Domain: newsbytes.com
Stories and comments across the archive that link to newsbytes.com.
Stories · 71
-
Comcast Sued Over Internet Data Gathering
saikou writes: "Slashdot already had an article about Comcast using transparent cache systems to track their cable modem users' browsing habits (purely for improvement of their networks, of course) and now here's the follow-up. Newsbytes posted yesterday a story about the lawsuit, demanding $100 per day of tracking for each customer. I guess even if it will work out, customers might get oh, say, $10. With the rest being a fee for the lawyer(s) :)" Update: 05/25 12:37 GMT by T : burgburgburg points to a New York Times article about the case, and reminds you of two previous mentions of the controversial user-tracking effort (one, two). -
DeCSS' Continuing Saga
blankmange writes "Newsbytes is carrying a followup on the DeCSS and 2600's court cases: "The Electronic Frontier Foundation and the First Amendment Project today asked the California Supreme Court to uphold a lower court's decision to permit publication of the source code for DeCSS technology, which circumvents digital copy protection systems." Maybe it's not over yet..." -
RealNames Closing Shop
The_THOMAS writes: "The company RealNames, which tried to make a buck off of the domain name gold rush by adding their own layer on top of the ICANN system, is going out of business (Full story here). To review, the RealNames system is a browser plugin which redirects a user who types 'cookies' in the IE address bar to Nabisco.com. The reason for the closure appears to be the decision by M$ to NOT renew their agreement with RealNames which expires in June." -
Yet Another Bad UDRP Decision
mrbrown1602 writes "According to a NewsBytes article, a Florida man named Peter Frampton had his domain, PeterFrampton.com, taken away through the quasi-judicial process established by ICANN for domain name disputes because he shares his name with a washed up rock star from the 70s. A copy of the WIPO decision can be found here." -
Spyware Fights Back
sparcv9 writes "According to the latest issue of Spyware Weekly, the Radlight media player not only searches your hard drive for Adaware, but will uninstall it if found. How do they attempt to legitimize this? By including a clause in their EULA that reads: 'You are not allowed to use any third party program (e.g Ad-aware) to uninstall application bundled with RadLight. Such programs will be removed. If you want to uninstall them, you may do so via Add/Remove in Windows' Control Panel.' Yes, that's right. Not only do they say you are not allowed to use Adaware to remove their bundled apps, but they will forcibly remove Adaware for you to make sure you don't!" There's also a Newsbytes story. -
Hollings Introduces Privacy Bill
Dynedain writes "Senator Disney (aka Hollings) is apparently trying to get on techies' good side. ZDnet is reporting he is proposing a bill for 'net privacy' requiring opt-in agreements when companies want to sell 'sensitive' information (medical history, sexual preference, etc.) and opt-out agreements when selling non-sensitive (buying habits). US Chamber of Commerce is opposing this." Another article on Newsbytes notes that there are likely to be several privacy bills floating around, offering different levels of actual protection. -
SSSCA Introduced in Senate
Peter BG Shoemaker writes: "Wired is reporting that Hollings has officially submitted his newly renamed SSSCA, carrying the moniker Consumer Broadband and Digital Television Promotion Act (CBDTPA). It carries all the provisions we've been worrying about...there is a new battlefield folks..." Newsbytes has another story. Reuters has a story about News Corporation and Disney lobbying in support of the bill. I haven't seen the exact text of the bill as introduced; it will probably be in Thomas tomorrow. Update: 03/22 00:12 GMT by M : Declan McCullagh has collected several documents pertaining to the SSSCA, errr, CBDTPA. He's got a faxed copy of the bill (barely legible; read it on Thomas tomorrow), plus statements from Hollings (read it!), the MPAA, the RIAA, and several lobbying groups for the tech industry, who seem less enthralled about it. -
Spammer Sues List Broker
BuckMulligan writes: "This article describes a lawsuit brought by a spam company against a list brokerage warehouse for selling e-mail addresses of persons who didn't opt-in. What this means is that those marketing lists created by data brokers aren't even accurate enough for sending spam." -
Netscape 6 is Spyware?
spoon00 writes: "AOL is collecting information on what Netscape 6 users are searching for on sites like google.com. IP address, the date Netscape was installed and a unique ID number are other bits of information AOL is also collecting." -
Open Relays, Free Speech, and Virus Propagation
sirsnork writes: "There is a story about John Gilmore running an open relay that is being used by a virus to propagate running over at Newsbytes. His defence? He wants his friends to be able to send email through his server from wherever they are. You'd think he'd know better." Gilmore has been skirmishing with Verio for some time over his open mail relay. Is it a good thing because it promotes the free flow of information? Is it bad for promoting the free flow of spam? Do the ethics change because someone writes a virus that uses the server to propagate? Interesting questions. -
U.S. Cybersquatting Law Goes Global
typecast writes: "Better bone up on Bulgarian trademark law before you register your next domain name. A U.S. federal court has ruled that laws protecting trademarks in foreign countries apply under the American Anticybersquatting Consumer Protection Act (ACPA) of 1999. (Note to the U.S. registrants of Quartz.com: watch out!)" -
Tauzin-Dingell Passes House
TheMatt writes: "The House has just passed the Tauzin-Dingell telecom deregulation bill. This was previously discussed here yesterday." All of the reports seem to agree that there are enough Senators opposed to it that it's not likely to pass this session. -
PHP Security & Exploit
Anonymous Coward writes "It looks like after a few weeks of rumors, an exploit for PHP/Apache under Linux surfaced. Luckily, PHP.net has the patch ready to go. While the exploit only claims to work for PHP up to 4.0.5, php.net also releases a patch for 4.1.1, the (until yesterday) latest version of PHP. This patch makes a small edit to the part of the source code (rfc1867.c) that is used by the exploit." -
Raisethefist.com Update
d33l0w3 writes: "It looks like Sherman Austin is off the hook for now. For those of you who missed the previous slashdot posting, Sherman was arrested on Feb. 2 for the contents of his website raisethefist.com. This comes as more of a surprise than the FBI raid on his house." Just a couple of days ago, the government was planning to transfer him to California to face charges there, but now according to Newsbytes, those have been dropped. Read that link I just gave - there's quite a lot of interesting information that came out during the hearing. The attorney's concern about Austin being jacked around in "detention" for an indefinite period of time says a great deal about our judicial system. -
FCC on Ultra-Wideband, DSL Services
ibirman writes: "According to Yahoo, the FCC has approved limited use of Ultrawideband (UWB) technology above 3.1 gigahertz. The article states that Sprint PCS among others has been campaigning to keep the minimum above 6 gigahertz claiming "interference". From what I have read, interference is not an issue, so I wonder what their real agenda is? Funny that the article does not mention that UWB could revolutionize high speed wireless networking." There's a Newsbytes story that describes an upcoming ruling on DSL providers, which would exempt DSL carriers from the open-access requirements in place for most telephone services. There are a few links to statements on the front page of fcc.gov, but I don't see the actual orders for either of these yet. -
Raisethefist.com Raided
mfb and others wrote in about a raid on the operator of raisethefist.com last week. It was first reported on Indymedia.org here and here, followed by an LA Weekly article. By far the best news piece so far is this one from Newsbytes. -
TrustE Launches Trusted Spammer Program
Silverhammer writes: "InfoWorld is reporting that such luminaries as TRUSTe, ePrivacy Group, MSN, and DoubleClick are getting together to develop a "trusted senders" program to certify "commercial email" and "elevate" it above ISPs' and end users' spam filters. Why, you ask? Because they believe it's actually our fear of fraud that's hurting their response rates. Apparently all that stuff about invasion of privacy and theft of resources is just a big misunderstanding..." The Infoworld story linked above has the best information about this seal program, but CNet has another story including a quote forecasting 1400 pieces of spam per person per day in five years. Update: 01/31 17:02 GMT by M : The FTC is announcing a crackdown on spam. -
Slashback: Games, Goats, Galileo
Slashback tonight brings you word on a games contest, an update to the famous spider-goat hybrid which grossed you out months ago, bad news for Galileo's last days, passable news for anyone following the David McOwen story and more. Read on for the updates :)
Make sure you slip this into the fine print of your consulting contracts. Adn writes "Newsbytes is reporting in a story that David McOwen, who was facing some pretty serious charges, will be let go with a fine as against a much harsher fate. If utilizing so called "unused cycles" for the greater good is a crime (I know he was not charged for that per se... but bear with me here) then it makes you consider uninstalling all those SETI@Home screensavers, doesn't it? Also a larger question... If the law (in these kinds of cases) operates on the 'intent' of the accused, what is the justification for even considering it a crime?"
Playing games builds your mind and your hand-eye coordination. Bill Kendrick writes: "The results are in for the SDL Game Contest held by No Starch Press, Linux Journal and Loki Games.
First place was awarded to LBreakout by Michael Speck. Second place went to Tower Toppler by Andreas Roever. My own game, Vectoroids just barely made third place over another asteroids-style game, Rock Dodgers by Paul Holt.
Congratulations! The full list of games is listed on No Starch's results page."
Guaranteed not to be your average Slashdot book review! Alex Chiu writes "Hello. This is Alex Chiu. I have written an online book at http://superiching.com teaching people how to communicate with God using I-Ching. This online book is free for everyone to read. It's at least 5 times bigger than alexchiu.com. If interested, please release this news."
You may remember Alex from the interview we did with him a little while ago -- truly a unique individual.
Flying blind and a long way from home. Vertigo01 writes: "According to this article on CNN.com, Galileo has encountered some technical problems on its flyby of Io and "for unknown reasons, went into safe mode" ... (sounds like my last Win98 install) ... flight engineers hope to restore normal operation for the duration of Galileo's life, but it looks like we won't get any more pictures of Io out of her."
Victoria's Secret probably won't put this on the box. FortKnox writes "Spider silk is long known to be one of the strongest biological structures made (5 times stronger than steel by weight). Biologists have already genetically engineered goats to produce spider silk in their milk. Now, they have successfully extracted the protein and "spun" the silk. The next, and final, step is to mass produce the silk to be available commercially. Move over Kevlar, here comes something better! I want to have the first biologically built house! I wonder how insulated spider silk is...."
-
VeriSign/NSI Proposes Domain Name Wait Listing Service
David Harris writes: "Newsbytes and the folks over at DotcomScoop.com have good stories about VeriSign's proposal to start a "Wait Listing Service" (WLS) that would allow consumers to buy domain names before they expire. As with anything that has to do with VeriSign/Network Solutions, the "WLS" ain't all it's cracked up to be and there is opposition from the ICANN community. I'm not sure I like the idea of auctioning off domains before they expire either." CD: To quote Don Marti: "DNS is a consensus reality." -
Linux Virus Alert
marcjw writes: "I don't see many of these (Linux virus alerts). In fact none in the six months or so since I've switched from MS. Maybe that's why this story from newsbytes caught my eye. At any rate, I'm not sure if this poses much of a threat to the general Linux community but it's always best to be forewarned." -
al Qaeda Hacks XP?
acaird writes "According to this article at Newsbytes, members of al Qaeda may have worked for Microsoft and planted "trojans, trapdoors, and bugs in Windows XP"." This stuff screams of hoax to me, but it is showing up on the Washington Post. -
Another Gaping Microsoft Security Hole Goes Unpatched
Newsbytes has a story about a critical vulnerability in all recent versions of Internet Explorer, which leaves your computer completely open any time you browse the web with IE. Microsoft has known about it since November 19; they refuse to provide any information about when a patch might be made available, if ever. This bug has been successfully handled by Microsoft's "Security through Obscurity" policies - since there's no public notice, Microsoft has no need to actually patch this hole which renders several hundred million computers vulnerable any time they access a web page or parse an HTML email.
For readers who care, this vulnerability results from Microsoft's integration of IE and the operating system. Files received via HTTP are supposed to be handled by examining the Content-Type header sent by the webserver - for instance, the Content-Type sent with this webpage is "text/html", identifying it as a text (non-binary) document which is marked up with HTML.
Netscape and most other browsers have no problem with this.
You will notice, however, that this method is rather different than how a Microsoft operating system determines how to handle a local file - by its three-letter extension. A file named "foo.txt" is handled as a text file, even if it is a binary image file that has been renamed for some reason.
Now, what happens when you integrate your web browser and your local browsing, say to render moot an anti-trust suit filed against your company? Will local files get a Content-Type? Will remote files be handled by examining their file extension?
IE handles files in an odd mish-mash of looking at the Content-Type sometimes for some purposes, looking at file extension sometimes for some purposes. It's hardly surprising that the bug-hunter in the above story has found a way to feed it a Content-Type at odds with the file extension - the Content-Type may be innocuous, but the extension says "execute me", so when the "integrated" IE engine gets ahold of it, the malicious content is automatically executed.
Now Microsoft has a problem. Because they chose to ignore the standard for handling downloaded files, Microsoft has painted themselves into a corner. If Microsoft suddenly changes how their browser handles downloaded files, tens of thousands (perhaps hundreds of thousands? any webpage which downloads files) of webpages "designed for IE" will have to be rewritten. No doubt this is the issue their programmers are wrestling with right now. It's a fundamental design issue - Microsoft designed their web browser with the goal of doing what was best for Microsoft (evading anti-trust charges) rather than doing what was best for their users. In fact a proper "fix" of this hole probably involves de-integrating their browser and local file handling to some extent.
If you routinely browse with Internet Explorer or read mail with Outlook, keep in mind that any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything. This has been true for at least two and a half years. And keep in mind that you can't fix the problem, you must rely on Microsoft to do it, if they so choose. And keep in mind that Microsoft is in no hurry to do anything about it, because it doesn't even consider it a vulnerability. Happy browsing!
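The Content-Type-versus-extension mismatch described above is something a proxy or gateway can check for on the way in, regardless of what the browser behind it does. The following is an added example (not code from the story or from any vendor) of that check: it treats the Content-Type header as the authority, as the standard requires, and consults the extension only to catch the dangerous combination of a "display me" declared type and an "execute me" file name. The type table, the extension sets and the sample URLs are constructed for the example.

```python
from os.path import splitext
from urllib.parse import urlparse

# Constructed table: the Content-Type a conforming server is expected to send
# for each extension. Only the handful of types the example needs are listed.
EXPECTED_BY_EXTENSION = {
    ".html": "text/html", ".htm": "text/html", ".txt": "text/plain",
    ".gif": "image/gif", ".jpg": "image/jpeg", ".eml": "message/rfc822",
    ".exe": "application/octet-stream",
}

# Constructed set: extensions a Windows shell treats as "run me" rather than
# "display me" when it falls back to extension-based handling.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".hta"}

# Declared types that mean "render this inline"; an executable name under one
# of these is the innocuous-header / dangerous-extension combination.
DISPLAY_TYPES = ("text/", "image/", "audio/", "video/")


def declared_mime(content_type):
    """Reduce 'text/html; charset=iso-8859-1' to 'text/html'."""
    return content_type.split(";", 1)[0].strip().lower()


def check_response(url, content_type):
    """Classify one (URL, Content-Type) pair as 'allow', 'warn' or 'block'.

    'block'  - executable-looking name served under a display type
    'warn'   - header and extension disagree, but nothing executable involved
    'allow'  - header and extension agree, or the extension is unknown
    """
    ext = splitext(urlparse(url).path)[1].lower()
    declared = declared_mime(content_type)
    if ext in EXECUTABLE_EXTENSIONS and declared.startswith(DISPLAY_TYPES):
        return "block"
    expected = EXPECTED_BY_EXTENSION.get(ext)
    if expected is not None and declared != expected:
        return "warn"
    return "allow"


def audit(responses):
    """Run check_response over an iterable of (url, content_type) pairs."""
    return [(url, ctype, check_response(url, ctype)) for url, ctype in responses]


if __name__ == "__main__":
    # Constructed sample responses, including the mismatch the story describes.
    sample = [
        ("http://example.test/index.html", "text/html; charset=iso-8859-1"),
        ("http://example.test/readme.exe", "text/plain"),
        ("http://example.test/photo.gif", "text/plain"),
        ("http://example.test/setup.exe", "application/octet-stream"),
    ]
    for url, ctype, verdict in audit(sample):
        print(f"{verdict:5}  {ctype:32}  {url}")
```

The interesting case is the second sample: a conforming client would display `readme.exe` as plain text, which is harmless, so the only reason to block it is that a client which consults the extension instead would run it. Putting the check in front of such clients removes the ambiguity rather than trusting them to resolve it.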
-
Fair Domain-Dispute Arbitration Firm Quits the Business
fwc writes: "According to this Newsbytes story, EResolution has decided to quit the Domain Name Dispute-Resolution business because its reputation for being fair has driven away its potential customers - the trademark holders who are filing the complaints. Apparently (and understandably) the trademark holders prefer to use those arbitrators who find for the trademark holder most of the time. Perhaps it is time for ICANN to rethink their policy." -
CA Court: Message Boards Are Opinions, Not Facts
Masem writes: "According to this Newsbytes story, a CA appeals court has issued a ruling that says that typical messages posted to internet message boards cannot be considered as libel or slander, as they inherently are framed as opinions and not as statements of fact. The case stems from rather negative comments posted by defendants about a computer reseller company on the internet; the company sued for libelous comments; lower courts did initially rule for the company, but the appeals court has overturned this. While not every message posted in a public forum is safe, the court's decision seems to convey that unless the message is framed as a form of fact, then any message posted to a public internet forum should be considered as opinion, and thus cannot be considered as a libelous comment." -
More Details of MS/DOJ Deal
There are various news articles out at most major news sites, but they're all based on this press release from the Department of Justice. The actual terms of the settlement will probably become public shortly, so I wouldn't spend a whole lot of time trying to dissect this press release. Just read it for generalities. In sum: for this whole multi-year case, which you will recall started when Microsoft refused to obey its earlier behavior restrictions, we have more behavior restrictions, lasting only five years. And if MS doesn't obey those, they'll ... be in effect longer. Update: 11/02 15:07 GMT by M : Here are the promised terms of the settlement. Now you can dissect them. :) Update: 11/02 15:53 GMT by M : The states are refusing to sign on. -
NASA Releases Classic Software To Public Domain
xpccx writes in with a bit from NewsBytes, "NASA turned 43 this month and marked the occasion by releasing more than 200 of its scientific and engineering applications for public use. The modular Fortran programs can be modified, compiled and run on most Linux platforms." The software can be found at OpenChannelSoftware.com. At long last I am ready to prepare my own space mission. I wonder if a whiskey barrel is gonna be air tight after I launch it/me into space with a trebuchet. (It's this sort of unconventional thinking that should get me my job at NASA. Or at least get me put to sleep). -
Ban on Internet Taxes to Expire
slacknet writes: "Well, it looks like the government could be lifting the ban on taxes related to the Internet, CNN reports here. While the House of Representatives has already passed a two-year extension on the ban, the Senate has not. Newsbytes.com also has an article on this matter here. I'm sure I'm not the only one who thinks this probably isn't the best time economically to be discussing any sort of additional taxes." I think Newsbytes has it right - the federal ban is likely to be reinstated soon, they just didn't get around to it this week. -
Advertisers Escalate Banner Ad War
AnonymousComrade writes: "In today's Newsbytes, there is an article about MediaBEAM GmbH, a German company that says it has developed Web server software that can detect whether a home browser is blocking banner ads or pop-ups. If the Web server detects blocking software, a message appears on the screen advising the 'free-loading' surfer that he has two choices if he wants access to the Web site's content: pay for it or be exposed to the ads. This sounds strange to me. Can they really include something in the download (Java or JS, I assume) that detects whether an ad picture has been downloaded or not? What if you have blocking S/W that not just blocks the download of the ad picture, but also modifies the HTML on-the-fly (a la the Proxomitron)? Can they really distinguish this from a remote ad server that just isn't responding? And how long will it take before ad blocking S/W is updated to block this blocking-detection mechanism?" -
New (More) Annoying Microsoft Worm Hits Net
A new worm seems to be running rampant. Unlike Code Red, it attempts to hit boxes with many different exploits (including what looks like an attempt to exploit boxes still rooted by Code Red). It looks like each IP tries 16 attempts on its neighbors. There is also a new mail worm mailing WAV files or something with bits of what appears to be the registry... it may or may not be related. Got any words on this? Shut down those Windows boxes and stop opening attachments. And make that 21. Got another one while writing this story. All my hits are coming from 208.n.n.n (where I am). I'm sure it'll keep moving to nearby boxes. Update: 09/18 16:40 GMT by J : It now has a name: "Nimda." More info here, here, and here. Here are examples of the requests it's sending:
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
While writing this story I was hit a total of 4 times, 16 GET attempts per attack. In only 4 minutes. Also of interest, my desktop has now been hit about 500 times today, all from 208.x.x.x IPs. This might be really bad. I still haven't read anything about this anywhere else, so you heard it here first ;)
Update Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served... and due to a bug in IE5, it will automatically execute the file! Yay Internet Explorer!
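The three request lines quoted above are the useful part of this story for anyone watching a web server: each one hides the same `..\` traversal to `cmd.exe` behind a different encoding (`%%35%63`, `%255c` and the overlong UTF-8 `%c1%1c` all decode to a backslash). The following is an added example, not code from the story, of an access-log scanner that normalizes those encodings before matching, so that a signature written against the decoded path catches all three variants. The log lines, IP addresses and timestamps are constructed; the request targets are the ones quoted in the story.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed Common Log Format sample: the three probes quoted in the story
# plus one benign request. The 208.0.0.10 address is a placeholder.
SAMPLE_LOG = """\
208.0.0.10 - - [18/Sep/2001:13:02:11 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
208.0.0.10 - - [18/Sep/2001:13:02:12 +0000] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
208.0.0.10 - - [18/Sep/2001:13:02:12 +0000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
10.0.0.5 - - [18/Sep/2001:13:03:00 +0000] "GET /index.html HTTP/1.0" 200 1532
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def decode_overlong(raw):
    """Collapse 2-byte sequences led by 0xC0/0xC1 into the ASCII byte they
    overlong-encode (0xC1 0x1C -> 0x5C, a backslash), the way the vulnerable
    decoder did. Everything else passes through unchanged."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def normalize_path(target, max_rounds=3):
    """Percent-decode repeatedly (bounded, so %25 chains terminate), fold
    overlong UTF-8, and turn backslashes into slashes. Assumes the decoded
    target is ASCII, which is all this example needs."""
    cur = target
    for _ in range(max_rounds):
        decoded = decode_overlong(unquote_to_bytes(cur)).decode("latin-1")
        if decoded == cur:
            break
        cur = decoded
    return cur.replace("\\", "/")


def is_traversal_probe(target):
    """True when the decoded target climbs out of the web root to cmd.exe."""
    norm = normalize_path(target).lower()
    return "../" in norm and "cmd.exe" in norm


def scan_log(text):
    """Return one record per flagged request: source IP, raw and decoded target."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_probe(m.group(4)):
            hits.append({"ip": m.group(1), "target": m.group(4),
                         "normalized": normalize_path(m.group(4))})
    return hits


def probes_per_ip(hits):
    """Count flagged requests by source address, the figure the story tracks by hand."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]}  {h["normalized"]}')
    print(probes_per_ip(hits))
```

Matching on the normalized path rather than on the raw line is the point: a signature for the literal string `%255c` would miss the `%%35%63` and `%c1%1c` forms, while the decoded `../` plus `cmd.exe` covers all three and anything else that reaches the same place.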
-
The UDRP: Is It Un-Fair.com?
typecast writes "A study of more than 3,000 UDRP decisions by a Canadian law prof. suggests that ICANN's domain-dispute resolution process may be even more unfair than Slashdot types already believe. This article says the study confirms organizations such as WIPO and the National Arbitration Forum decide most cases in favor of trademark holders. But it also says it's clear that individual arbitrators with strong "anti-cybersquatting" records are the ones most likely to be handed UDRP cases. A copy of the study and a minimal database of UDRP-panelist stats can be found at Geist's own UDRPInfo Web site." -
Slashback: Subterfuge, Rejoinder, Caution
A desire for information on Code Red and full disclosure, steganography, old game music, and an interesting bit on software patents are the reason you're reading tonight's Slashback.
Good things come in hidden pictures. Intrepid strongman Dug Song writes, in reaction to the "fairly thin" piece earlier today on steganographic analysis:
"The only cutting edge, practical work being done today in steganalysis and steganography is by Niels Provos, who gave a talk at HAL2001, and is also presenting at the USENIX security symposium tomorrow: He's been developing several interesting tools to do steganalysis during the course of his universal stego engine development: (http://www.outguess.org/) including stegbreak (which can detect images produced by all popular stego tools -- except outguess), crawl (which he's used to download 2 million JPEGs from eBay to analyze), discern (his distributed computing platform), etc."
Hushing up is not such a good answer sometimes ... Reader Brian McWilliams <brian@pc-radio.com> notes regarding the thread on Slashdot about the costs of full disclosure, "you might want to add an update linking to this story Newsbytes did a couple days ago about the Richard Smith posting. Contains responses from eEye & full disclosure advocates, as well as some more ammo from Smith."
Smith doesn't take kindly to being blamed for damages caused by security holes he publicly aired.
So you want to patent "bacon and eggs"? I guess that's OK then. You recently read about the McAfee patent on a seemingly overbroad stretch of computing transactions. Well, it's raised quite a few eyebrows among people interested in a fair computing marketplace. geoa points to this article in which "Neil McAllister in The Gate takes too long to say we shouldn't let another monopoly in the playpen."
It was soooo old ... For everyone enjoying the recent upswing in retro computing interest, Silicon Avatar writes with another tidbit: "Although not necessarily new news, I found a link today when someone mentioned Roland MT-32 to me. Starting with Space Quest IV, Sierra games were written to use either the Adlib soundcard or the Roland MT-32 'soundcard.' Quest Studios seems to have repository of MANY of those songs, including the 'lounge tape' I once had but lost!"
Put that in your souped up underclocked emulator and smoke it.
-
VeriSign Accuses Competitors Of 'Slamming'
Da_Big_G writes: "Newsbytes is carrying this story about how Verisign (owner of Network Solutions) is accusing other registrars (particularly register.com and Tucows/OpenSRS) of impropriety in transferring domains. This is in response to those registrars' complaints over Verisign's new transfer procedure which makes it nearly impossible to transfer a domain away from NetSlo." sally_tor supplied more URLs: Verisign's complaint letter, and a draft response in the making. So let's get this straight: Verisign charges 5 times more than other registrars do, provides much worse service (for instance, my preferred domain registrar provides DNS service, email redirection, prompt web-based changes - all for $12/year), is now interfering with transfers by requiring additional "confirmations" via a system that doesn't accept those confirmations, holds onto domain names after they expire so that it can a) sell the names themselves for inflated prices and b) sell the service of watching for the names to expire, and they have the gall to complain that people are leaving them for other registrars! -
Appeals Court Sets Guidelines for Penetrating Anonymity Online
stuccoguy writes: "The New Jersey Appeals Court issued an opinion protecting the anonymity of an Internet poster. In a victory for privacy online, the court established a four step series of guidelines for courts and ISPs faced with requests to compromise the identity of anonymous posters." The lawyers Newsbytes contacted seem to think it likely that this procedure will be taken up by other courts. -
"Smart Tags," Round Two
A few more stories about "Smart Tags" (see round 1 if you missed it) -- Liza writes: "According to Newsbytes, a new feature in IE 6.0, "Smart Tags," which inserts hyperlinks into pages so that users can get more information about a concept or company, could violate both copyright law and federal rules prohibiting deceptive and unfair business practices. Microsoft says site operators could insert a metatag disabling Smart Tags, so concerned publishers could avoid them. Interesting questions!" Meanwhile, ZDNet has a nice piece examining smart tags in action. -
Congress@Work
BoKnowsBeer writes: "H.R. 1486 - Sponsor: Rep Grucci, Felix J., Jr. Title: To amend section 254 of the Communications Act of 1934 to require schools and libraries receiving universal service assistance to block access to Internet services that enable users to access the World Wide Web and transfer electronic mail in an anonymous manner." Grucci is quoted as saying privacy sites are used to recruit children into militant, pro-environmental causes. I want some of what he's been smoking. Meanwhile, Representative Billy Tauzin, who has forgotten that he lives in the U.S., put forward HR 2420, which will eliminate all of the requirements on the Baby Bell companies which keep them from destroying the competing exchange carriers, and finish off any remaining competition from DSL carriers such as Covad and Northpoint, which would no longer be permitted to lease space in the telcos' Central Offices for their DSL equipment. But the CLECs are rallying - they went to their congressmen, handed them the requisite bags of cash, and got their own bill to rally behind. -
ICraveTV II - Canadian showdown
typecast writes "It's taken nearly 10 months, but this story says JumpTV is finally just some not-so-short hearings away from what could be an entirely legal (in Canada) version of iCraveTV. But the company says it probably won't wait for the hearings to end to begin Webcasting off-the-air TV signals live on the Net ... using its technology to reduce that iCraveTV-like "leakage" into the U.S. If JumpTV's border control technology can keep the MPAA out, could it keep French Nazi hunters away from Yahoo!'s servers?" -
Optical Fiber Storage
TypeCast writes "When you've got Canada's elbow room, perhaps you can squeeze in a 'disk drive' 5,000 miles in diameter. But the plan by Canada's CANARIE researchers for a Wavelength Disk Drive (WDD) within optical networks suggests all of Universal Music's library would still make for a tight squeeze as light-speed storage. Here's a white paper on the WDD for those who aren't afraid of MS Word documents." -
AOL Still Working On AIM Security Hole
TeacherReviews.com writes: "According to this article at Newsbytes, AOL has been aware that users' screen names and credit cards can be stolen from not only AIM 4.3, but earlier versions of the instant messenger as well. This problem, which allegedly can happen to any AIM user, was first made public by Inside-AOL.com months ago, but AOL decided not to respond until this Thursday under increased pressure from Inside-AOL.com and other media." This is just the kind of news I could do without, having recently been persuaded to register with AIM and give GAIM a try. -
Internet Usage Records Accessible Under FOI Laws
thehawk writes: "In what could be a landmark decision in the area of online privacy rights, a New Hampshire court granted the father of a public school student the right to obtain Internet usage records of all students who used computers and Web access supplied by the school district. The district was also ordered not to withhold records that may be requested in the future and was forced to pay plaintiff's attorney's fees...." The New York Times also has a story on this. The records in question are log files created by the schools' proxy servers of what URLs are accessed by the student body. The school district in question isn't censoring Internet access with any sort of censorware product (they use teachers to monitor what students are accessing), and the parent would like to prove that the students are accessing porn sites. I do not believe it is an invasion of privacy to access these records; if there was an invasion of privacy, it occurred when the school district collected the records on their students, not when someone else requested to see them.
Some comments of mine that didn't make it into the Times article: I hope that this situation casts some light on Internet usage at public facilities. Many, many Internet services are set up to create detailed log files by default -- proxy servers, Web servers, various login mechanisms and authentication mechanisms, etc. These records are being collected, and they are just lying around on machines or tape backups here and there, and they are, if the entity that collected them is a public entity, public records accessible under FOI laws. If you want to prove that your local school/library shouldn't be censoring the Internet, request the records. (I'll help! E-mail me.) If you want to prove that your local school/library should be censoring the Internet, well, I won't help, but I still support your right to get access to public files.
And while this situation is about records collected by public entities, the same records are routinely collected by private entities as well. Is your Web access going through a proxy server at your ISP? (The answer is more likely to be "yes" than "no," by the way -- a proxy can be installed that is transparent to the end-user.) Then your ISP is collecting detailed records of every single URL you access through their service. How long are these records being retained? Who is the ISP selling them to? Do you know?
-
Cyber-Squatter Mentality: Greed In Action!
bugnuts writes: "A pseudo-cyber-squatter is showing typical mentality of greed by suing ICANN for defamation. ICANN warned that TLDs were not decided, because some companies were selling preregistered domains with no clue what those domains will be. The suit claims that this warning was defamatory." Now I've seen it all - scammers suing ICANN for warning people about their scam. -
Mandated Mediocrity
I took some time over the last few days to sample what kind of political speech is censored by a typical filtering software package. The result is a report released jointly by EPIC (EPIC's copy) and Peacefire (Peacefire's copy). The software this time is N2H2 Bess, and if you're an American K-12 student, there's roughly a one-in-three chance you're forced to surf the net with its 'help.' It bans political speech ranging from campaign finance reform to the Second Amendment to Minnesota newspapers' election coverage. My favorite block was the Traditional Values Coalition. Can I say "you reap what you sow" or would that just be rude?
In other news:
(an unrelated) Coalition To Promote Voluntary Net Filtering, Standards
"A new coalition of high-tech companies and industry groups is hoping to shift the focus of the national debate over Internet filtering by promoting the value of filtering software as an exclusively voluntary parental tool. ... the Committee on Internet Management and Safety will tout the value of filtering products while at the same time opposing legally mandated filtering."
Did they say "exclusively voluntary"? Good on 'em! Let's have a real debate about the value of this software, so that people can make up their own minds rather than having the government decide what's best for our schools and libraries. A level playing field would be a lot better than what we have now.
-
Default Behavior: Piranha vs. Microsoft SQL Server
Do you remember the Piranha debacle back in April? Welcome to Part II. Last Tuesday, it was revealed that Microsoft SQL Server 7.0 is shipped with a default password - just like Red Hat's piranha module. Unlike Piranha, SQL Server is very common software for large e-business websites. Unlike Piranha, the vulnerable software has been shipping for months. Unlike Red Hat, Microsoft refuses to take responsibility for their mistake, which, unlike Red Hat's, has resulted in actual documented break-ins, some at high-profile websites. So why haven't you read about it? Because unlike Red Hat, Microsoft is getting a pass by the media.
Piranha is web clustering/failover software that was released in April by Red Hat without much QA. It somehow went out the door with a default password ("Q") and without docs explaining in big bold caps that it must be changed. If you installed the Piranha RPM without reading the docs carefully, you had a security hole on your site.
The hole allowed an attacker to come in over port 80 and execute arbitrary commands as the Piranha user, which would have been the web user. Typically that's a nonprivileged "nobody" account. While this is never good, let's just note for the record that this is a read-only exploit unless the webserver is very poorly configured.
The media flipped, in a word, out.
Piranha: A Case Study
On April 25, Computerworld announced that the "backdoor password ... could allow an attacker to compromise a Web server and deface and destroy a Web site." Informationweek and Internetweek both warned about "a back-door security flaw that carries ISS's highest danger rating." MSNBC/ZDNET ran the story as "Red Hat Linux open to backdoor password" and explained "there's a backdoor account in Red Hat's Linux that would let a computer intruder access and alter files." The Standard's early report on April 25 wasn't too bad but attacked -- as all reports did to some degree -- the strawman myth that open source is inherently secure. At least it didn't use the word "backdoor." Newsbytes was pretty much the same.
"Backdoor" implies that the flaw was deliberately inserted, by a thoughtless or even malicious programmer. Why did most stories incorrectly use that word? Mostly because that was how it was described in the press release. A security firm called Internet Security Systems found the flaw on April 24 and sent out a security advisory that used the term four times by the end of the first paragraph.
ISS also made some interesting statements when speaking to the press about the vulnerability. Oft-quoted was a line about open-source being both a blessing and a curse (the media loves "on the one hand, on the other hand"). I also liked this comment from their research director:
"There's limited quality assurance in the open-source environment," says Rouland, "because open-source software is basically a bunch of peoples' hobby."
Of the early stories about Piranha, the best one I found was Henry Kingman's ZDNet piece on April 24 (both early and accurate: amazing). CNET's on April 25 wasn't bad either, though they let ISS lay down the anti-open-source and pro-Microsoft propaganda a little thick.
In the days to come, the story didn't change much except to note that Red Hat -- correctly, as it turned out -- denied the seriousness of the vulnerability and tried to explain that it wasn't really a backdoor. Inter@ctive Week's Charles Babcock did such a piece on May 1.
Computer Reseller News still called it a backdoor on April 27. And NetworkWorldFusion's report and Informationweek's followup both came out on May 1, both got the important facts right, but both still called it a backdoor.
ClieNT Server News ran an article in their May issue explaining "Red Hat Red-Faced." I'm not about to pay to read the whole thing. The free synopsis that's available smirks at how "embarrassed" the company must be, and ends: "It seems that Red Hat left a back door in," dot, dot, dot.
The Standard had a second, fair piece that eschewed the term and even, after quoting the line about open-source being a "hobby," gently suggested otherwise.
But the gold stars go to just two good reports. SecurityFocus' Elias Levy, on May 1, turned the spotlight on ISS by pointing out how they "...can make headlines by using the right jargon, even when it's wrong." And Linux World News' Liz Coolbaugh, who had weighed in a few days earlier, questioning the media's coverage in her story "Red Hat Security Hole Not a 'Backdoor'."
If you find any more stories about Piranha, post them below. The Red Hat-bashing pretty much came to a halt a week later, when a little Microsoft-specific email virus named "ILOVEYOU" did a few billion dollars' worth of damage.
(Breaking news: all charges dropped; to quote 10,000 Maniacs, "who ya wanna blame?")
Microsoft SQL Server 7.0
You've heard about the SQL Server vulnerability, right? The one found on Tuesday, six days ago?
Well, no, you probably haven't, unless you read NTBugtraq. Even the maintainer of SecurityPortal's Microsoft Security Digest missed it this week (don't worry: I dropped him a note, he added it).
As the cracker Herbless describes it:
"It has come to light that it is now common knowledge that MS-SQL has a blank 'sa' password by default. This seems to affect a _lot_ of servers on the internet."
A default password vulnerability? Sounds familiar, doesn't it?
Here's Herbless's description and exploit code, posted to BugTraq last Tuesday. And here's Microsoft's acknowledgement, posted on Thursday.
Herbless wasn't kidding when he said it affected a lot of servers. If you're running SQL Server 7.0, with a firewall that doesn't block its port, and you haven't changed the sysadmin password, you're vulnerable.
As he described it to me, unlike Piranha's vulnerability which gave read-only access as an unprivileged user, this one typically gives access as "BUILTIN\System." I don't speak NT, so he had to describe to me what this is: "god-like powers ... greater than those of even the 'Administrator' user."
In other words, you have been 0wn3d.
You may be thinking that this is a vulnerability. Go back and read Microsoft's acknowledgement again. They say quite clearly, "The code does not exploit a vulnerability."
Does it confuse you that what was previously a "backdoor" is now not even a "vulnerability"? That threw me for a loop too -- as well as some of Microsoft's other disclaimers, which only make sense when you realize you're reading non-sequiturs about the newer version SQL Server 2000 (the vulnerability only affects SQL Server 7.0).
All will become clear, though, once you read this story from vnunet.com -- the only media story I've seen, by the way. The fault lies with the website administrators:
"Hacked websites 'didn't read the manual'
"Microsoft has blamed administrator error, rather than a bug in its software, for leaving hundreds of websites running SQL server open to attack this week."
Did they say hundreds? Yes, hundreds, at the very least. And did they say "hacked websites"? Yes -- this is not a theoretical vulnerability with no known attacks, like Piranha was.
All this month, Herbless has been cracking into websites like the National Transportation Safety Board and leaving edgy political messages (while backing up the original files and telling the admins how to close the holes). He confirmed to me that all his attacks, including the Fish and Wildlife Service, the UK's Adult Learning Inspectorate, and the Commonwealth Telecommunications Organisation, were done by exploiting Microsoft SQL Server.
Just to make the story that much better, according to Herbless, the default configuration of SQL Server 7.0 also has logging turned off -- in which case a successful attack would leave few if any tracks.
Sites are lucky if their webpages are hijacked; that way they know to fix the problem, format and reinstall. But some of those "hundreds" of websites running the vulnerable installation have surely been cracked by black hats who quietly installed Back Orifice or a similar remote-exploit program. They can set an SQL Server password, but it won't help them: they'll still be 0wn3d.
The proper fix would be to force the password to be changed before the software can be used, as Piranha now does. Wayne Sowery of MIS Corporate Defence Solutions confirmed for me that "versions up to SQL Server 2000 do not ask for the SA password during installation ... we also tried various install options such as 'typical' and 'custom,' neither prompted for a new SA password." Incidentally, he too questions whether this is properly described as a "vulnerability," but I'm not sure what else it could be called.
The lesson here is that the media doesn't treat security reports very fairly. Some organizations have their own selfish reasons to push one agenda or another. (Like Slashdot? You bet. But you know where we stand.)
The motive doesn't have to be that devious, though sometimes, of course, it is. If a reporter gets to write a story that questions a core belief of Linux zealots -- whether or not it's actually a core belief, and whether or not they're actually zealots -- that will be much more attractive than simply reporting security news. The nitty-gritty of security news, after all, is rather dry.
So next time you see a biased polemic about system security, or even a small media feeding frenzy about the latest exploit, take a moment to ask why it's being reported outside of the admins' mailing lists. Open source software is still a new idea to many in the traditional news media, and that means that it's a hook for them to hang any kind of story on -- good or bad.
-
French Court To Yahoo!: Dump Nazi-Related Auctions
frinsore, John Leeming and several other readers passed on word of the decision of a French court that Yahoo is responsible for making it impossible for French citizens to access auctions featuring Nazi-related items. As John writes, "It appears France is now defining censorship on U.S. Web sites; in particular, Yahoo! and its auction sites. For all those who have in the past believed immunity of action exists because you live in a different country or under different laws, this CNN/Reuters article is an interesting glimpse into future international jurisdiction problems for the Internet, and why we need to watch for the manner in which governments decide to deal with it." Here's NewsBytes' coverage of the same story. -
MSIE's Cookies Are Public
If you're using Microsoft Internet Explorer running on Microsoft Windows, turn off Javascript now. Your cookie file is readable by any hostile website. Or, if you'd like to see the security hole in action, leave Javascript on and check it out: "Open Cookie Jar."
Peacefire webmaster Bennett Haselton is on a roll. After discovering yesterday's Hotmail hole, today he's published his discovery that MSIE's Javascript contains a bug that allows any hostile website to obtain your cookies.
Essentially the bug is that MSIE's Javascript is not very smart about determining which domain you're coming from. If the URL you're looking at has its "/" characters replaced by the hex representation "%2f", it can be fooled into thinking your path is actually a very long machine name. Because it interprets that path wrongly, a well-placed ".yahoo.com" in the URL can make Javascript think it should be using Yahoo's cookies - and Javascript can be told to deliver those cookies back to the hostile server.
Bennett and I believe the bug is confined to the Javascript code in MSIE, but we have not done extensive testing to determine this. For now, at least, we believe turning off Javascript will be sufficient to eliminate this security hole.
Or, you could migrate to another browser or operating system...
We have only tested this with IE 5, and Windows 95/98. Reports of success or failure with other versions would be welcome.
After Bennett explained to me how this works, I wrote a short CGI script to demonstrate what lurks in cookie files. Instead of silently stealing your private information and squirreling it away for later use, it echoes that information back to you (and then forgets it, of course). Updated: That script has been rewritten by and is now hosted at securityspace.com. For best results, first go log into amazon.com, type your zip code into hollywood.com, and visit playboy.com. Then go visit securityspace's general info page and click the "click here."
Newsbytes and CNET have picked up this story and have good writeups.
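The host-name confusion described above, as an added illustration that is not code from the original story or from Peacefire: a naive host extractor that stops at the first literal "/" (modelled on the behaviour described, without decoding) is compared with the platform URL parser, and both feed the same cookie-domain check. The URL, host names and cookie domain are constructed for illustration; the defender's point is that the host used for an access decision must come from the same canonical parse as everything else.

```javascript
// Added example, not code from the original story: two ways of deciding which host
// a URL belongs to, applied to the "%2f" URL shape the story describes. The host
// names, paths and cookie domain below are constructed for illustration.

// Naive extraction modelled on the behaviour described above: everything between
// "://" and the first literal "/" is treated as the machine name, with no
// percent-decoding, so "%2f"-encoded separators are swallowed into the "host".
function naiveHost(url) {
  const start = url.indexOf("://");
  if (start === -1) return null;
  const rest = url.slice(start + 3);
  const slash = rest.indexOf("/");
  return slash === -1 ? rest : rest.slice(0, slash);
}

// Robust extraction: delegate to the platform URL parser (WHATWG URL, available in
// browsers and Node). It percent-decodes the authority before validating it and
// rejects a host containing a forbidden character such as "/", so the answer is
// either the true host or no host at all, never an attacker-shaped string.
function strictHost(url) {
  try {
    return new URL(url).hostname;
  } catch {
    return null; // unparseable URL: fail closed
  }
}

// Classic domain-attribute matching: a cookie scoped to ".yahoo.com" is visible to
// "yahoo.com" itself and to any host that ends with ".yahoo.com".
function cookieDomainMatches(host, cookieDomain) {
  if (host === null) return false;
  const bare = cookieDomain.replace(/^\./, "");
  return host === bare || host.endsWith("." + bare);
}

// The security decision: may a page at `url` read cookies scoped to `cookieDomain`?
// The only difference between the safe and the unsafe answer is which host
// extractor feeds the comparison.
function cookieAccessAllowed(url, cookieDomain, hostOf) {
  return cookieDomainMatches(hostOf(url), cookieDomain);
}

// Constructed URL in the shape the story describes: the path separators are encoded
// as "%2f", and the text before the first real "/" ends in ".yahoo.com".
const CONFUSING_URL = "http://other.example%2fpages%2fjar.html.yahoo.com/";

// Ordinary URL for comparison: an encoded slash appears only inside the real path.
const ORDINARY_URL = "http://other.example/pages%2f.yahoo.com/";

// Naive parsing grants the confusing URL access to ".yahoo.com" cookies; the strict
// parse refuses the URL outright, and both agree the ordinary URL gets no access.
console.log(cookieAccessAllowed(CONFUSING_URL, ".yahoo.com", naiveHost));  // true
console.log(cookieAccessAllowed(CONFUSING_URL, ".yahoo.com", strictHost)); // false
console.log(cookieAccessAllowed(ORDINARY_URL, ".yahoo.com", naiveHost));   // false
console.log(cookieAccessAllowed(ORDINARY_URL, ".yahoo.com", strictHost));  // false
```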
-
ICANN Board Election Results
Soko writes "One American on the ICANN board so far, folks. Newsbytes has this report." We could do worse than Vint Cerf, but there's still some concern among U.S. politicians that "we" don't have enough representation. From the story: "House Commerce Committee Chairman Thomas Bliley, R-Va., last week said that it would be 'unfortunate' if the United States were underrepresented on the ICANN board. Because the United States still has the majority of Internet users and businesses and because of the nation's leadership role in inventing and promoting the Internet, the US should be well represented on the ICANN board, he said." -
AOL eventually to use Netscape's browser
AOL bought Netscape to gain an advantage by integrating the features of its portal with the browser, something that Netscape's been doing with its Netcenter portal. This would allow AOL to move back to being a proprietary, fee-based online service... something MSN tried and failed at. Interestingly, there will be little for Barksdale and Andreessen to do, once AOL takes over... Time to set up a Mozilla based startup? In related news, Sun's McNealy disputed Microsoft's claim that the Sun-AOL-Netscape deal changes anything about the DOJ court case. Update: I wonder what all this will do for newhoo, and Red Hat, both of whom have received Netscape investments.