Slashdot Mirror

Security is never simple, The problem is that when you are securing a system you must secure the hole system against a planned attack. What this means? This means that is not only a choice of witch cryptographic algorithm you are going to use, this means that to create a secure system you must think about how keys are going to be created, how they are going to be exchanged, what side-channels might exists in the transaction and so on.

Just as an anecdote history, ssh was found to be leaking information about passwords, even if the attacker could not decrypt the data passing in the wire. The attacker would time the packets going out and in. If there were packets coming out the client side and none going in, this would mean that the data in this particular traffic was not being echoed and was probably a password. The timing between each packet leaving the client machine would show to the "bad guy" how "far" (in a sense) apart the consecutive keys were in the key board. With these timings he could plan his brute force attack, to try a much lower number of attempts.

The ssh hackers simply changed the software so it will transmit fake echo when you're in a no-echo situation, a simple fix. But this illustrate how something that most people would never think could turn into a bad problem. Secure systems must be very carefully planed and checked by third parties, the more the better. It aways easy to think about something that you would never break, that doesn't imply that it is secure.

sources:
http://www.crypto.com/papers/jbug-Usenix06-final.p df
http://www.securityfocus.com/columnists/375/2 (see the question "Did you develop any measure to fight timing based attacks?")

One answer to that would be "to make sure it doesn't happen again in the future." The best way to ensure that is to make sure all the other professors know that they'll be fired (regardless of tenure) if they do such a thing in the future, and the only way to demonstrate that is by firing this professor now.

You really don't know how it works, do you? It is NEARLY impossible to fire a tenured professor. In fact, in order to fire this one, he would have to be actively using or selling the SSNs.

Even worse, You may not be able to immediately fire an untenured professor for this, depending on how the contract with the union is written. In either case, I suspect you can't do anything to someone for having something stolen from their home.

Yes, the data security was very lax there, as it is at ALL major institutions, regardless of type. In fact, most universities have very good systems in place compared to, say, the military. You have probably heard of some of those cases, like that famed British hacker who hit 'Enter' at the password prompt and now faces hacking charges?

The Month of Kernel Bugs is the brainchild of a security researcher and contributor to the Metasploit Project who uses the moniker "L.M.H."

Already been done.

For the record, Diebold has only been in the election machine business since 2001. They only make direct-recording electronic (DRE) machines, and have never produced paper ballot readers or any other equipment other than electronic machines and electronic pollbooks. Here is a good historical overview of Diebold's election activities.

There are a number of points that are completely missed or misunderstood in the discussion of election hardware, and why so many jurisdictions have moved to such questionable devices. The story of what has happened is a case study in how the federal government creates a royal mess from good intentions.

After the debacle of Florida 2000 Congress passed the Help America Vote Act (HAVA), which was designed to prevent such a thing from happening again. Of course the problems in Florida were not caused by faulty election equipment but by poorly designed ballots.

Of all the parts to the eqatuation in FL 2000 (voting machines, ballots, election process, registration, administration, etc) it was the ballots that were at fault, and the administration of the resulting dispute that created the big issue. I still believe that if Al Gore had accepted (or insisted upon) a statewide recount of Florida rather than trying to game county-level results he would have won Florida, and the presidency.

Instead the POTUS (President of the US) was effectively elected by the Supreme Court. And that led rather directly to HAVA -- a federal law wherein the federal government assumes authoritah over the states on issues concerning election procedures, quite contrary to strict readings of the Constitution.

The Constitution clearly gives the states power to handle their own electoral affairs, but at the same time gives the federal government power to distribute funds, and to set requirements on the distribution. Through HAVA, Washington pledges a ton of money to each state and local jusrisdiction to upgrade their election hardware to something that is compliant with HAVA, but the requirements only apply to election for federal office -- ie President and Congress. But since it's too much trouble to maintain separate election system for fedreal and local offices, and too much money to ignore, all states are scrambling towards HAVA compliance.

