really only revealed that Secure Computing was a bit heavy-handed. (The real problem is that SmartFilter has the category for non-pornographic nudity blocked by default, even though the CIPA filtering law certainly doesn't require schools to block non-pornographic artistic images!) On the other hand, the fact that EFF Austin and the Rhode Island Coalition Against Domestic Violence are currently blocked as "Pornography", suggests that in many instances the blocking companies have nobody at the controls at all. To focus on stupid-but-not-completely-insane blocks like BoingBoing is letting them off easy.
So why did the laundry lists of blocked sites released over the years never become as widely known as BoingBoing, or the guffaw-inducing examples like "Beaver College", which had to change their name in part because of students reportedly being blocked from accessing their website? I think it's because the news favors a good "punch line" -- a fact that anybody can understand that makes us feel smarter than the computers making these dumb mistakes. "Oh, I get it, it was blocked because it was called Beaver College!" But the "punch line" anecdotes are precisely the ones that let the blocking companies off lightly, because it gives them a plausible-sounding excuse for making an error. On the other hand, when the Rhode Island Coalition Against Domestic Violence gets blocked as "Pornography", that could probably force the blocking company to answer some tough questions if it got more press, but there's no good punch line there, so the story just fizzles.
So, while I'm looking through the rest of the data, let me try and come up with some punch lines for reporters to make these blocked sites newsworthy. OK: Why was GardenMentor.com blocked? To keep kids away from all the dirty bitches and hoes! Get it? Ha ha! Why was the Catalina 380 yachting site blocked from kids? Because teens are too vulnerable to pier pressure! Hey, where are you going?
-
Firefox 2.0 Password Manager Bug Exposes Passwords
zbuffered writes, "Today, Mozilla made public bug #360493, which exposes Firefox's Password Manager on many public sites. The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user's site will be unhelpfully propagated with the visitor's Myspace.com credentials. It was first discovered in the wild by Netcraft on Oct. 27. As this proof-of-concept illustrates, because the username/password fields need not be visible on the page, your password can be stolen in an almost completely transparent fashion. Stopgap solutions include avoiding using Password Manager and the Master Password Timeout Firefox extension, which will at least cause a prompt before the fields are filled. However, in the original case detailed in the bug report, the phish mimicked the login.myspace.com site almost perfectly, causing many users to believe they needed to log in. A description of this new type of attack, dubbed the Reverse Cross-Site Request (RCSR) vulnerability, is available from the bug's original author." -
The Internet Now has Over 100 Million Web Sites
1sockchuck writes "There are now more than 100 million web sites on the Internet, according to Netcraft, whose monthly web server survey has reached 101.4 million sites. From the article: 'The 100 million site milestone caps an extraordinary year in which the Internet has already added 27.4 million sites, easily topping the previous full-year growth record of 17 million from 2005. The Internet has doubled in size since May 2004, when the survey hit 50 million.'" This is a far cry from the August 1995 results that just cleared 18,000. -
MySpace Accounts Compromised By Phishers
An anonymous reader writes, "Netcraft has discovered that the social networking site MySpace appears to have been compromised by phishers who have presented a spoof login form on the main site. This modified login form submits the victim's username and password to a remote server hosted in France." From the article: "The hackers have engineered a fake login form on MySpace's own web site. Netcraft has notified MySpace of the issue, although it currently remains live. Because the fraudulent login page is hosted on MySpace's own servers and does not exhibit any signs of external content, such as cross-site scripting or open redirects, it is convincing and even security-conscious users are at risk of becoming victims. The attack is launched from a profile page, where the username is login_home_index_html, and uses specially-crafted HTML in order to hide the genuine MySpace content from the page and instead display its own login form." This Washington Post story from a few months back explains what's in it for the phishers. -
cPanel Exploit Used to Circulate IE Exploit
miller60 writes "In a dangerous combination of unpatched exploits, hackers have used a previously undiscovered security hole in cPanel to hack the servers of a hosting company and use hundreds of hijacked sites to infect Internet Explorer users with malware using the unpatched VML exploit. cPanel, whose hosting automation software is used by many large hosting companies, has issued a fix. It's a local exploit, meaning the attacker must control a cPanel account on the target hosting provider." -
Can Banks Shift Phishing Losses to Customers?
1sockchuck writes to mention a Netcraft article wondering who should bear the brunt of phishing costs. A group of customers with the Bank of Ireland recently had $202,000 drained from their accounts by phishers. The bank initially resisted the request to refund their money, but allowed it after a suit was threatened. From the article: "The Bank of Ireland incident is one of the first public cases of a bank seeking to force phishing victims to accept financial responsibility for their losses, but it likely won't be the last. Phishing scams continue to proliferate, as Netcraft has blocked more than 100,000 URLs already in 2006, up from 41,000 in all of 2005. Financial institutions continue to cover most customer losses from unauthorized withdrawals. But after several years of intensive customer education efforts, the details of phishing cases are coming under closer scrutiny, and the effectiveness of anti-phishing efforts taken by both the customer and the bank are likely to become an issue in a larger number of cases." So, should a bank be forced to pay back a customer who has lost money to phishers? Or is it ultimately the customer's responsibility to make educated use of technology? -
Web Services and Open Source at OSCON
I spend a lot of time with my head buried in code, and every time I pick my head up it feels like the future is closer than I thought. So I like coming to OSCON. A week of looking ahead leaves me more confident I won't get future shock anytime soon. OSCON, like all conferences, is aimed at corporations, the intangible entities that send humans as their proxies. But open source has its roots in individuals working outside the corporation for their community of programmers. Are the two cultures coming together, or colliding? And how will the "open source ideal" evolve, as the chief social act of programming changes from trading disks of source code to processing each others' data and mashing up web APIs?
I'm an open-source programmer who's lucky enough to be paid by a corporation. Between sessions this week I'm working on turning Slash's metamoderation into a plugin, making Slash more useful for other site admins. I'm a human first and employee second. And I'm concerned about how the community based around this software ideal of not welding shut the car's hood is going to hold together.
Markets aren't designed for goods with zero cost of reproduction, but because property is such a powerful tool for efficiency and prosperity, societies have been artificially constructing markets for creative works since even before the founders wrote up their support for "science and the useful arts." Often, markets in ideas work pretty well.
There have been three societal "bow shocks" in the collision between programming and capitalism. The first hit in 1976 when Bill Gates insisted that charging for software made sense. The second was in the late 90s when open source proved better than corporate hierarchy at certain types of development. And then there's the one that's about to hit now, when web services and interoperability concerns obviate open source licenses.
There's a growing understanding here that web services are big: that the laptops and desktops of the future will rely not on software goods that have been bought for those machines, but software services that run on a server a thousand miles away. Google calls its Ajax web services "the world's largest platform."
Yesterday, Tim O'Reilly hosted a stimulating all-day series of panels and talks on web services and "Web 2.0" generally. The most interesting part of the discussion was about tying web services together. Web mashups are hot. It's hard to look at a list of websites offering an API -- Google Maps, Yahoo Geocoding, eBay, craigslist, Flickr, YouTube -- and not start thinking about great ways to combine them. Interoperability plus programming creativity equals... well, something pretty neat, we're hoping.
But a web services API doesn't necessarily offer the freedom that might seem analogous to open source, which is why Tim is also putting out the call for an "open services" definition. Flickr offers its corporate API to some sites, and refuses to permit it to others. Zooomr was judged to be too much of a potential competitor, so Zooomr users don't get to copy the photos they've uploaded to Flickr. [Update: Sorta. Read that comment thread to see important context for Flickr's decision. To be clear, given that context, Tim thinks Flickr found a good answer, and I tend to agree.]
As Flickr says, and they have a very good point, "why should we burn bandwidth and CPU cycles sending stuff directly to [a potential competitor's] server?" That makes sense from a corporate point of view, but a user who's uploaded a thousand of their photos might be puzzled why it's no longer exactly "their" data. Is that a right that user should have, or not? I ran into Julian Cash, who vehemently argues that it is; he's started MoveMyData.org to try to build a client-side way for users to route around APIs, to suck down "their" data and maybe reupload it to other sites. No code yet, but he's looking for volunteers.
AttentionTrust goes even further, starting off its manifesto with "you own your attention and can store it wherever you wish." That's something I hadn't considered before but it has an interesting ring to it. They have a Firefox extension I haven't tried yet (does it work? post comments).
Interoperability is a concern even without the web. Yesterday morning, Danese Cooper got a half-hour to grill Bill Hilf, Microsoft's General Manager of Platform Strategy, on Microsoft's relationship with open-source. Some think that's the same relationship as the butcher to the hog, and Bill's job is to persuade them Microsoft has no such intentions.
Asked directly, in the context of embrace-extend-extinguish and web APIs that can be crushed at any time, "why should we trust Microsoft?", Bill's answer was to look at the company's actions: "consistent action, over time, in the right direction."
I sat down with him afterwards to probe into this a little more (with someone from Waggener Edstrom standing nearby). He has some examples of Microsoft working with open-source projects like JBoss and SugarCRM, but I asked for specifics of how we know Microsoft isn't going to try to kill more-directly competing projects like Mono or OpenOffice by eliminating interoperability, possibly with patents, at any random time in the future. The only real sign I got was the Covenant Not to Sue (over patents) that came with the OpenXML format earlier this year. That's a step in the right direction. I don't think it's a terribly big one.
I asked if we'd see more steps from Microsoft disavowing patents as weapons against open-source projects. Obviously that's a big risk for a company to take, but one that's probably necessary to convince skeptics Microsoft is friendlier than the butcher. While Bill couldn't make any promises, he affirmed the CNS was "not a one-off... and not just to placate people." I'll keep an eye out for more action in the right direction.
Exciting as the opportunities are for different projects' software working together, one thing's for sure: the remote sites that run their algorithms and store your data leapfrog open source licensing. The server a thousand miles away can run software with its hood welded shut, with no obligations to the open-source community that come along with the benefits. Today, while some companies are trying to build goodwill with that community, there is nothing like a GPL for web services. No one's discovered a legal foundation that would establish open services, openly shared web services, with the same kinds of rights that we insist on in open-source code. No one's even sure what "open services" might mean, indeed, there's no consensus that we even need such a thing.
Even the FSF is unable to decide how v3 of the GPL should read. And I'm not smart enough to know if the GPL is even the right tool for this. Maybe tacking clever licensing terms on top of copyright's restriction is a temporary hack whose time has passed (you know, like the RIAA). Maybe the next hack to build a community of software sharing and tinkering will have to be totally different.
I don't think I know the answers but maybe one of you does. If you have thoughts about the open-source community in the age of capitalism, please post them to this story. If you're at OSCON and want to chat about it, email me (or AIM 'jamiekzoo' if you catch me online). At the end of the week, I'll have more updates on what's happening here -- it's not all philosophy and futurism.
-
PayPal Security Flaw Allows Identity Theft
miller60 writes "Phishing scammers are actively exploiting a security flaw in the PayPal web site to steal credit card numbers belonging to PayPal users. The scam tricks users into accessing a URL hosted on the genuine PayPal site, which presents a valid 256-bit SSL certificate confirming that the site belongs to PayPal. However, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique, and victims are redirected to a spoof site that requests their account details." -
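What makes this attack work is that the valid certificate vouches for the host, not for the content, so a reflected cross-site scripting flaw lets attacker markup ride on a genuine URL. The page gives no detail of PayPal's actual flaw, so the following is an added, generic example, not PayPal's code: a handler that echoes a query parameter into HTML unescaped, beside the same handler with output escaping, exercised with a constructed parameter that injects a meta refresh to a spoof host. The parameter name, template and hostnames are assumptions.

```python
"""Reflected XSS: the vulnerable pattern beside its fix.

Added example, not code from the original page or from PayPal. The page
echoes a 'name' query parameter; the vulnerable version trusts it, the
hardened version escapes it for an HTML text context.
"""
import html
from urllib.parse import parse_qs, urlencode

# Assumed page template; {name} is the reflected parameter.
TEMPLATE = "<html><body><p>Hello, {name}.</p></body></html>"


def _name_param(query_string):
    """Extract the 'name' parameter from a raw query string (empty if absent)."""
    return parse_qs(query_string).get("name", [""])[0]


def render_vulnerable(query_string):
    """Echo the parameter verbatim: attacker-supplied markup becomes live HTML."""
    return TEMPLATE.format(name=_name_param(query_string))


def render_hardened(query_string):
    """Same page, but every HTML-significant character is escaped first.

    html.escape covers an HTML text or quoted-attribute context only; a value
    placed inside a script block or an unquoted attribute needs its own encoder.
    """
    return TEMPLATE.format(name=html.escape(_name_param(query_string), quote=True))


def contains_active_markup(page):
    """Crude post-render check: any tag or handler that can redirect or run code?"""
    lowered = page.lower()
    markers = ("<script", "<meta http-equiv", "<iframe", "onerror=", "onload=")
    return any(marker in lowered for marker in markers)


# Constructed attack: a link on the genuine host whose parameter carries a
# meta refresh to a spoof login page. urlencode builds it the way a browser
# would send it, so parse_qs sees the raw markup after decoding.
SPOOF_URL = "http://spoof.example.net/login"
ATTACK_QUERY = urlencode(
    {"name": '<meta http-equiv="refresh" content="0;url=%s">' % SPOOF_URL}
)

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(ATTACK_QUERY))
    print("hardened:  ", render_hardened(ATTACK_QUERY))
```

The hardened output still contains the attacker's text, now as `&lt;meta ...&gt;`, which the browser displays rather than obeys; the lock icon and certificate are identical in both cases, which is why users cannot be expected to spot the difference.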
Apache down, IIS up
Doctor Memory writes "Netcraft's June 2006 web server survey is out, and it shows IIS taking a dramatic upturn, at the expense of Apache. One of the biggest reasons cited is domain registrar Go Daddy switching to IIS for the domains it "parks". The report does go on to note that IIS is also making solid gains in active sites (including some large blog hosts), and further notes that it appears that large hosting companies are dropping Linux." Statistics are fun to play with, of course, but note that Apache's market share is approximately 30% higher than IIS's at the moment. -
Apache Now the Leader in SSL Servers?
miller60 writes "Apache has overtaken Microsoft as the leading developer of secure web servers, according to Netcraft's monthly SSL survey. Apache now runs on 44.0% of secure web sites, compared to 43.8% for Microsoft. Apache's recent gains are attributed to the inclusion of mod_ssl in version 2, and strong growth of SSL-enabled sites in non-US markets where Apache has stronger market share." -
Perens Launches 'OpenSourceParking'
miller60 writes "Open source evangelist Bruce Perens has launched OpenSourceParking, a service designed to boost domain parking on open source software. The project is a response to a large gain by Microsoft in the April Netcraft survey, with Windows' share jumping 5 percent as domain registrar Go Daddy moved 4.5 million parked domains from Linux to Windows Server 2003. To regain that share, Perens is calling on open source users to park undeveloped domains at OpenSourceParking, with the advertising revenue being used to fund political advocacy efforts on behalf of open source software. Parking-for-profit has grown into a significant business in recent years. Despite ambivalence over the value of these sites, Perens appears to believe it merits a focused effort for the open source community." -
World of Warcraft Server Problems
vjmurphy writes "Connectivity to the massively-multiplayer online role-playing game World of Warcraft servers and web site appears to have had some difficulties over the past week. Their hosting is provided by AT&T." That includes my raid's dying twice in MC due to 4000 latency, and also a soft reset of MC. Good work, AT&T. -
DDoS on Domain Registrar
miller60 writes "Netcraft is reporting that 'domain registrar Joker.com says its nameservers have been hit with a massive DDoS attack, causing outages for customers. More than 550,000 domains are registered with Joker, meaning the outages could be widely felt. It's not clear why the DDoS is succeeding, as most registrars have implemented sturdy DDoS protection since the attack on the root nameserver system back in 2002.' Some security experts have warned in recent weeks about DNS recursion attacks as previously discussed here on Slashdot, which can amplify the power of attacks launched from botnets." -
Hacked Chinese Bank Server Phishes for US Banks
1sockchuck writes "A Chinese bank's servers are being used in phishing attacks against U.S. institutions, apparently the first time one bank's infrastructure has been used in attacks on other banks. A hacked server from China Construction Bank Shanghai Branch is hosting pages spoofing Chase and eBay. The scam is one of numerous sites using a social engineering hook promising a $20 reward for recipients who complete a survey about the bank's online services. It then asks for your account login and password - so it can deposit the $20 in the correct account, of course. Plus your Social Security number, mother's maiden name etc." -
Apache Webserver Surpasses 50 Million Website Mark
chris81 writes "For the first time ever, the Apache Web Server is powering more than 50 million websites, according to Netcraft's Web Server Survey for October. Although relative share fell by 0.67 percent, the total number of sites powered by Apache grew to over 52 million. Microsoft's IIS finished second with more than 15 million sites served." -
Internet Growth in 2005 Sets Record
miller60 writes "Netcraft's Web Server Survey reports that a large gain in web sites in October makes 2005 the strongest year ever for Internet growth. The web has added 17.5 million sites so far this year, eclipsing the previous annual best of 16 million during the dot-com boom in 2000. And that's with two months left in the year. Is this growth for real? Web hosts targeting the small business market (like Yahoo Small Business and Go Daddy) report that business is booming, suggesting that web-wary local businesses are finally going online. But some of the growth is likely due to domain name business models, with speculators buying large numbers of domains and placing advertising on them." -
Exploits Circulating for Latest Windows Holes
1sockchuck writes "Exploits are already circulating for at least two (and possibly four) of the Windows security holes addressed in Microsoft's updates on Tuesday. Several working exploits have been released for a new vulnerability in Windows Plug and Play technology, which could be used to spread a worm targeting Windows 2000 machines, according to eEye security, which has released a free scanner to help network admins identify vulnerable computers." -
VeriSign Can Raise .net Prices in 2007
miller60 writes "ICANN is lifting restrictions on VeriSign's pricing of .net domains as of Jan. 1, 2007, eliminating a cap that dictated the amount VeriSign could charge registrars for each .net domain. The cap, now at $4.25 per name, expires at the end of 2006. The pricing details were not included in a draft contract published by ICANN prior to the bidding process, but negotiated after VeriSign prevailed in a controversial evaluation by Telcordia. VeriSign must give six months before any price change, allowing time to lock in current pricing with multi-year renewals." -
PHP Blogging Apps Open to XML-RPC Exploits
miller60 writes "A bunch of popular PHP-based blogging and content management apps are vulnerable to a security hole in the PHP libraries handling XML-RPC, which could allow a server compromise. Affected apps include Wordpress, Drupal, PostNuke, Serendipity, phpAdsNew, phpWiki and many more. The presence of the security hole in a large number of programs is among the factors leading the Internet Storm Center to warn that the environment is ripe for a major Internet security event." -
2005 Looks Like Record Year for Net Growth
miller60 writes "Netcraft reports that the Internet grew by 2.7 million sites in June, the second-largest gain in the history of its Web Server Survey. With growth of 10 million sites in the first half of the year, 2005 should easily surpass the existing annual growth record of 16 million sites from the dot-com boom year of 2000. The growth of small business web sites, blogs, domain name businesses and online advertising are all cited as factors in the strong gains."