Slashdot Mirror

← Back to Domains

Domain: securityfocus.com

Stories and comments across the archive that link to securityfocus.com.

Stories · 365

  1. "Super-DMCA" Outlaws Ph.D. Thesis

    Yro · Censorship · · posted by CmdrTaco · from the so-much-for-researhc dept. · 556 comments
    zenquest writes "SecurityFocus reports in this article that a recently-enacted Michigan law makes the graduate work of Niels Provos illegal. (His honeyd project was discussed here a few months back.) According to the article, "Among other things, residents of the Great Lakes State can no longer knowingly "assemble, develop, manufacture, possess, deliver, offer to deliver, or advertise" any device or software that conceals "the existence or place of origin or destination of any telecommunications service." It's also a crime to provide written instructions on creating such a device or program. Violators face up to four years in prison." Provos has had to move his website and research papers to a server in the Netherlands. Similar bills are under consideration in seven states, and have become law in six others. The EFF has more information about the individual states. So, does this mean that Caller-ID block now illegal, as well?"

  2. SecurityFocus Series: U.S. information Security Law

    Yro · Privacy · · posted by timothy · from the bear-in-mind dept. · 2 comments
    An anonymous reader writes "SecurityFocus is running a series on Information Security laws in the United States. The first two articles are already available. Given the topics discussed on /. lately, and given that this review covers some of our favorite federal laws, it might be worth a read."

  3. SecurityFocus Series: U.S. information Security Law

    Yro · Privacy · · posted by timothy · from the bear-in-mind dept. · 2 comments
    An anonymous reader writes "SecurityFocus is running a series on Information Security laws in the United States. The first two articles are already available. Given the topics discussed on /. lately, and given that this review covers some of our favorite federal laws, it might be worth a read."

  4. SecurityFocus Series: U.S. information Security Law

    Yro · Privacy · · posted by timothy · from the bear-in-mind dept. · 2 comments
    An anonymous reader writes "SecurityFocus is running a series on Information Security laws in the United States. The first two articles are already available. Given the topics discussed on /. lately, and given that this review covers some of our favorite federal laws, it might be worth a read."

  5. Snooping on VOIP

    Yro · Privacy · · posted by michael · from the nothing-better-to-do dept. · 141 comments
    EvilAlien writes "SecurityFocus is running an article on a joint Justice Department and FBI filing to the FCC which asks for broader communications interception powers: FBI seeks Internet telephony surveillance. The move is very similar to the Lawful Access Consultation launched by the Canadian Government in August 2002. Both initatives discuss technological challenges and fears of communication "safe havens" for criminals on broadband services such as Internet, VoIP, and wireless services. Holes in existing legislation, such as Communications Assistance for Law Enforcement Act (CALEA), can provide unintended exclusions for services such as Free World Dialup."

  6. Too Cool For Secure Code?

    Developers · Security · · posted by michael · from the java-for-everything dept. · 465 comments
    An anonymous reader writes "Looks like not everyone believes Linux is the monolith of security folks might like us to think. Jon Lasser raises some interesting points in this article over at Security Focus. Though it has to be said, that whilst he focuses on the Linux/Unix side of things, a good proportion of programmers (no matter what they work on) are guilty of similar conceit to some extent."

  7. Microsoft To Teach Undergrads About Secure Computing

    It · Security · · posted by timothy · from the step-one-unplug-your-power-cord dept. · 348 comments
    gcondon writes "The Register is reporting that Microsoft is teaming up with the University of Leeds to teach students how to write secure code. Given the sheer number of programming errors that can lead to security vulnerabilities, it probably makes sense to learn from the company that has tried them all." UndercoverBrotha points out that University of Leeds is one of several venues: "Microsoft is planning to offer 11-week courses at Universities around the world."

    Update: 03/24 18:00 GMT by J : Another report worth reading is Writing Software Right, which requires a free but annoying registration at Technology Review. This regards automated methods of finding software errors (not security specifically). Sun's "Jackpot" is discussed, a lint that also "identifies general instances of good or bad programming."

