Slashdot Mirror

Why would they bother when the NSA can do it for them?

Guess who has been spying as a subcontractor? Verisign!

Welcome to MITM country.

The CALEA law covers data now, so virtually all of the USA Internet traffic can be effectively bugged, and there are no trustable third parties for SSL links. Where secure encryption is concerned, you are on your own.

Heh. The head of the IETF receives compensation from both Verisign and the NSA.

I'll add to that. Thirty seconds of Google provides this caveat article:

12 issues you need to know about software-as-a-service
http://www.networkworld.com/news/2007/073107-softw are-as-a-service-12-things.html

What's the first one?

"Don't use software-as-a-service for any application your company cannot do business without - unless you're sure the vendor can support it better than you. "You shouldn't get SaaS for any application where your entire company is depending on that application running successfully all the time, and you feel that you could not get the reliability or the performance that you require except by controlling it yourself," says consultant Amy Wohl."

What did I say?

"XenSource has been in the news twice this week -- Monday they release a product, then Tuesday they get bought for $500m by Citrix. Here's Network World's take on the buyout and on the product. It looks like the product is packaging new releases of several of their components -- there's a 64-bit hypervisor version 3.1 that uses the Intel and AMD hardware tricks, APIs, management tools, and XenMotion, which lets you move running virtual machines around. According to Xen's product page, the free-beer XenExpress version gets the hypervisor, APIs, and some of the management tools, but not the fancier management or XenMotion, and it's somewhat crippled in terms of capacity (max 4 VMs, 2 CPUs, 4GB RAM, while the commercial versions support 128GB total RAM, larger VMs, and unlimited VMs and CPUs.)

(But will it run Linux?) It will run Linux -- one of the data sheets implies that Linux only runs in 32-bit mode, while Windows can run 64-bit. Perhaps there's more documentation that provides more details."

http://www.networkworld.com/news/2007/081507-citri x-xensource-desktop-server-virtualization.html?nlh tspec=081507specialalert1&

"XenSource has been in the news twice this week -- Monday they release a product, then Tuesday they get bought for $500m by Citrix. Here's Network World's take on the buyout and on the product. It looks like the product is packaging new releases of several of their components -- there's a 64-bit hypervisor version 3.1 that uses the Intel and AMD hardware tricks, APIs, management tools, and XenMotion, which lets you move running virtual machines around. According to Xen's product page, the free-beer XenExpress version gets the hypervisor, APIs, and some of the management tools, but not the fancier management or XenMotion, and it's somewhat crippled in terms of capacity (max 4 VMs, 2 CPUs, 4GB RAM, while the commercial versions support 128GB total RAM, larger VMs, and unlimited VMs and CPUs.)

(But will it run Linux?) It will run Linux -- one of the data sheets implies that Linux only runs in 32-bit mode, while Windows can run 64-bit. Perhaps there's more documentation that provides more details."

http://www.networkworld.com/news/2007/081507-citri x-xensource-desktop-server-virtualization.html?nlh tspec=081507specialalert1&

"XenSource has been in the news twice this week -- Monday they release a product, then Tuesday they get bought for $500m by Citrix. Here's Network World's take on the buyout and on the product. It looks like the product is packaging new releases of several of their components -- there's a 64-bit hypervisor version 3.1 that uses the Intel and AMD hardware tricks, APIs, management tools, and XenMotion, which lets you move running virtual machines around. According to Xen's product page, the free-beer XenExpress version gets the hypervisor, APIs, and some of the management tools, but not the fancier management or XenMotion, and it's somewhat crippled in terms of capacity (max 4 VMs, 2 CPUs, 4GB RAM, while the commercial versions support 128GB total RAM, larger VMs, and unlimited VMs and CPUs.)

(But will it run Linux?) It will run Linux -- one of the data sheets implies that Linux only runs in 32-bit mode, while Windows can run 64-bit. Perhaps there's more documentation that provides more details."

http://www.networkworld.com/news/2007/081507-citri x-xensource-desktop-server-virtualization.html?nlh tspec=081507specialalert1&

The submitter ("When not blogging, I am a Network World news editor and write the 'Net Buzz column.") is just linking to his crappy blog, which is just whoring his employer.

The submitter ("When not blogging, I am a Network World news editor and write the 'Net Buzz column.") is just linking to his crappy blog, which is just whoring his employer.

