Domain: netsys.com
Stories and comments across the archive that link to netsys.com.
Stories · 16
-
phpBB Forum Down After Defacement
kv9 writes "The phpBB forum has been closed down after the host was cracked into, apparently because of an AWStats hole. Several blogs have been attacked using the same method. Commentary on Netcraft, The Reg and SecurityFocus" -
Safari Falls Victim to Remote Code Exploit
A user writes, "A new vulnerability has been found in Mac OS X's Safari, which will launch Help.app and run an arbitrary script with a URL like 'help:runscript=...', assuming a known path (which is possible when Safari is set to automount disk images (which is the default)). A nice working demonstration is available on insecure.ws while the incident has been reported on Full-Disclosure." -
Open Source Firm Releases Patch for IE Bug [UPDATED]
An anonymous reader writes "An open source and freeware software development web site has released a patch to fix the URL spoofing vulnerability in Internet Explorer, which can be exploited by scammers who try to trick people into revealing details of online banking accounts or other private information." Naturally, the source for the patch is available as well. Update: 12/19 15:06 GMT by M : Sadly, the patch appears to contain a buffer overflow and some possibly-malicious code - see an analysis and news story, and this comment which suggests the patch author is trying to figure out who is taking advantage of the original vulnerability. Caveat patcher. -
Gentoo rsync Server Compromised [updated]
costela writes "LWN points out that the Gentoo project fired out an alert about one compromised rsync server." From the message itself: "However, the compromised system had both an IDS and a file integrity checker installed and we have a very detailed forensic trail of what happened once the box was breached, so we are reasonably confident that the portage tree stored on that box was unaffected." Update: 12/03 22:54 GMT by T : One more damage report: gibson writes "The Free Software Foundation recently discovered that its software host site was compromised a month ago. The compromise appears to be the same as the recent attacks on the Debian servers. The site is shut down until Friday while they install replacement hardware and verify the authenticity of the hosted source code." -
Bill Gates: Windows Patched Faster than Linux
petard writes "In a very interesting interview published by the Register, Bill Gates made several interesting claims about Longhorn. Many of them have been extensively covered recently, including plans to force users to patch automatically. Surprisingly, everyone seems to have overlooked his statement that Microsoft fixes bugs faster than Linux developers do. 'We've gone from little over 40 hours on average to 24 hours. With Linux, that would be a couple of weeks on average.' Either he's lying or woefully misinformed; their recent performance seems to be more on the order of 3+ months, or over 2000 hours." -
Earthstation 5 Claimed to be Malware
Rob from RPI writes "You may remember the announcement about a company, or program, or both called Earthstation 5 who recently 'Declared War' on the MPAA. Well guess what? Turns out that it's got code in it that allows anyone to delete any file on your computer. I suggest that you un-install as soon as possible!" -
Slashback: VeriSign, Balance, Manifestation
Tonight's Slashback brings updates and clarifications to several previous Slashdot stories, so read on below for information on the (over-stated) recall of Segway scooters, the fate of RAV AntiVirus's Linux development team, VeriSign's Site Finder, the (latest) Lindows v. Microsoft scuffle, and more.
Linux antivirus developers join Kaspersky Labs prostoalex writes "The Linux development team of Romania-based RAV AntiVirus, acquired this June by US-based Microsoft, joined Russia-based Kaspersky Labs. This transition took place after Microsoft confirmed there will be no Linux or Novell version of antivirus software. Kaspersky Labs now works on RAV Migration program for Unix/Linux users, since the company officials deem this market as one of the fastest-growing."
VeriSign must love attention. talon77 writes "Netsys is reporting that a class action lawsuit has been filed against Verisign due to their Sitefinder. It's about time."
And Anonymous Brave Guy writes "VeriSign are in legal trouble yet again, this time for handing over a domain name to a former employee of the former holder. Also some interesting tidbits in here about the impact of the sex.com case, the fact that since July domain names are regarded as property under U.S. law, and the idea that VeriSign might themselves be held accountable for punitive damages awarded against someone who takes over a domain name improperly."