    And Microsoft's efforts in this field are explained as well -- the company "paid more than $60 million in 1999 to acquire Intrinsa, maker of a bug-finding tool called Prefix. The program, which sifts through huge swaths of code searching for patterns that match a defined list of common semantic errors, helped find thousands of mistakes in Windows and other Microsoft products." As a Microsoft QA person says, "Our challenge is to get our software to the point that people expect it to work instead of expecting it to fail."

  8. Making Encryption A Special Circumstance

    Yro · Encryption · · posted by timothy · from the more-numerous-the-laws dept. · 45 comments
    heby writes "According to an article at SecurityFocus, the U.S. Justice Department is apparently planning to criminalize encryption when used during the commission of a felony under federal law. If you think you have nothing to worry about, think again. Have you ever filed too many tax deductions? If you use e-file via a web page using SSL for filing your taxes, under this proposal this becomes an additional five-year felony."

  9. Basics of Cryptographic Filesystems

    Developers · Security · · posted by michael · from the don't-forget-the-password dept. · 24 comments
    mix_master_mike writes "Found a good article over at security focus: cryptographic filesystems: design and implementation. Nice piece on this level of security that isn't being used very effectively in the industry."

  10. Windows Rootkits

    It · Security · · posted by michael · from the every-box-should-have-one dept. · 322 comments
    GuidoJ writes "The Register is running an article by Kevin Poulsen of SecurityFocus Online about rootkits in Windows NT. While rootkits are a well-known issue in Unix and Linux systems, they have rarely been found on compromised Windows machines. According to the article, Windows NT backdoors have always been 'trivial', and they have caused enough havoc already. Imagine what a stealthy rootkit could do!"

  11. Windows Rootkits

    It · Security · · posted by michael · from the every-box-should-have-one dept. · 322 comments
    GuidoJ writes "The Register is running an article by Kevin Poulsen of SecurityFocus Online about rootkits in Windows NT. While rootkits are a well-known issue in Unix and Linux systems, they have rarely been found on compromised Windows machines. According to the article, Windows NT backdoors have always been 'trivial', and they have caused enough havoc already. Imagine what a stealthy rootkit could do!"

  12. Program Hides Secret Messages in Executables

    It · Encryption · · posted by timothy · from the ms-reveals-code-to-piglatinland dept. · 243 comments
    DmuZ writes "My friend Rakan has created a new steganographic tool named Hydan which can embed messages into an executable without altering its size. He recently presented this tool to the public for the first time at codecon. This new technique was intriguing enough to get coverage on SecurityFocus.com. The code is available here."

  13. SecurityFocus On MS Security "Hole"

    It · Security · · posted by timothy · from the if-you're-sitting-at-the-console dept. · 398 comments
    friday2k writes "There is an interesting writeup at SecurityFocus that puts the latest security 'hole' in XP into perspective. It is a worthy read and should remind us all of the real issues out there." And it collects into one place much of the flak I caught after posting about the claimed security hole opened by the XP Recovery Console.

  14. Unreal Security Hole

    It · Security · · posted by timothy · from the compromising dept. · 250 comments
    Screaming Lunatic writes "There seems to be a big security hole in the Unreal engine that has been around for about 5 years. It affects servers for a number of games and operating systems, including Linux (which accounts for about 40% of UT2003 servers). Epic has been working on a patch for about 3 months. Imagine the bad publicity games would receive if a worm on the scale of Slammer had been created." A Bugtraq post from Thor Larholm of Pivx, says that Marc Rein of Epic threatened PivX with "getting our lawyers involved with this"; the TechTV article Larholm cites (the same one linked from this submission), however, contains no mention of legal action. Rein nonetheless apologized for "those completely unfortunate comments" in a followup message to Bugtraq.