TFSummary links to TFA:
http://www.pclaunches.com/software/olympic_committ ee_chooses_xp_over_vista.php

which just regurgitates the story from
http://www.networkworld.com/news/2007/080807-vista -wireless-kept-off-core.html

Why not link directly to the source instead of some blogger collecting Adsense? Network World has got advertising too, of course, but at least they earned it by doing the work and researching a story instead of just plagiarising it like a Picquepaille.

And for fuck's sake "installing XP on it's machine".
"It's" == "It is". Possessive is "Its".

The direct link is http://www.networkworld.com/news/2007/080807-vista -wireless-kept-off-core.html (and the blog's source isn't much longer).

Sounds like Microsoft is expecting some flak over their insecure operating systems. Probably related to those millions of Windows systems pwnd by .. somebody, and available for launching attacks.

There's a current worry in the security community that somebody is building up assets of pwnd systems. Somebody is acquiring the capability to do something big. But who, or why, isn't known. The assets being accumulated are more than a spammer needs.

There must be a fine for failing to be cranky or cynical about this.

http://www.networkworld.com/community/node/17908

Try http://www.networkworld.com/community/node/15991 instead.

It wasn't that long ago that the author of Microsoft Word was banned from a bunch of casinos (temporarily) for what he described as being too lucky at video poker.

http://www.networkworld.com/community/node/17709

Immunity, which buys but does not disclose zero-day bugs, keeps tabs on how long the bugs it buys last before they are made public or patched. While the average bug has a lifespan of 348 days, the shortest-lived bugs are made public in 99 days. Those with the longest lifespan remain undetected for 1,080 days, or nearly three years, Aitel said.

Immunity, which buys but does not disclose zero-day bugs, keeps tabs on how long the bugs it buys last before they are made public or patched. While the average bug has a lifespan of 348 days, the shortest-lived bugs are made public in 99 days. Those with the longest lifespan remain undetected for 1,080 days, or nearly three years, Aitel said.

And if you just can't get enough wonders today, here is another such list: "The 7 Wonders of the Internet."
http://www.networkworld.com/community/?q=node/1680 6&page=0%2C0&t51hb=

Yes, of course it will hold up in court. If they could have found a way to null the Microsoft/Novell deal they would have done it. Not sure it's really necessary anyway. The Microsoft Subnet blog points out that ultimately the market will decide who wins. Dekstop virtualization technologies and things like Google apps will make all of this a who-cares five years from now anyway, least from an OS perspective. The desktop will be some version of something running on some version of something else and we'll all be logged onto the Internet to be writing documents.

I think it is awesome what Miguel has done, but why is SlashDot so slow in posting news. This story came out last week. http://www.networkworld.com/news/2007/061907-linux -microsoft-browser-plug-in.html

I'm not sure how kosher this change is in terms of the fair use laws (not limited to the US) or the archiving law

plus the Finnish courts have ruled that a DVD's protection scheme is ineffective. (http://www.networkworld.com/news/2007/052807-finn ish-court-rules-dvd-drm.html?inform)

Ask and ye shall receive:

http://blog.washingtonpost.com/securityfix/2006/03 /when_macs_attack.html

http://lwn.net/Articles/222153/

http://www.networkworld.com/community3/?q=node/534 4

http://blogs.securiteam.com/index.php/archives/304

http://www.shadowserver.org/

I can continue for pages and pages if you wish. You know, search engines are useful tools at times ;) Now granted, most of it comes from exploits in 3rd-party apps, such as Apache, PHP, SQL, etc. But...knowing this, and how there are botnets running with Apache priviledge levels.....kind of dumps that whole "don't run as root in *nix" argument right into the toilet. As long as people are people, they can be socially-engineered to offer up their passwords for whatever reason (I'm looking at you, OSX users). Relying on a popup password entry box for security is just as silly as allowing a Windows machine to sit un-patched on the internet.

I am actually quite surprised that more OSes don't have some sort of application firewalling/sandboxing built into them, instead of relying on concepts like UAC or root permissions that are worthless if all it takes to bypass them is someone typing a password into a popup box, clicking Allow (and how many people do we know that use blank or short, all alphabetical passwords, hmmmm?), or running insecure application software that is always accessible via the internet.

I think our government has corrupted itself with the granting and enforcing of monopolies in this area.

Yes, long ago — when granting monopoly to AT&T...

It was inevitable that Verizion would skimp on copper to fund their build-out of FIOS. The suprise is that so few people seem to care, or even know, how badly we're being screwed.