Piling on, Anonymous submits: "Verisign seems to have issues with returning proper response packets for DNS queries on unused domains, so we thought we would give them a quick reminder in case they forgot what the right answer was. You can find pictures here. (This was on their building in Mountain View, and the signs said 'Verisign/Netsol, as if people didn't hate you enough already... How greedy/stupid are you? [Made with figlet/vim/a2ps/poster.c]')"
Update: 10/02 00:37 GMT by T : And (ooops!) this part got chopped off: "Note that the Verisign web search is powered by Inktomi for search and overture for ads, both of which are now owned by Yahoo. You can always vote with your dollars and your clicks."
Ohio uncappers peer at the ToS. Mike writes "Looks like Broadband Reports has posted a follow up to what happened to those Ohio Cable broadband users who had FBI agents confiscate their hardware for uncapping their modems (See original BBR story here, Slashdot story here). Looks like most of the offenders settled for fines and community service, but one took the case all the way, and eventually got it overturned because the cable company's AUP failed to clearly mention their legal stance on uncapping."
Thorn-in-side lessons, part IIXIIXV. jlechem writes "Lindows and Microsoft are at it again. Wired News is running a story about Lindows refusing to take down the settlement website reported on by Slashdot earlier. CEO Michael Robertson stated 'Our plan is to continue to offer the MSfreePC service in spite of your threats. If required, we will be a voice in the courtroom defending a consumer's right to use technology and an online process to secure their settlement claims.'"
MPAA Scratches Oscar Screeners xstein writes "In a follow up to this story, the major studios have agreed to go along the MPAA's proposal to stop sending out screener tapes and DVDs to Academy members. The agreement would include MPAA's seven studio members, Disney, WB, Sony, Universal, 20th Century Fox, Paramount, and MGM, as well as their affiliates, which include New Line, Miramax, Focus Features and Sony Pictures Classics. Dreamworks, although not an MPAA member, also agreed to the ban. This move scratches a longstanding tradition, and is seen to hurt smaller, independent-minded movies distributed by MPAA members the most, though may allow truly independent studios such as Lions Gate to gain extra attention with their screener tapes. E! Online and Salon.com have the scoop."
Phantom Offices? Ray B writes "On September 18th, Slashdot posted about an article on the Phantom video game console. Of particular note in the primary article investigating the Phantom's founder(s), was that the company did not even have physical offices.
Just four days later, the Phantom email Newsletter #2 is issued, with the first bit of news being:
"Infinium Labs recently signed a five-year lease on 10,000 sq. ft. of prime office space to locate its corporate offices in the Centre Pointe Building in downtown Sarasota, Florida. The Centre Pointe offices are in close proximity to many of the company's early investors, its corporate legal counsel and the industrial design firm that is developing the Phantom Game System(TM) prototypes"
Coincidence or damage control?"
Well, start with the Python then and work your way up. Wolfbone writes "A recent edition of 'Global Business,' a BBC World Service programme available here in RealAudio form, contains an admission that the BBC cannot afford to put its entire archive online, contradicting an earlier Slashdot story and the BBC's own report. Even though it only has 11.56 Petabytes of the stuff, some of it recorded on wax cylinders, it would be too expensive, apparently, to keep their earlier promise. The rest of the programme is about the more general problems of long term archiving of data and how some organizations still don't trust digital electronic formats and prefer to stick with paper and microfiche."
Segway recall: in and out in 10 minutes! ptorrone writes "I got my Segway HT updated today, the 'recall' is a simple software update, it took 10 minutes and that was about it. To clarify what the recall is ...the HTs are not being sent back, Segway has people in each state of the USA and they update them. So far all owners have been notified and thousands have updated. The update makes it harder for people to ride after numerous low battery alerts (3 people out of 6,000 thought something else). Here are my pictures from the update procedure."