  15. Unreal Security Hole

    It · Security · · posted by timothy · from the compromising dept. · 250 comments
    Screaming Lunatic writes "There seems to be a big security hole in the Unreal engine that has been around for about 5 years. It affects servers for a number of games and operating systems, including Linux (which accounts for about 40% of UT2003 servers). Epic has been working on a patch for about 3 months. Imagine the bad publicity games would receive if a worm on the scale of Slammer had been created." A Bugtraq post from Thor Larholm of Pivx, says that Marc Rein of Epic threatened PivX with "getting our lawyers involved with this"; the TechTV article Larholm cites (the same one linked from this submission), however, contains no mention of legal action. Rein nonetheless apologized for "those completely unfortunate comments" in a followup message to Bugtraq.

  16. Killing Others' Malicious Processes

    News · News · · posted by Hemos · from the shot-'em-dead dept. · 415 comments
    Roland Piquepaille writes "This opinion is not mine, but the one of Tim Mullen, from SecurityFocus Online. In this story, he expresses some strong ideas regarding systems infected by worms. "I believe you should have the right to neutralize a worm process running on someone else's infected system, if it's relentlessly attacking your network. I've even written code to demonstrate the process. Though the initial news coverage of the concept was grossly inaccurate in conveying my ideas, it has stirred up a constructive dialog. I knew my idea was controversial, but I was wrong about something -- I figured everyone in the security biz would "get it" and that the hard part would be convincing everyone else that if they can't or won't secure their machines, we as the defenders would have the right to terminate the process attacking us. It has turned out to be the opposite." The author then looks at the criticisms about this strikeback idea raised by some security experts -- to dismiss them of course. Check this column for a summary or read the original story for more details."

  17. Killing Others' Malicious Processes

    News · News · · posted by Hemos · from the shot-'em-dead dept. · 415 comments
    Roland Piquepaille writes "This opinion is not mine, but the one of Tim Mullen, from SecurityFocus Online. In this story, he expresses some strong ideas regarding systems infected by worms. "I believe you should have the right to neutralize a worm process running on someone else's infected system, if it's relentlessly attacking your network. I've even written code to demonstrate the process. Though the initial news coverage of the concept was grossly inaccurate in conveying my ideas, it has stirred up a constructive dialog. I knew my idea was controversial, but I was wrong about something -- I figured everyone in the security biz would "get it" and that the hard part would be convincing everyone else that if they can't or won't secure their machines, we as the defenders would have the right to terminate the process attacking us. It has turned out to be the opposite." The author then looks at the criticisms about this strikeback idea raised by some security experts -- to dismiss them of course. Check this column for a summary or read the original story for more details."

  18. Appropriate Punishment For Crackers?

    Yro · Security · · posted by Hemos · from the what-are-the-consequences dept. · 633 comments
    Cally writes "There's a Kevin Poulson article on SecurityFocus reporting that the US Sentencing Commission is seeking opinions about the appropriate punishment for convicted system crackers and other black-hat types. On one hand, it seems absurd to ruin the entire life of a foolish 15 year-old for committing the equivalent of graffiti. Then again, perhaps these people are cyber-terrorists who should be illegally imprisoned, indefinitely, without a trial, charges, or legal representation? You choose."

  19. Adelphia's Cable Modems Compromised

    It · Security · · posted by CowboyNeal · from the leaving-the-door-open dept. · 182 comments
    texus writes "The Adelphia PowerLink Cable Modem Internet Service Provider, that serves 5.5 million customers nation wide, was found to be vulnerable of a major security flaw that allows cable modem subscribers to spy on each others traffic, as well as the ability to modify other users internet packets in realtime. The severity of a potential attack could allow a malicious subscriber to gain access to the customers private activity on the net, as well as the capabilities to hijack connections, intercept SSL/SSH/VPN encrypted sessions, hijack and poison dns servers, and perform a Denial of Service on the entire subnet. The advisory on BugTraq officially states that it didn't seem like Unix machines that logged onto the network were affected, but reports from other Adelphia subscribers indicate that this was inaccurate and Unix users are vulnerable as well."