I don't notice it either, really. By 2004 the majority of US Internet users were using broadband.

But even if we are underserved, the increase in FIOS (fiber!) penetration over copper is a good thing... It is a superior technology, what's wrong with Verizon preferring it?

Yeah, I know it looks like some dodgey mailer script, but it just uses Javascript form elements to fill in bits of their standard printer page, instead of making a proper URL. Of course GET vs. POST is not checked ;-)

At Erion we have been using IPv6 for many years. This includes using Vista with IPv6 since the early betas of Vista. We have had very few problems. Non of the problems we have experienced have been related to faults in the IPv6 stack.

The article doesn't provide enough detail to be able to analyse the alleged problems with Vista and IPv6. However, I suspect that they are not really problems with Vista or IPv6. As another comment has observed the author is 24 orders-of-magnitude out in the difference between the number of IPv4 addresses and the number of IPv6 addresses. This does not instill confidence in the accuracy of the rest of the article.

Regarding the printer problems, it is extremely unlikely that these are caused by IPv6. As any IT administrator knows there are many reasons why printing can go wrong. If the corruption was caused by IPv6 then it wouldn't just affect printing, it would affect all other network services too.

The ICMP issue described in the article does not make sense. ICMPv6 is IPv6's version of ICMP. It carries out the functions that ICMP carries out in IPv4 plus many new functions only found in IPv6. Applications interface to ICMP (and IP) using the socket API. The way in which applications use the socket API is largely the same for IPv4 and IPv6. Not only this but the socket API is almost identical across all operating systems supporting IPv6, not just Vista. This means that ICMP errors are exposed to applications through the socket API. It is hard to understand what the author means here.

I hope my comments above make it clear why I suspect that the conclusions drawn in the article are wrong.

At Erion we have a lot of experience of implementing IPv6. We have found that IPv6 is reliable and stable across many platforms. Indeed, it is in widespread use around the world. We have found that problems with IPv6 are more often to do with misconfiguration of naming services, routing and transition mechanisms than anything to do with IPv6 itself. We always recommend that anyone interested in implementing IPv6 undertakes IPv6 training. For further information see http://www.ipv6training.com/ and http://www.ipv6consultancy.com./ On the subject of IPv6 and Vista I gave a recent presentation at SambaXP on this subject. You can find that at http://www.ipv6consultancy.com/ipv6blog/?p=8.

Personally, I am very pleased that Vista and Windows Server 2008 (Longhorn) support IPv6 as their default stack. We have many clients who are keen to implement IPv6 but have held back due to the limitations in IPv6 support in Windows operating systems. I suspect that the release of Windows Server 2008 will increase the usage of IPv6 in two very different ways. Firstly, organisations who are not interested in IPv6 will implement it as a side-effect of implementing Windows Server 2008. Secondly, organisations who are keen to use IPv6 but have been held back by the lack of IPv6 support in AD will be able to move ahead with IPv6 AD support in Windows Server 2008.

Bricks and mortar Bank of America is not going to fuck over customers

Now THAT is funny.
Bank of America hit Gloria Carlo, 51, a single mom from the South Bronx, with a lawsuit demanding $23,312.04. It's money the bank claims she overdrew in a two-month home-shopping spending spree after already exhausting $38,000 from her own savings.

Bank of America Corp. and Wachovia Corp. are among the big banks notifying more than 670,000 customers that account information was stolen in what may the biggest security breach to hit the banking industry.

Users of the Bank of America's Visa Buxx prepaid debit cards are being warned that they may have had sensitive information compromised following the theft of an unencrypted laptop computer.

Given how "well" Russian Government organizes things it'd be an utter failure. Please remember, there are many people and groups in the whole world that are quite capable of doing it by themselves. What, do you think the government has nothing else to do than to issue covert demands for every dial-up user to ping particular Estonian servers?
Estonia (and some mass media) simply find it useful to blame everything on Russian government now. Russian companies refuse to buy their products because customers stopped buying them? Blame Kremlin. If a giant meteor were to strike the capital right now, there'd be a couple of experts saying that "Nobody can prove it wasn't a covert Kremlin operation".

Of course you also have to think about it from the other point of view. If there was a symbol for all US soldiers that died in combat, that marked their graves in another country, and that country would then decided to just move it somewhere else, because they want to put a highway on top of that last resting place... Would Americans grin and bear it? No? Loud screams from politicians asking for sanctions? Regular people doing everything they can to protest it? Net bot herders making statement and then bragging about "squashing the embassy N servers" between themselves?
Would the US government have to encourage people to do it?