Diebold comes in because of a rather ill-thought clause in HAVA -- Section 301. This requires that HAVA-compliant hardware meet the needs of blind voters in allowing them to 1) cast a ballot without assistance, and 2) to review and change ballot selections before casting the ballot.

As of 2000, blind voters cast ballots with the assistance of two election judges (in jurisdictions that did not require Braille ballots). HAVA requires that all blind voters have audio ballots. Which means many effective and accurate voting systems and procedures are no longer valid.

Once HAVA was passed, Diebold saw a business opportunity in US election systems (they had previously sold electyion hardware to Brazil). Diebold could certainly deliver counting machines with audio capability, and naturally they theough that security requirements for ATMs were analogous to those for election systems.

The points of this whole rant are 1) Diebold gets a lot of deserved blame for producing faulty hardware, and a lot of undeserved blame for commiting mass electoral fraud (remember that they didn't have any election hardware in 2000); 2) All DRE machines (with or without paper trail) are subject to problems and errors; and 3) the voting process is sound, even if the equipment has flaws.

Make sure you vote on November 7, make sure if you're using a DRE machine that your vote is properly recorded, and make sure you have some sympathy for the sorely undertrained and underpaid election judges at your precinct.

And don't complain if you don't vote.

Credit where credit is due: this article is from SecurityFocus. The Register just scraped it.

http://www.securityfocus.com/news/11420

http://www.securityfocus.com/brief/161

Pretty stupid blunder.... but it applies only to version 5.10. Plus, it was already fixed by the time that securityfocus article hit the press last March.

I want to see some coverage of stupid holes in Linux

http://www.securityfocus.com/brief/161
http://www.eweek.com/article2/0,4149,1530875,00.as p
http://news.zdnet.co.uk/software/0,1000000121,3911 7586,00.htm

It is well worth reading the following: http://www.securityfocus.com/columnists/420/1 since it discusses the upcoming MS Windows Vista Eula which mainly appears to define what you can't do. This is a fairly easy read (3 pages) although if you follow the links you could waste the rest of the day.

From the article I think the best quote is " The draconian limitations I've discussed could only be enacted by a monopoly unafraid of alienating its users, as it feels they have no other alternative. Microsoft may yet learn, however, that there are limits to what its users will bear. "

For those who don't want to read the article I think it is best summed up by "You're hosed".

it's much more fun watching it reboot in QEMU (or VMWare, or perhaps Xen if you can get it to work, or...)

An anonymous reader writes (and /. copies into the lead-up to this story):

SecurityFocus reports an unpatched highly critical vulnerability in Firefox 2.0. This defect has been known since June 2006 but no patch has yet been made available. The developers claimed to have fixed the problem in 1.5.0.5 according to Secunia, but the problem still exists in 2.0 according to SecurityFocus (and I have witnessed the crash personally).

When I tried the link in the article Secunia points to as an exploit of that bug, I see that it tells me there are two testcases, one of which was fixed in Firefox 1.5.0.7 and 2.0 and the other is called "a denial-of-service condition that is an annoyance, but is not exploitable to compromise your system" but remains unfixed.

If security is the main reason users should switch to Firefox, how do we explain known vulnerabilities remaining unpatched across major releases?

This is the more important of the two questions and the easier to answer: security is not the main reason users should switch to any free software web browser (including, but not limited to, Firefox). Users should switch to a free software browser because users should switch to free software, and browsers are an important part of modern-day computing. Despite Mozilla's focus on "open source" values (speedy development, fewer bugs, other values that are designed to appeal chiefly to business managers) which are sometimes simply lies (as one can see with the bug that the anonymous poster brings up here), that's not the reason to value any free software. One ought to value Firefox as a contribution to a free society where people can treat friends as friends and build communities who share without having to do so in the dark in fear of being discovered as copyright infringers. Mozilla won't tell you this; they're too busy pushing aside software freedom for its own sake to talk about this. It's unfortunate they have not taken any time to teach their audience this while Microsoft worked on MSIE7. Ironically, software freedom is the one thing Firefox will always have over MSIE for as long as Firefox remains free software and MSIE remains proprietary; technical features can be reimplemented and even patented to prevent competition, but software freedom is something no proprietor can deliver. Catering to businesses who distribute free software can be helpful but such interests remain shallow.