  20. Adelphia's Cable Modems Compromised

    It · Security · · posted by CowboyNeal · from the leaving-the-door-open dept. · 182 comments
    texus writes "The Adelphia PowerLink Cable Modem Internet Service Provider, that serves 5.5 million customers nation wide, was found to be vulnerable of a major security flaw that allows cable modem subscribers to spy on each others traffic, as well as the ability to modify other users internet packets in realtime. The severity of a potential attack could allow a malicious subscriber to gain access to the customers private activity on the net, as well as the capabilities to hijack connections, intercept SSL/SSH/VPN encrypted sessions, hijack and poison dns servers, and perform a Denial of Service on the entire subnet. The advisory on BugTraq officially states that it didn't seem like Unix machines that logged onto the network were affected, but reports from other Adelphia subscribers indicate that this was inaccurate and Unix users are vulnerable as well."

  21. Reverse Engineering Win32 Trojans on Linux

    Developers · Programming · · posted by michael · from the clean-room dept. · 86 comments
    slackrootcyc writes "A post (and previous article) give a detailed examination of the reversing process, using a trojan found in the wild. Later on in the story it discusses some techniques for reversing Windows-native code entirely under Linux."

  22. Reverse Engineering Win32 Trojans on Linux

    Developers · Programming · · posted by michael · from the clean-room dept. · 86 comments
    slackrootcyc writes "A post (and previous article) give a detailed examination of the reversing process, using a trojan found in the wild. Later on in the story it discusses some techniques for reversing Windows-native code entirely under Linux."

  23. Due Diligence?

    Developers · Security · · posted by michael · from the postscript-always-a-nice-touch dept. · 202 comments
    ekr writes "The OpenSSL remote buffer overflows discovered at the end of July got a lot of press here on /. But how many people actually fixed their machines? I decided to study this question, and the results are kind of depressing. Two weeks after the release of the bug, over two thirds of the servers I sampled were still vulnerable. Even two weeks after the Slapper worm was announced, a third of the total servers were vulnerable. The paper can be found here in PDF or Postscript."

  24. MSS Initiative Makes Progress

    Internet · · posted by ryuzaki0 · from the doctor-heal-theyself dept. · 114 comments
    Phil writes "The MSS Initiative was started by Richard van den Berg and myself to combat sites that are broken (enable Path MTU Discovery AND block ICMP 3,4) which include such big sites as SecurityFocus and CERT (causing those behind PPPoE and other less-than-1500-MTU-protocols to be unable to view the sites). This past week we were priveleged enough to be able to present a paper at the 16th LISA Systems Administration Conference! Check out the paper and slides and be sure, like many members of the audience, to fix the sites you administer!"

  25. Mozilla: The Good And The Bad

    Tech · Mozilla · · posted by timothy · from the 10-dollar-fine-if-you-said-ugly dept. · 541 comments
    Rui del-Negro writes "According to this article at The Register, six security flaws in Mozilla were posted to BugTraq last weekend. They have not been added to the official Mozilla vulnerability list yet. But details can be found here, here, here and here (phew!). Finally, two other bugs were found, relating to loading GIF files (in several Linux browsers) and Mozilla's (JavaScript) implementation of onUnload ( ). Are they trying to prove they can beat Microsoft at their own game..? Or is someone just trying to win a prize?" On a brighter note, Zerbey writes "From Neil's Place here is 101 Things Mozilla can do which IE cannot. Very interesting reading and an excellent resource for convincing stubborn Internet Explorer users why they should switch. This article was also reported at Mozillazine. I'm still waiting for NTLM auth to be implemented so we can switch over at my workplace, the only reason we still have to use Internet Explorer."