Now tell me, what's the difference?

I would think the more important thing would be Pentagon's readiness to bomb the source of cyberattacks, which means that a group of bot herders can decide which country Pentagon will be bombing next.

The fact is that Microsoft is late to the party with their Microsoftized version of sudo. That's really what UAC is, after all: sudo with a fancy display mechanism (to make it hard to spoof) and extra monitoring to pick up on "suspicious" behavior.'"

No it's not! Not at all. First of all, let's define what sudo should do: Act as a barrier that data and application execution must pass. UAC does not fit the definition.

"Vista features such as UAC or Protected Mode Internet Explorer that are dependent on limited user privileges -- which Microsoft calls Integrity Levels (IL) -- are designed to allow some IL breaches.

Because the boundaries defined by UAC and Protected Mode IE are designed to be porous, they can't really be considered security barriers, he said. "Neither UAC elevations nor Protected Mode IE define new Windows security boundaries,"

Thank you Mark Russinovich for stating what's been clear for quite some time. http://www.networkworld.com/news/2007/021407-micro soft-uac-not-a-security.html

I wish, for once, everyone and their grandmother would stop assuming Microsoft's security proclamations are reliable information.

Here's a more detailed follow-up on this story: http://www.networkworld.com/news/2007/042607-cisco -nac-unversity-portland.html?t51hb

See this update page linked to the original post referenced above:

http://www.networkworld.com/community/?q=node/1460 0

Is it just me, or do I see a small rash of anti-Google stories here on /. today? Something else about how Google can't figure out how to handle a 12 gig database? Are you kidding me?

At least for most corners of the globe. Original settings back, too. http://www.networkworld.com/community/?q=node/1460 0

From the statement: "Root cause is currently under review, but service for most customers was restored overnight and RIM is closely monitoring systems in order to maintain normal service levels."

http://www.networkworld.com/community/?q=node/1416 9

here is a good link for the lazy http://www.networkworld.com/columnists/2007/041607 backspin.html

I am a long-time user of TT software (CD ROM version, and for the past four years, the Web version). I was always a little suspicious of your company's promises about security and now I can see that I was right to be skeptical.

So Bob, could you clarify exactly what happened with this customer in Nebraska? You said that the vulnerability does not affect the TurboTax Online application, yet the user in Nebraska says she was able to access other people's returns using your online service, and one of your employees has confirmed the incident.

Can you definitely confirm that NO ONE besides these three people were affected? Or do you just assume no one else was affected, because no one else reported this flaw? Do you have log files or other records which would be able to definitely confirm whether anyone else's record was viewed?

Also, a user on this thread reports that he noticed some poor security practices that your company had in place in its communications and policies earlier this year; is the Nebraska incident related to this? Did Intuit address the concerns that he brought up (he says no one ever got back to him)?

It's not gotten to that point yet.

True, but they seem to be playing on the proverbial greased incline. Some of which isn't really Google's fault but is more a result of them being so big and having to make choices between evils. e.g. China

I particularly liked the "Lego Rule." ... Also, I have "this friend" who's about to turn 50, has never played a video game in his life, and has three young children who are soon to graduate from noggin.com to the real thing. I'm not, I mean he's not, going to be one of those anything-goes guys. Any advice for this type?

http://www.networkworld.com/community/?q=node/1360 4

Plagiarism has been confirmed officially by Google, Sohu and IDG news reporter Sumner Lemon.

Google admits word database came from third party - Network World

http://www.networkworld.com/news/2007/040907-updat e-google-admits-word-database.html

An earlier report by the same reporter: Sohu to Google: Take down copycat software
http://www.networkworld.com/news/2007/040707-sohu- to-google-take-down.html

Google China's Official Apology to Sohu.com (in Chinese)
http://googlechinablog.com/2007/04/blog-post.html

Plagiarism has been confirmed officially by Google, Sohu and IDG news reporter Sumner Lemon.