"Maryland's security team then leaked the code to external people and used the incident to claim that Diebold's security is awful..."

There is no actual proof that it happened this way. References to labels and 'documents' don't connect these disks with Maryland. It could have happened anywhere along the chain. It isn't the first time Diebold software has leaked.

"A team led by Avi Rubin, technical director of the Information Security Institute at Johns Hopkins, examined the machines' source code, which a Diebold worker anonymously published on the Internet earlier this year"

"The FTP button gave total access to anonymous users, allowing anyone to download and apparently, upload to the server. The FTP site contained no copyright statement, asked for no user name, put locks on no directories. Visitors from anywhere in the world could simply walk in the front door."

"Last week's revelation by Diebold that its automated teller machines (ATMs) operated by two financial services customers were struck by the W32/Nachi worm"

http://www.securityfocus.com/bid/19181 It's not like Mozilla suite is untouchable either.

And for the people that voted my post yesterday as "redundant" without trying the URL, Microsoft has retaliated by releasing a new version of IE7 available at http://www.ie7.com./

ISPs that tolerate insecure computers need to get blocked. Blocked from everything. It COULD happen, if Comcast and AT&T both decide they've had enough.

This would have the added benefit of stopping a lot of spam.

Yes, RBLs didn't get rid of spam. But they sure did (do) help. And a good part of the reason they don't work better is botnets. (remember Blue Security?

-Daniel

This was forwarded by our Sec Admin tonight in case you haven't seen it: http://www.securityfocus.com/bid/20249

Members of the audience assumed that the two presenters were having a bit of fun, rather than actually criticizing the Mozilla browser's code.

"I wasn't pay much attention to what they said they had, because the whole thing was coming across as a comedy show," said Mark Loveless, security architect for Vernier Networks, who saw the presentation. "They had a whole bunch of things in there that was intended to be a joke, trying to get laughs. I didn't have any problems with the talk, I thought it was hilarious, and I didn't take is seriously."

The presentation came a week after security firm Symantec, the owner of SecurityFocus, released its bi-annual Internet Security Threat Report, which found--among other trends--that Mozilla's browsers had the most vulnerabilities. While 47 flaws were found in the open-source browser, only 38 were disclosed by Microsoft for its Internet Explorer browser during the same period.

However, the data also showed the Mozilla fixed its vulnerabilities much more quickly. The metric used by Symnatec, termed "window of exposure," measures the time a company takes to patch a flaw in its software, starting from the moment a public exploit is released for the vulnerability. Microsoft took nine days on average--the slowest time--to patch its browser, while Mozilla fixed the flaws in its browser in a single day on average--the fastest time.

Security focus is quoting Mozilla developer blogs to claim that the demo was a hoax. Dont know if the demo is a hoax or this report is a hoax. Another UK site too is claiming that it is a joke. But on the otherhand thousands of newspapers and websites and blogs are claiming that Firefox is so broken it is unfixable.

meh. screwed up the post. no coffee yet this morning.
exploit code

Gadi Evron's post on Bugtraq

  Third party fix.

See if you are vulnerable.

In other news, according to SANS, there is publicly available exploit code out there for the new setSlice bug. According to Gadi Evron's post, "there's a rootkit, some malware, and haxdor". There's a third party (easily reversable) fix , and a way to test if your browser is vulnerable here.

Isn't it plausible that your "anonymous" Hotmail accounts / multiple profiles could be cross-referenced by your IP address? Since ISP records are increasingly making their way into the public domain, such cross-referencing would seem inevitable.