  26. Mozilla: The Good And The Bad

    Tech · Mozilla · · posted by timothy · from the 10-dollar-fine-if-you-said-ugly dept. · 541 comments
    Rui del-Negro writes "According to this article at The Register, six security flaws in Mozilla were posted to BugTraq last weekend. They have not been added to the official Mozilla vulnerability list yet. But details can be found here, here, here and here (phew!). Finally, two other bugs were found, relating to loading GIF files (in several Linux browsers) and Mozilla's (JavaScript) implementation of onUnload ( ). Are they trying to prove they can beat Microsoft at their own game..? Or is someone just trying to win a prize?" On a brighter note, Zerbey writes "From Neil's Place here is 101 Things Mozilla can do which IE cannot. Very interesting reading and an excellent resource for convincing stubborn Internet Explorer users why they should switch. This article was also reported at Mozillazine. I'm still waiting for NTLM auth to be implemented so we can switch over at my workplace, the only reason we still have to use Internet Explorer."

  27. Mozilla: The Good And The Bad

    Tech · Mozilla · · posted by timothy · from the 10-dollar-fine-if-you-said-ugly dept. · 541 comments
    Rui del-Negro writes "According to this article at The Register, six security flaws in Mozilla were posted to BugTraq last weekend. They have not been added to the official Mozilla vulnerability list yet. But details can be found here, here, here and here (phew!). Finally, two other bugs were found, relating to loading GIF files (in several Linux browsers) and Mozilla's (JavaScript) implementation of onUnload ( ). Are they trying to prove they can beat Microsoft at their own game..? Or is someone just trying to win a prize?" On a brighter note, Zerbey writes "From Neil's Place here is 101 Things Mozilla can do which IE cannot. Very interesting reading and an excellent resource for convincing stubborn Internet Explorer users why they should switch. This article was also reported at Mozillazine. I'm still waiting for NTLM auth to be implemented so we can switch over at my workplace, the only reason we still have to use Internet Explorer."

  28. Mozilla: The Good And The Bad

    Tech · Mozilla · · posted by timothy · from the 10-dollar-fine-if-you-said-ugly dept. · 541 comments
    Rui del-Negro writes "According to this article at The Register, six security flaws in Mozilla were posted to BugTraq last weekend. They have not been added to the official Mozilla vulnerability list yet. But details can be found here, here, here and here (phew!). Finally, two other bugs were found, relating to loading GIF files (in several Linux browsers) and Mozilla's (JavaScript) implementation of onUnload ( ). Are they trying to prove they can beat Microsoft at their own game..? Or is someone just trying to win a prize?" On a brighter note, Zerbey writes "From Neil's Place here is 101 Things Mozilla can do which IE cannot. Very interesting reading and an excellent resource for convincing stubborn Internet Explorer users why they should switch. This article was also reported at Mozillazine. I'm still waiting for NTLM auth to be implemented so we can switch over at my workplace, the only reason we still have to use Internet Explorer."

  29. Mozilla: The Good And The Bad

    Tech · Mozilla · · posted by timothy · from the 10-dollar-fine-if-you-said-ugly dept. · 541 comments
    Rui del-Negro writes "According to this article at The Register, six security flaws in Mozilla were posted to BugTraq last weekend. They have not been added to the official Mozilla vulnerability list yet. But details can be found here, here, here and here (phew!). Finally, two other bugs were found, relating to loading GIF files (in several Linux browsers) and Mozilla's (JavaScript) implementation of onUnload ( ). Are they trying to prove they can beat Microsoft at their own game..? Or is someone just trying to win a prize?" On a brighter note, Zerbey writes "From Neil's Place here is 101 Things Mozilla can do which IE cannot. Very interesting reading and an excellent resource for convincing stubborn Internet Explorer users why they should switch. This article was also reported at Mozillazine. I'm still waiting for NTLM auth to be implemented so we can switch over at my workplace, the only reason we still have to use Internet Explorer."