Google admits word database came from third party - Network World

http://www.networkworld.com/news/2007/040907-updat e-google-admits-word-database.html

An earlier report by the same reporter: Sohu to Google: Take down copycat software
http://www.networkworld.com/news/2007/040707-sohu- to-google-take-down.html

Google China's Official Apology to Sohu.com (in Chinese)
http://googlechinablog.com/2007/04/blog-post.html

Ignore Microsoft, he says, because "Microsoft is Dead."
His take: http://www.paulgraham.com/microsoft.html
Mine: http://www.networkworld.com/community/?q=node/1356 1

Oh, the EU has fined so many companies for price fixing, I don't even know where to begin--Bayer & Chemtura, Siemens, Dow, escalator firms, Heineken, Aventis, animal feed companies, the Deutsche Post, many vitamin producers, Nintendo and, of course, the well known case of Microsoft.

I'm not saying that none of these fines are unjustified but I am saying that, if I may opine, the EU has been issuing a lot of fines. With this recent Apple one, it does seem as though Apple had no choice and if they aren't given an alternative to losing their contracts with record companies for the sake of running one Europe encompassing store, then I don't blame them. On the surface, the EU Commissions seem to be discouraging big businesses from selling things like XBoxes, PS3s or iTunes inside all of the countries. Is this a good thing or a bad thing? I guess time will tell ...

I'm sorry, bit TiSP is a blatant rip-off of DSL technology that I introducted about a decade ago:
http://www.networkworld.com/community/?q=node/1324 0

A link on the same site on the same page has a product that will actualy make it to market this year:

http://www.networkworld.com/community/?q=node/1102 6

Bruce Sterling talked about sugar based energy sources 15 years ago in one his books. -- It is not a commercial product yet.

... when I read a story like this, I usually try to stop and ask myself, "What if I did live there? Would this kind of craziness make more sense?" I cannot imagine that it would, but, like I said, I don't life in New York. ... BTW, if you haven't read the article, you really should just to catch the part about the "wireless bicycle."

http://www.networkworld.com/community/?q=node/1287 4

Several discussions of Linux Botnets:

http://lwn.net/Articles/222153/
http://blogs.securiteam.com/index.php/archives/815
http://www.networkworld.com/community/?q=www.deb.r adcliff.com

Without getting into if CALEA is applicable in the RIAA versus the world scenario; there has actually been a good bit of debate concerning how/if it applies to networks provided by universities.

It would appear that Uncle Sam has more or less said, "it depends". For more details see the following:

http://www.networkworld.com/news/2006/050106-calea .html

http://www.acenet.edu/AM/Template.cfm?Section=HENA &Template=/CM/ContentDisplay.cfm&ContentID=17276

http://connect.educause.edu/blog/lgesner/calea_upd ate_higher_ed_reporting_due_dates_announced/16659

Here's what I make of this whole flap -- not much: Clinton, Obama, the ad's maker (now out of a job), his employer and the press are all just playing their roles ... and the play is a farce. No one's really outraged by that video clip (especially Clinton). And no one really believes it's out of bounds. They're all just reading from the script. ... Of course, that's what high-stakes presidential politics is all about these days. More on this theme on my blog if anyone cares:

http://www.networkworld.com/community/?q=node/1275 7

Theres a couple of things that make me queasy about all this. Its dirt easy to say that something is not innovative after you see it.

This at least is a quantifiable statement. Look at the comparable technology and if its not priced below it then perhaps they are being unreasonable.

"When you talk about an operating system, if Dell is going to install it and test it, it takes a lot of work" before getting it ready for the marketplace, including having training and support in place.

He is looking for ways to re-energize the company's sales and financial performance after several disappointing quarters.

They shouldn't be allowed to sue Wikipedia unless they are accusing Wikipedia of the damage itself.

Cisco doesn't make the hardware components that go into their VoIP devices or anyone else's. They do sell VoIP phones, both in the consumer market as Linksys and in the enterprise market. But really Cisco regards VoIP as just another application that increases demand for their real products, the big-iron infrastructure needed to support it all. Cisco wants to turn the iPhone into an application on top of Cisco's infrastructure. It seems likely that future versions of the iPhone will have VoIP support, so Cisco wants to ensure that the iPhone will be compatible with their infrastructure. The scenario is that you can walk into work, connect to the corporate WiFi and use the iPhone like your desk phone. Certain Nokia phones have apparently had this ability for about a year. More information here.

I liked it better here:
http://www.attrition.org/postal/z/033/0871.html

Article giving details here:
http://www.networkworld.com/community/?q=node/9999

The subject line of their e-mail reads - "Acunetix Accepts the Network World Challenge" - but, as you'll see, that claim isn't any more supportable than the company's press release, which they at least have the good graces to concede was "apocalyptic."

http://www.networkworld.com/community/?q=node/1150 1