Just like cell-phone records are now commercially available, it's probably only a matter of time before someone starts selling databases that cross-reference IP addresses to online account aliases.

FAQ document here: http://blogs.securiteam.com/?p=640

Hmm... people don't often use Lynx (another text-based browser) anymore, yet it still has had vulnerabilites. This is depsite the fact that it doesn't have nearly as many features as pretty much any GUI based web browser. (note: feature count is merely speculation, IANA(Lynx expert))

I'd have to vote for Matrix Reloaded with "sshnuke": http://www.securityfocus.com/print/news/4831 .

Have you ever heard of IP Spoofing? It can take numerous forms. The second link describes how someone anywhere on the internet can use your IP number and have all the data sent to their computer. The technique will work even when your computer is powered off.

There is also the potential for someone to hijack your computer and use it to trade copyrighted material. Or they could hijack a router and use your IP number to evade detection. Or they could hijack your neighbor's computer and use a less sophisticated form of IP spoofing.

You may claim that these arguments are "ludicrous", but certainly someone who wishes to illegally stick it to the record companies would take some basic steps to cover their tracks (e.g. download the tools to perform the above-mentioned attacks).

Open wireless access points are attractive nuisances.

Someone can register with the copyright office as an Internet Service Provider to receive safe-haven from copyright claims due to the actions of people who use their network. But even without registering a person can still use the ISP defense.

there is a very logical way of establishing what the "p2p'er" was sharing was infringing

To prove copyright infringement, the plantiff must prove that the defendant exercised one of the copyright holder's six exclusive rights. In this case the RIAA is trying to prove distribution. To prove their case the RIAA must prove that the copyrighted work was actually distributed. It is not unreasonable to believe that the defendant put up a set of files which nobody ever tried to download, much less that they were successful. Certainly the RIAA must have tried to download the files as doing so would bolster their case in court. If they could not do so it is likely something is wrong with the defendant's system which prevents the 27 missing files from being transferred.

I had not even considered the free speech issue. That issue is even bigger than the child porn issue.

Whenever you hear anyone mention child porn, you must always consider the free speech issue, because almost any proposed solution for the child porn problem involves abridging the freedom of speech. As you've just discovered, it's an easy mistake to make.

Just as the USA PATRIOT Act was intended* to enable law enforcement to combat terrorism, but has been used for unrelated purposes, any law passed to combat child pornography will be used for unrelated purposes.

* Of course, some people believe that the USA PATRIOT Act was not actually intended to combat terrorism, but was in fact intended to restrict our civil liberties, using fighting terrorism as a cover to sell it to the American public. I would be surprised if significant portions of the bill hadn't already been drafted prior to 9/11/01, just waiting for a suitable justification to present itself.

RealVNC Remote Authentication Bypass Vulnerability

RealVNC is susceptible to an authentication-bypass vulnerability. This issue is due to a flaw in the authentication process of the affected package.

Exploiting this issue allows attackers to gain unauthenticated, remote access to the VNC servers.

Not to mention by default VNC is unencrypted... unless you tunnel it - and how might one tunnel it? Hmmmm...

Your link points out that IE7 is vulnerable but it will prompt you to run the ActiveX control before hosing your system. From the average user's point of view, they get a message asking to run something created and signed by Microsoft for the page to load. Tell me how many average users, even the relatively computer saavy, will allow the control to run?

Throwing a constant barrage of OS/browser security pop-ups on the screen does not make it secure. Making it so that at exploitable control can be completely removed and not just "effectively removed" from the system helps make the system more secure but this is just a workaround. If the control was designed to be able to grant system level privileges to a web page than it's time to go back to the proverbial drawing board.