  30. Mozilla: The Good And The Bad

    Tech · Mozilla · · posted by timothy · from the 10-dollar-fine-if-you-said-ugly dept. · 541 comments
    Rui del-Negro writes "According to this article at The Register, six security flaws in Mozilla were posted to BugTraq last weekend. They have not been added to the official Mozilla vulnerability list yet. But details can be found here, here, here and here (phew!). Finally, two other bugs were found, relating to loading GIF files (in several Linux browsers) and Mozilla's (JavaScript) implementation of onUnload ( ). Are they trying to prove they can beat Microsoft at their own game..? Or is someone just trying to win a prize?" On a brighter note, Zerbey writes "From Neil's Place here is 101 Things Mozilla can do which IE cannot. Very interesting reading and an excellent resource for convincing stubborn Internet Explorer users why they should switch. This article was also reported at Mozillazine. I'm still waiting for NTLM auth to be implemented so we can switch over at my workplace, the only reason we still have to use Internet Explorer."

  31. SANS/FBI Release Top 20 Security Vulnerabilities

    It · Security · · posted by CowboyNeal · from the lock-them-boxes-down dept. · 268 comments
    theBraindonor writes "SANS Institute and the FBI have compiled a listing of the The Twenty Most Critical Internet Security Vulnerabilities. The list is broken down into two groups: Windows Systems and Unix Systems." The list of Unix vulnerabilities is also a list of the network programs I (and presumably many others) use most. It's a good thing there's BugTraq.

  32. Linux Worm Spreading, Many Systems Vulnerable

    Tech · Security · · posted by timothy · from the patchy-patchy dept. · 546 comments
    sverrehu writes "A GNU/Linux worm exploiting a bug in OpenSSL spreads through vulnerable Apache web servers, according to Symantec. The worm, which was first reported in Europe, targets several popular Linux distributions. See also the SecurityFocus vulnerability listing for the OpenSSL bug." sionide also writes: "Netcraft recently published a report which explains that a large portion of Apache systems are still unpatched (halfway down). To protect yourself please upgrade to OpenSSL 0.9.6g."

  33. Graphing Randomness in TCP Initial Sequence Numbers

    Developers · Security · · posted by michael · from the winning-lottery-numbers-in-there-somewhere dept. · 145 comments
    Saint Aardvark writes "This is neat: Graphic visualization of how random TCP Initial Sequence Numbers really are for different OSs. It's a great way of seeing how secure a TCP stack really is. Cisco IOS is great; OS9, OpenVMS and IRIX aren't. Posted to the ever-lovin' BugTraq mailing list." This is a follow-up to the previous report.

  34. If You Hack NBC, You Don't Get to Meet Tom Brokaw

    It · Security · · posted by CmdrTaco · from the thats-pretty-funny dept. · 319 comments
    subgeek writes "Security Focus Online is carrying this story about the spot that Adrian Lamo almost had on the NBC Nightly News with Tom Brokaw. NBC changed their mind after they realized the possible legal implications of filming someone hack corporate systems. NBC also seemed a bit touchy that Lamo had gotten into their system so handily. According to the article, it took him about five minutes and one guessed password to get inside NBC's intranet from a computer at a Kinko's. Lamo's comment: "It was a very full service system.""

  35. Attack Of The Dreamcasts

    It · Security · · posted by Hemos · from the swirly-logos-coming-at-you dept. · 449 comments
    kevin_conaway writes "A pair of coders are now suggesting that it is possible, with a modified dreamcast system running Linux to sneek into an office building and stick it on a network drop and leave. The dreamcast will then probe for ways to connect to the outside world. They say they have created similar software for iPAQs and a special bootable cdroms for print servers and similar boxes. Just a reminder that are networks need to be as secure on the inside as they should be on the outside. Get the story here."

  36. 802.11b Honeypots Open for Business

    It · Security · · posted by CmdrTaco · from the are-you-secure dept. · 103 comments
    11thangel writes "SecurityFocus is running a story about a wireless honeypot project, being run by the SAIC. The setup consists of 5 Cisco access points in the Washington D.C. area, with two extra antennas (high gain omni's) plugged in. The network itself has a bunch of comps with various vulnerabilities, similar to a traditional honeypot. At the present, the network doesn't have a net connection, but the administrator is considering hooking it through a web proxy that would add a consent-to-monitor banner, so he can watch who's doing what. Time to find a WiFi card that can MAC-hop."

