Domain: slashdot.org
Stories and comments across the archive that link to slashdot.org.
Stories · 37,380
-
Tax Loopholes No Longer Patentable
Knowzy writes "A section of the America Invents Act disallows issuing a patent 'on a strategy for reducing, avoiding or postponing taxes,' according to Forbes. The article describes one such strategy in some detail. The USTPO has already issued 161 of these 'business method type' patents. 167 more were pending. The law only applies to future patent applications, leaving enforcement of existing patents an issue for the courts to decide." -
Book Review: Digital Evidence and Computer Crime
brothke writes "When it comes to a physical crime scene and the resulting forensics, investigators can ascertain that a crime took place and gather the necessary evidence. When it comes to digital crime, the evidence is often at the byte level, deep in the magnetics of digital media, initially invisible from the human eye. That is just one of the challenges of digital forensics, where it is easy to destroy crucial evidence, and often difficult to preserve correctly." Read on for the rest of Ben's review. Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet author Eoghan Casey pages 840 publisher Academic Press rating 10/10 reviewer Ben Rothke ISBN 978-0123742681 summary Definitive reference on the subject of digital evidence and computer crime For those looking for an authoritative guide,Digital Evidence and Computer Crimeis an invaluable book that can be used to ensure that any digital investigation is done in a formal manner, that can ultimately be used to determine what happened, and if needed, used as evidence in court.
Written by Eoghan Casey, a leader in the field of digital forensics, in collaboration with 10 other experts, the book's 24 chapters and nearly 800 pages provide an all-encompassing reference. Every relevant topic in digital forensics is dealt with in this extraordinary book. Its breadth makes it relevant to an extremely large reading audience: system and security administrators, incident responders, forensic analysts, law enforcement, lawyers and more.
In the introduction, Casey writes that one of the challenges of digital forensics is that the fundamental aspects of the field are still in development. Be it the terminology, tools, definitions, standards, ethics and more, there is a lot of debate amongst professionals about these areas. One of the book's goals is to assist the reader in tackling these areas and to advance the field. To that end, it achieves its goals and more.
Chapter 1 is appropriately titled Foundation of Digital Forensics,and provides a fantastic overview and introduction to the topic. Two of the superlative features in the book are the hundreds of case examplesand practitioners' tips. The book magnificently integrates the theoretical aspects of forensics with real-world examples to make it an extremely decipherable guide.
Casey notes that one of the most important advances in the history of digital forensics took place in 2008 when the American Academy of Forensic Sciences created a new section devoted to digital and multimedia sciences. That development advanced digital forensics as a scientific discipline and provided a common ground for the varied members of the forensic science community to share knowledge and address current challenges.
In chapter 3 – Digital Evidence in the Courtroom– Casey notes that the most common mistake that prevents digital evidence from being admitted in court is that it is obtained without authorization. Generally, a warrant is required to search and seize evidence. This and other chapters go into detail on how to ensure that evidence gathered is ultimately usable in court.
Chapter 6 – Conducting Digital Investigations – is one of the best chapters in the book. Much of this chapter details how to apply the scientific method to digital investigations. The chapter is especially rich with tips and examples, which are crucial, for if an investigation is not conducted in a formal and consistent manner, a defense attorney will attempt to get the evidence dismissed.
Chapter 6 and other chapters reference the Association of Chief Police Officer's Good Practice Guide for Computer-Based Electronic Evidence as one of the most mature and practical documents to use when handling digital crime scenes. The focus of the guide is to help digital investigators handle the most common forms of digital evidence, including desktops, laptops and mobile devices.
The Good Practice Guideis important in that digital evidence comes in many forms, including audit trails, application, badge reader and ISP and IDS logs, biometric data, application metadata, and much more. The investigator needs to understand how all of these work and interoperate to ensure that they are collecting and interpreting the evidence correctly.
Chapter 9 — Modus Operandi — by Brent Turvey is a fascinating overview of how and why criminals commit crimes. He writes that while technologies and tools change, the underlying psychological needs and motives of the offenders and their associated criminal behavior has not changed through the ages.
Chapter 10 – Violent Crime and Digital Evidence — is another extremely fascinating and insightful chapter. Casey writes that whatever the circumstances of a violent crime, information is key to determining and thereby understanding the victim-offender relationship, and to developing an ongoing investigative strategy. Any details gleaned from digital evidence can be important, and digital investigators must develop the ability to prioritize what can be overwhelming amounts of evidence.
Chapter 13 – Forensic Preservation of Volatile Data — deals with the age-old forensic issue: to shut down or not to shut down? It provides a highly detailed sample volatile data preservation process for an investigator to follow to preserve volatile data from a system. There is also a fascinating section on the parallels between arson and digital intrusion investigations.