If it wasn't designed that way, then patch it when you first hear about it over a month ago and stop complaining about people releasing it to the public. I would rather have everyone know about it than have just Microsoft, a few security people, and several black hats knowing.

why not post these:

Linux Kernel SMBFS CHRoot Security Restriction Bypass
Linux Kernel SCTP Multiple Remote Denial of Service
Apple Mac OS X KExtLoad Format String Weakness
Mozilla Firefox JavaScript Handler Race Condition Memory Corruption Vulnerability

why not post these:

Linux Kernel SMBFS CHRoot Security Restriction Bypass
Linux Kernel SCTP Multiple Remote Denial of Service
Apple Mac OS X KExtLoad Format String Weakness
Mozilla Firefox JavaScript Handler Race Condition Memory Corruption Vulnerability

why not post these:

Linux Kernel SMBFS CHRoot Security Restriction Bypass
Linux Kernel SCTP Multiple Remote Denial of Service
Apple Mac OS X KExtLoad Format String Weakness
Mozilla Firefox JavaScript Handler Race Condition Memory Corruption Vulnerability

why not post these:

Linux Kernel SMBFS CHRoot Security Restriction Bypass
Linux Kernel SCTP Multiple Remote Denial of Service
Apple Mac OS X KExtLoad Format String Weakness
Mozilla Firefox JavaScript Handler Race Condition Memory Corruption Vulnerability

Not necessarily.

Some gPDF vulnerabilities.

I didn't find any Evince vulnerabilities in my limited search, but that doesn't mean there will not be one. You will most likely remain safe from 'sploits targeted towards Adobe users by not using the Adobe PDF reader, but that should be obvious.

You mean these seals?

http://www.bbvforums.org/cgi-bin/forums/board-auth .cgi?file=/1954/36510.html#

Previously ... on Diebold TV:

http://midnightspaghetti.com/newsDiebold.php

http://www.equalccw.com/dieboldtestnotes.html

http://www.votergate.org/

http://www.securityfocus.com/news/7517

http://www.archive.org/details/TheCageBushKerry

One thing commonly done with bots is scan for other machines to infect. If the next machine is doing something important, and becomes unresponsive, etc., then that's just too bad. Botherds don't really care who is injured by their actions, so long as they make money. In this case:

"In searching for more computers to infect, the bot software used by the group caused trouble amongst some systems at Northwest Hospital: doors to the operating room failed to open, pagers did not work, and computers in the intensive care unit were disrupted, the statement said. The hospital used backup systems to continue to treat and care for patients."

http://www.securityfocus.com/brief/204

I'm not saying this sort of thing is never blown out of proportion. It can be, especially when DoJ needs a headline. But billions of dollars are being lost, lives severely impacted by identity theft, etc. I'd say that the courts are often too lenient.

Of course the distribution of vulns is not constant over O/Ses. I never said it was. I'd say that OSX and Windows aren't really that different from the security design and exploitability point of view.

I'll only claim that the lack of infections is not primarily due to lack of vulnerability and it is more due to lack of motivation - and that is related to marketshare.

Firefox has had plenty of vulnerabilities (and I'm willing to bet it has plenty more unreported ones)- why haven't the baddies bothered installing their malware using them? Those vulnerabilities are definitely exploitable.

Why? I say it's because the malware people can't achieve what they want - lots of infections.

Why? The overall market share is lower and the sub-monoculture shares are even lower.

What I mean by sub-monoculture shares are machines that can be exploited by the same binary/exploit. An exploit on windows tends to work across many versions of Windows. Whereas an exploit on say one linux distro might not work on other distros.

If OSX actually got really popular, things could change significantly - since it is likely that an exploit could work across multiple versions of OSX, and OSX has lots of preinstalled software that an infector could use (applescript, perl etc).

The sort of hackers who are not interested in lots of infections and are interested in just taking over specific machines are more likely to be the sort to take it over _unnoticed_ - go in, get what they want, get out (often all in a few seconds).

The sort who are interested in fame just have announce OSX vulnerabilities from time to time and they do, but they don't have to release an _exploit_ to get their fame. They could write an actual exploit, but they don't have to release it to get their fame or bother infecting a single machine in the wild. All they need to do is publish and show up here:

http://www.securityfocus.com/cgi-bin/index.cgi?o=0 &l=30&c=12&op=display_list&vendor=Apple

Go look, plenty of exploitable bugs. Be glad there's that avenue for such people.