  37. 802.11b Honeypots Open for Business

    It · Security · · posted by CmdrTaco · from the are-you-secure dept. · 103 comments
    11thangel writes "SecurityFocus is running a story about a wireless honeypot project, being run by the SAIC. The setup consists of 5 Cisco access points in the Washington D.C. area, with two extra antennas (high gain omni's) plugged in. The network itself has a bunch of comps with various vulnerabilities, similar to a traditional honeypot. At the present, the network doesn't have a net connection, but the administrator is considering hooking it through a web proxy that would add a consent-to-monitor banner, so he can watch who's doing what. Time to find a WiFi card that can MAC-hop."

  38. Schmidt Predicts Digital Sky Is Falling

    It · Security · · posted by michael · from the dict-cullion dept. · 506 comments
    Danse writes "Former Microsoft security chief Howard Schmidt now works for the government as the vice chairman of the Critical Infrastructure Protection Board. According to this article on Security Focus, he has been touring the country, proclaiming the dangers of "zero-day viruses" and "affinity worms" that will create the kind of havoc that nothing else short of a nuclear exchange could cause. "Traffic lights, pacemakers, appliances -- all subject to outages and interruptions because in the future they're controlled via Internet, declares Schmidt. The power grid could fail catastrophically by 2005!" How do you argue with this kind of rhetoric, especially when it's being spread directly by government officials to corporate leaders?"

  39. Schmidt Predicts Digital Sky Is Falling

    It · Security · · posted by michael · from the dict-cullion dept. · 506 comments
    Danse writes "Former Microsoft security chief Howard Schmidt now works for the government as the vice chairman of the Critical Infrastructure Protection Board. According to this article on Security Focus, he has been touring the country, proclaiming the dangers of "zero-day viruses" and "affinity worms" that will create the kind of havoc that nothing else short of a nuclear exchange could cause. "Traffic lights, pacemakers, appliances -- all subject to outages and interruptions because in the future they're controlled via Internet, declares Schmidt. The power grid could fail catastrophically by 2005!" How do you argue with this kind of rhetoric, especially when it's being spread directly by government officials to corporate leaders?"

  40. PHP Vulnerability Announced

    Tech · Php · · posted by krow · from the who-would-have-thunk-it dept. · 47 comments
    corz writes "Just when you thought you were finished upgrading the webserver, 'The PHP Group has learned of a serious security vulnerability in PHP versions 4.2.0 and 4.2.1. An intruder may be able to execute arbitrary code with the privileges of the web server. This vulnerability may be exploited to compromise the web server and, under certain conditions, to gain privileged access.' Here's the bugtraq announcement." The hole is in the parsing of HTTP POST headers and can allow arbitrary code to be run on vulnerable machines. PHP thoughtfully decided to release a new version, 4.2.2, today with the fix. You can find a copy of it here (mirror).

  41. Gates and Lasser on Palladium

    Microsoft · · posted by ryuzaki0 · from the he-said-he-said dept. · 358 comments
    A rather funny juxtaposition this morning - Bill Gates or someone with his signature stamp sent a spam-gram to pretty much everyone who receives any sort of Microsoft email: Bill only mentions Digital Rights Management in one throw-away sentence. And like most other spam, he promises it's a one-time mailing. On the other hand, Jon Lasser of Think Unix fame takes a harsher look at Microsoft's vision of a world where your computer is trusted against you.

  42. Symantec to Acquire SecurityFocus

    It · Security · · posted by michael · from the woe-to-the-defeated dept. · 200 comments
    cbv writes "Symantec Corp. today announced the acquisition of SecurityFocus for approximately US$75 million in cash. The press release reads, 'With this acquisition, Symantec will offer customers the most comprehensive, proactive early warning system across the broadest range of threats.' The transaction is expected to close by early to mid-August 2002."