Part 4 of the book is Computers, in which the authors note that although digital investigators can use sophisticated software to recover deleted files and perform advanced analysis of computer hard drives, it is important for them to understand what is happening behind the scenes. A lack of understanding of how computers function and the processes that sophisticated tools have automated make it more difficult for digital investigators to explain their findings in court and can lead to incorrect interpretations of digital evidence.
Chapter 17 – File Systems– has an interesting section on dates and times. Given the importance of dates and times when investigating computer-related crimes, investigators need an understanding of how these values are stored and converted. The chapter has a table of the date-time stamp behavior on both FAT and NTFS file systems. Time stamps are not a trivial issue, as there are many different actions involved (file moved, deletion, copy, etc.) that can affect the date-time stamp in very different ways.
A better title for Digital Evidence and Computer Crime might be the Comprehensive Guide to Everything You Need to Know About Digital Forensics. One is hard pressed to find another book overflowing with so many valuable details and real-world examples.
The book is also relevant for those who are new to the field, as it provides a significant amount of introductory material that delivers a broad overview to the core areas of digital forensics.
The book progresses to more advanced and cutting-edge topics, including sections on various operating systems, from Windows and Unix to Macintosh.
This is the third edition of the book and completely updated and reedited. When it comes to digital forensics, this is the reference guide that all books on the topic will be measured against.
With a list price of $70.00, this book is an incredible bargain given the depth and breadth of topics discussed, with each chapter written by an expert in the field. For those truly serious about digital forensics,Digital Evidence and Computer Crime is an equally serious book.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Book Review: Digital Evidence and Computer Crime
brothke writes "When it comes to a physical crime scene and the resulting forensics, investigators can ascertain that a crime took place and gather the necessary evidence. When it comes to digital crime, the evidence is often at the byte level, deep in the magnetics of digital media, initially invisible from the human eye. That is just one of the challenges of digital forensics, where it is easy to destroy crucial evidence, and often difficult to preserve correctly." Read on for the rest of Ben's review. Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet author Eoghan Casey pages 840 publisher Academic Press rating 10/10 reviewer Ben Rothke ISBN 978-0123742681 summary Definitive reference on the subject of digital evidence and computer crime For those looking for an authoritative guide,Digital Evidence and Computer Crimeis an invaluable book that can be used to ensure that any digital investigation is done in a formal manner, that can ultimately be used to determine what happened, and if needed, used as evidence in court.
Written by Eoghan Casey, a leader in the field of digital forensics, in collaboration with 10 other experts, the book's 24 chapters and nearly 800 pages provide an all-encompassing reference. Every relevant topic in digital forensics is dealt with in this extraordinary book. Its breadth makes it relevant to an extremely large reading audience: system and security administrators, incident responders, forensic analysts, law enforcement, lawyers and more.
In the introduction, Casey writes that one of the challenges of digital forensics is that the fundamental aspects of the field are still in development. Be it the terminology, tools, definitions, standards, ethics and more, there is a lot of debate amongst professionals about these areas. One of the book's goals is to assist the reader in tackling these areas and to advance the field. To that end, it achieves its goals and more.
Chapter 1 is appropriately titled Foundation of Digital Forensics,and provides a fantastic overview and introduction to the topic. Two of the superlative features in the book are the hundreds of case examplesand practitioners' tips. The book magnificently integrates the theoretical aspects of forensics with real-world examples to make it an extremely decipherable guide.
Casey notes that one of the most important advances in the history of digital forensics took place in 2008 when the American Academy of Forensic Sciences created a new section devoted to digital and multimedia sciences. That development advanced digital forensics as a scientific discipline and provided a common ground for the varied members of the forensic science community to share knowledge and address current challenges.
In chapter 3 – Digital Evidence in the Courtroom– Casey notes that the most common mistake that prevents digital evidence from being admitted in court is that it is obtained without authorization. Generally, a warrant is required to search and seize evidence. This and other chapters go into detail on how to ensure that evidence gathered is ultimately usable in court.
Chapter 6 – Conducting Digital Investigations – is one of the best chapters in the book. Much of this chapter details how to apply the scientific method to digital investigations. The chapter is especially rich with tips and examples, which are crucial, for if an investigation is not conducted in a formal and consistent manner, a defense attorney will attempt to get the evidence dismissed.
Chapter 6 and other chapters reference the Association of Chief Police Officer's Good Practice Guide for Computer-Based Electronic Evidence as one of the most mature and practical documents to use when handling digital crime scenes. The focus of the guide is to help digital investigators handle the most common forms of digital evidence, including desktops, laptops and mobile devices.
The Good Practice Guideis important in that digital evidence comes in many forms, including audit trails, application, badge reader and ISP and IDS logs, biometric data, application metadata, and much more. The investigator needs to understand how all of these work and interoperate to ensure that they are collecting and interpreting the evidence correctly.
Chapter 9 — Modus Operandi — by Brent Turvey is a fascinating overview of how and why criminals commit crimes. He writes that while technologies and tools change, the underlying psychological needs and motives of the offenders and their associated criminal behavior has not changed through the ages.