If you are going to say the vulns are not in the OSX kernel, well there haven't been that many bugs in the Windows kernel either - the hackers you should be worried about aren't going to bother debating which is Apple code and which is not, to them what's important is what runs/exists on all their targets.

Lastly, OSX is definitely safer to use than Windows. But the sort of safety is "living in a safer neighborhood" safety. Not living in a fortress safety.

Uh which year are you in? 2001? Reasonably recent IIS versions have had far fewer exploitable bugs than reasonably recent apache versions. IIS4 was really crap, but stuff after that got immensely better. If you look at the recent 2006 vulnerability, it really isn't a big deal. There are so many conditions for it before it can be exploitable and even classed as a problem (requires attacker to have valid logon credentials etc etc).

( BTW if you add PHP (the popular "ASP" equivalent ) to apache, you end up in swiss cheese land... )

Just because there have been no viruses etc in the wild does not mean that OSX is more secure (from the software quality POV - it's _safer_ in _practice_ for now of course).

For example: there have been plenty of exploitable firefox bugs[1], why hasn't anybody bothered installing spyware etc using them? Yeah, why?

I suggest that if a homogeneous firefox share approaches or goes past 50% you'll start to see malware being installed using firefox exploits. By homogeneous I mean - same exploit will work on that entire "share" (think monoculture).

An IE sploit is likely to easily work across multiple windows versions, but an exploit that works on Firefox on Ubuntu Hoary might not work on Firefox on SuSE 9.1, heck even an exploit that works on SuSE 9.1 might not work on SuSE 10.1 - same reason why you're more likely to have more problems running the same binaries on different Linux distros, than the same thing with Windows.

Remember also desktop market share is very different from server market share. Desktop usage and users are very different from server usage and admins.

Desktop users don't even need IE or Firefox bugs to install trojans - many seem to actually manually install them.

Once you start to have enough of those "shoot both feet" users in OSX land, I think the spyware/zombieware etc people are going to do a few of those in python/perl too. It doesn't matter if the AV people can detect them - because (I believe) one can write such malware really fast and test them against the AV software faster than the AV people can figure out ways of detecting them without too many false positives. Might even be able to semi-automate the process...

[1] If you don't believe me go look for firefox vulnerabilities here: http://www.securityfocus.com/vulnerabilities

Well, I don't see how launchd helps with security. Replacing several well tested unix apps with a single proprietary app isn't what I'd call "secure".

Plus we find these:

http://www.securityfocus.com/bid/18724
http://www.securityfocus.com/bid/13899

Well, I don't see how launchd helps with security. Replacing several well tested unix apps with a single proprietary app isn't what I'd call "secure".

Plus we find these:

http://www.securityfocus.com/bid/18724
http://www.securityfocus.com/bid/13899

Let's face it, the ONLY platform vulnerable to attacks of any kind, is MS. As seen in this article.

Hmmm.... oh yes, let's not forget that there aren't ANY kind of security notices concerning anything on linux.

Nope, definitely NOTHING about linux, or Mac OSX for that matter.

Nope, all those systems, in fact, antyhing but Windows is absolutely bulletproof. Yeap.

So, who's going to jump on the bandwagon with me and bash Microsoft because it's cool? Nevermind that these other products have flaws too, we'll just bash MS so much that no one will ever know we have problems over here with *nix systems and with MacOSX.

/sarcasm OFF

But you are right. These are not facts. Let's keep our eyes wide shut.

One could argue that the fact that we find these disfunctions is proof positive that the nuclear safety process is working, but the truth is that there is a hudge gap between the reality of the danger and the supposed nuclear safety : it's only because of various counter powers that these disfunctions are known. The nuclear industries are closely linked to the military industries and to say the least the field lacks in transparency

I should also point that if you sticked to a scientific and factual approach of the problem, you would certainly realize that defining something as safe once and for all clearly is not a good safety procedure. Err , let's just hope you are not in charge here !