  43. Crypto Restrictions Are Taking Over the World

    Yro · Privacy · · posted by timothy · from the and-you'll-like-it dept. · 348 comments
    zeke writes: "An article on SecurityFocus details how forced key escrow and other crypto restrictions have taken root around the world, in countries like France, South Africa, the Netherlands and the UK. Ironically, this leaves the United States -- the birthplace and graveyard of the Clipper Chip -- as one of the few bastions of unregulated encryption."

  44. BitchX 1.0c19 IRC Client Backdoored

    It · Security · · posted by michael · from the what-me-worry dept. · 305 comments
    JRAC writes "A recent Bugtraq submission has indicated that the popular IRC client, BitchX, contains a backdoor. So far, only certain 1.0c19 files, downloaded from ftp.bitchx.com are reported to contain the malicious code. The BitchX developers have been notified, so hopefully a fix will be issued soon. Looks like irssi wasn't the only one ;)"

  45. OpenSSH Vulnerability Disclosed, Version 3.4 Released

    It · Security · · posted by timothy · from the quick-turnaround dept. · 336 comments
    Dan writes: "OpenSSH 3.4 has been released and will be shortly available on all mirrors. All versions of OpenSSH's sshd between 2.9.9 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation. OpenSSH 3.4 fixes this bug." And kylus writes: "The previously mentioned vulnerability in OpenSSH has been disclosed by ISS X-Force today on the BugTraq list. This is a potential remote root compromise, and while there is a workaround, it's advised that users upgrade to version 3.4 as soon as they can."

  46. Mitnick Testifies on Telco's Security

    It · Security · · posted by michael · from the what-me-worry dept. · 206 comments
    Woefdram writes "Our favourite computer criminal (?) Kevin Mitnick testified in a case against Telco Sprint that their security was like Swiss cheese: full of holes. The story on SecurityFocus quotes Mitnick, saying, 'I had access to most, if not all, of the switches in Las Vegas,' and tells how he came up with a list of 100 challenge-response codes." We've written about this case before.

  47. Security of Open vs. Closed Source Software

    It · Security · · posted by michael · from the flame-retardant-suit dept. · 349 comments
    morhoj writes "Cambridge University researcher Ross Anderson just released a paper concluding that open source and closed source software are equally secure. Can't find a copy of the paper online yet, but I thought this would make for an interesting morning conversation. You may not agree with him, but anyone who's on the BugTraq List can tell you that open source software isn't as bug free as we would all like to think." I found Anderson's paper, so read it for yourself. There are some other interesting papers being presented at the conference as well.

  48. Security Concerns When Consoles Go Online?

    It · Security · · posted by michael · from the never-had-these-problems-with-atari dept. · 211 comments
    VonGuard writes "I've written an article for Security Focus about the security concerns that having an Xbox or Playstation 2 on your network might raise. The article, entitled Welcome to the Jungle was an interesting experience to write. I really think that Sony will end up having some trouble from their stance on third party security design, while Microsoft might end up smelling like roses. Too bad MS shipped the Nimda virus with their Korean version of .Net Visual Studio."

  49. Security Concerns When Consoles Go Online?

    It · Security · · posted by michael · from the never-had-these-problems-with-atari dept. · 211 comments
    VonGuard writes "I've written an article for Security Focus about the security concerns that having an Xbox or Playstation 2 on your network might raise. The article, entitled Welcome to the Jungle was an interesting experience to write. I really think that Sony will end up having some trouble from their stance on third party security design, while Microsoft might end up smelling like roses. Too bad MS shipped the Nimda virus with their Korean version of .Net Visual Studio."

  50. Security Concerns When Consoles Go Online?

    It · Security · · posted by michael · from the never-had-these-problems-with-atari dept. · 211 comments
    VonGuard writes "I've written an article for Security Focus about the security concerns that having an Xbox or Playstation 2 on your network might raise. The article, entitled Welcome to the Jungle was an interesting experience to write. I really think that Sony will end up having some trouble from their stance on third party security design, while Microsoft might end up smelling like roses. Too bad MS shipped the Nimda virus with their Korean version of .Net Visual Studio."