-
New ssh Exploit in the Wild
veg writes "In the last few hours there have been several reports of a new ssh bug, with an exploit seemingly in the wild. Oh god not again... The lengths some people will goto to try and damage Theo's pride." Update: 09/17 00:24 GMT by T : friscolr writes "Hot on the heels of rev 1 of the buffer.adv advisory, here is revision 2, which fixes more than revision 1 did. Also see the 3.7.1 release notes." -
Buffer Overflow in MySQL
maedls.at writes "Here is a short description of the Vulnerability: Passwords of MySQL users are stored in the "User" table, part of the "mysql" database, specifically in the "Password" field. In MySQL 4.0.x and 3.23.x, these passwords are hashed and stored as a 16 characters long hexadecimal value, specifically in the "Password" field. Unfortunately, a function involved in password checking misses correct bounds checking. By filling a "Password" field a value wider than 16 characters, a buffer overflow will occur. For details and proof of concept see: http://lists.netsys.com/pipermail/full-disclosure/2003-September/009819.html" -
DMCA-Alikes Sweep Europe
D4C5CE writes "The number of European countries enacting their ignorance of the sad experiences from Four Years under the DMCA has just risen to 5, as the Upper House (Bundesrat, incidentally) of the German Parliament on Friday failed to veto (sorry, some press releases are only available in heavily spin-doctored German Legalese at this point in time) and is hence considered to have consented to the adoption by the Lower House (Bundestag) of a federal law implementing the dreaded DMCA's European sibling known as EU Copyright Directive 2001/29/EC." Read on for more on the copyright laws being considered around the EU.
D4C5CE continues: "Earlier implementations have been reported from Austria, Denmark, Greece and Italy.
Legal scholars consider the directive itself an invalid "monstrosity", and the German law unconstitutional. In fact, this legislation is viewed as so terribly awful that even from the U.S., the EFF tried to prevent it in a rare intervention overseas.
Declaring that the circumvention rather than the use of Copy Protection is a Crime, the German parliament threatens to make things even worse by adopting a "second stage" with further steps to impose DRM and additional levies later this year, but unsurprisingly, all of the issues that DMCA-style laws have become notorious for are already there: Overbreadth, overprotection of technical measures, and Chilling Effects aplenty.
Record companies eagerly awaiting this "lex Bertelsmann" have already caused ISPs to send out warning letters to P2P users for alleged copyright infringement, and are expected to take legal action against individual users of file-sharing networks, following in the footsteps of RIAA.
Confirming the fears expressed by Alan Cox on Slashdot, computer gurus will soon find no place left to go even on the European side of the pond, and the Free-X "Independence Day" XBox exploit posted by one brave German just in time before this dismal day may well have been one of the very last legal disclosures in this part of the world as well."
-
Screensaver Bug in Mac OS X
dave1212 writes "Still too early to tell, but there seems to be a screen saver password exploit in Mac OS X. It was discovered and posted on the Full Disclosure list earlier today. Theories, personal tests, and rumours abound, with some success stories, and the possibility that it could affect all Cocoa programs. Speculation points toward a 2048 character buffer, with people using the emacs shortcuts Ctrl-K and Ctrl-Y to fill the text field in under half a minute." -
Xbox Linux Made Possible Without a Modchip
An anonymous reader writes "Free-X have released an exploit for the Xbox that will let you get Linux on the machine without any hardware mods at all... Microsoft is already threatening them with legal action. Here's the Free-X statement. Free-X say they had been trying to contact MS for a month but were ignored, which is why they've released the exploit. Should be interesting to watch this one." -
Java/Script Alert: Cross-Platform Browser Vulnerability
Ant writes "Synopsis: Opera, Mozilla & Netscape with javascript enabled are vulnerable to remote command execution. This has been tested on Microsoft, and many many Unices. Macintosh may also be vuln. Ironically enough, IE is unaffected." Update: 06/08 23:56 GMT by H : The problem seems to be one in the Java security model itself; but the evidence seems to be that if you turn off JavaScript, you turn off the vulnerability. Update: 06/09 00:56 GMT by T : According to this followup message from Mozilla security group member Daniel Veditz, the problem is actually one that's already been fixed in Mozilla 1.3, and not a remote command execution vulnerability at all. (Thanks to reader Jared Klett and others.) -
Hacker Leaks Unreleased CERT Reports
Call Me Black Cloud writes "A hacker calling himself "Hack4Life" swiped 3 unpublished vulnerability reports from a company working with CERT and posted them to the Full Disclosure mailing list. A couple of days later, he did it again (while promising weekly leaks). Wired also has a story, including a link to one of the postings."