Proliferation of nuclear power will lead to chernobyl like problems, if not only statistically then in the same way that the US power grid is failing : safety brings no short term profit.

But in all your arrogance and pride for your technology i doubt that you can stand back from this nuclear fiction, untill a disaster happens. In your backyard maybe ?

Security processes have no zero default, and you know it. Nuclear safety is a myth. What is the risk ? Don't ask. What are the benefits ? Trust us. The reality is that we shall leave our fate in the hands of the nuclear goons, despite the wastes, despites the risk, despite the damage already done but most of all despite the fact that this energy is over used and wasted in mainly illogicals and ineficient ways. Only the fake sense of safe and infinite energy that the nuclear industries promess permits such a waste of energy, and this has other dramatic effects. One simple example : excessive packaging. Very expensive energy wise, very destructive (plastics, heavy metals in paints, chemical tratement of paper et al), mostly useless.

And keep the insults to yourself, nuclear monger, because be it reason or unfortunately disaster, time is on my side.

Never?

http://search.securityfocus.com/swsearch?query=may nor&sbm=bid&submit=Search%21&metaname=alldoc&sort= swishrank

"Then your computer will blow up and we'll all die"

Your not real bright are you?

http://www.securityfocus.com/columnists/402

Let me configure your monitor for you.
You don't know the half of it (IT).

Do they know something we don't know?

Some Crackers have been doing this for a while, (we are way behind) look within your disk formats and OpenFirmware/Mac, Bios/PC, crack once - stay forever.
Time to start really paying attention, look for "bad boot blocks" for pre boot networking prefs.

This guy's got a clue:

http://www.securityfocus.com/columnists/402

Check the comments too.
Think about an intentional miconfig of your monitor settings (UNIX) now.

Required reading:
Reflections on Trusting Trust
Ken Thompson

http://www.acm.org/classics/sep95/

Intel PRO/Wireless Network Connection drivers are prone to multiple remote code-execution vulnerabilities.

An attacker within range of a vulnerable Wi-Fi station can trigger these issues to corrupt memory to execute code with kernel-level privileges.

A successful attack can result in a complete compromise of the affected computer.

so defeat their efforts to track you posting anonymously from wireless access points using this mac address changer. Remember kids, when privacy is outlawed, only outlaws will have complete privacy.

Yes, I'm not new here, but people need to RTFM, including the submitter. From the Ars article, just a little further than halfway down:

The goal of the treaty is not to let the Chinese crack down on dissidents living in America, however, and so countries may refuse to cooperate with requests that involve a "political offence" or if a country believes the request would "prejudice its soverignty, security, ordre public or other essential interests." The US Department of Justice has already announced that "essential interests" would allow the US to refuse any request that would violate the Constitution.

Before all this Diebold was well known for making ATMs. However, that's completely different from the division that makes voting machines. Diebold acquired Global Election Systems in 2002. ATMs are generally secure devices with reliable paper receipt printers and security that's been refined over decades of attack and defence. Just look at the rigorous security requirements for the PIN entry keypad. In comparison, Global Election Systems has been completely amateurish in their approach to security. I would agree that Diebold, as a company, probably isn't conspiring to throw the elections. They're just hucksters charging Cadillac prices for their Yugo quality junk. However, the result of all this amateurish security is that it only takes one or two malicious insiders to hack an election. This is even more troublesome when you consider the lack of criminal background checks on employees and executives of these companies. Diebold and ES&S are both known to have employed convicted felons.

How long will it be before there is no such thing but and open source AV? There is just no way a closed source AV will be able to adapt as fast as the virus-sphere. especially when you read about these highly targeted Trojans coming from China and Russia. http://www.securityfocus.com/news/11222 I have Clam AV on an Astaro box (linux based UTM) and I've always been pleased with the perfromance.