Chapter 10 – Violent Crime and Digital Evidence — is another extremely fascinating and insightful chapter. Casey writes that whatever the circumstances of a violent crime, information is key to determining and thereby understanding the victim-offender relationship, and to developing an ongoing investigative strategy. Any details gleaned from digital evidence can be important, and digital investigators must develop the ability to prioritize what can be overwhelming amounts of evidence.
Chapter 13 – Forensic Preservation of Volatile Data — deals with the age-old forensic issue: to shut down or not to shut down? It provides a highly detailed sample volatile data preservation process for an investigator to follow to preserve volatile data from a system. There is also a fascinating section on the parallels between arson and digital intrusion investigations.
Part 4 of the book is Computers, in which the authors note that although digital investigators can use sophisticated software to recover deleted files and perform advanced analysis of computer hard drives, it is important for them to understand what is happening behind the scenes. A lack of understanding of how computers function and the processes that sophisticated tools have automated make it more difficult for digital investigators to explain their findings in court and can lead to incorrect interpretations of digital evidence.
Chapter 17 – File Systems– has an interesting section on dates and times. Given the importance of dates and times when investigating computer-related crimes, investigators need an understanding of how these values are stored and converted. The chapter has a table of the date-time stamp behavior on both FAT and NTFS file systems. Time stamps are not a trivial issue, as there are many different actions involved (file moved, deletion, copy, etc.) that can affect the date-time stamp in very different ways.
A better title for Digital Evidence and Computer Crime might be the Comprehensive Guide to Everything You Need to Know About Digital Forensics. One is hard pressed to find another book overflowing with so many valuable details and real-world examples.
The book is also relevant for those who are new to the field, as it provides a significant amount of introductory material that delivers a broad overview to the core areas of digital forensics.
The book progresses to more advanced and cutting-edge topics, including sections on various operating systems, from Windows and Unix to Macintosh.
This is the third edition of the book and completely updated and reedited. When it comes to digital forensics, this is the reference guide that all books on the topic will be measured against.
With a list price of $70.00, this book is an incredible bargain given the depth and breadth of topics discussed, with each chapter written by an expert in the field. For those truly serious about digital forensics,Digital Evidence and Computer Crime is an equally serious book.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Julian Assange's Unauthorized Autobiography
macwhizkid writes "After signing a major book deal for his autobiography, Julian Assange backed out (allegedly worrying about self-incrimination) but failed to return his £500,000 advance payment. The publisher is understandably unhappy with this outcome, and intends to publish the 'world's first unauthorized autobiography' from an early draft Assange submitted. The book will be in stores tomorrow, but I'm still hoping it'll be published early on WikiLeaks..." -
Patent Attorney Breaks Down Impact of the America Invents Act
msmoriarty writes "As you probably heard, on Friday the Obama administration signed the America Invents Act, which changed our system to 'first to file.' Support for the bill itself was split in the tech industry: Microsoft and IBM (among others) supported the act, Google and Apple opposed it. Redmondmag asked a patent attorney to explain in detail the act and what impact he thinks it will have on the tech industry. According to him, there are still many open questions. From the article: 'The Act has not accomplished [first to file] harmonization in a straightforward or unambiguous way. For example, it is not clear whether a prior use or offer for sale of an invention by an inventor or joint inventor within a year of the date of filing would render the invention unpatentable.' He also said that the act clearly favors larger corporations, and he doubts it will speed up the patent process itself, which was one of its intended benefits." -
Samsung May Try To Block Next iPhone In Europe Too
phonewebcam writes with a report in The Register about the ongoing spat between Samsung and Apple. From the article: "Samsung could try to get the iPhone 5 delayed or banned in Europe, a source has told South Korea's Maeil Business Newspaper today. The Korean giant is considering a lawsuit against the next version of the Apple smartphone due in October, in the expectation that iPhone 5 will make use of some basic telecoms technology that Samsung has patented. ... It comes a day after The Korea Times quoted an anonymous Samsung exec saying that the company would attempt to do the same thing in Korea." -
Feds Call Full-Tilt Poker a 'Global Ponzi Scheme'
blair1q writes "Popular (and heavily advertised) poker website Full-Tilt Poker was sued today by the U.S. government, following an investigation that revealed it to be a massive Ponzi Scheme. The principals in the company set up a complicated system to direct funds from subscribers' poker accounts into their own bank accounts. This was in contravention of their own claim that users' money was untouched. Players' accounts amounted to $390 million, but the company only has $60 million in the bank, having over time distributed $440 million to its own directors and executives." -
Client-side Web REPL For 15+ Languages
In his first accepted submission, MaxShaw writes "repl.it is an online REPL that supports running code in 15+ languages, from Ruby to Scheme to QBasic, in the browser. It is intended as a tool for learning new languages and experimenting with code on the go. All the code is open sourced under the MIT license and available from GitHub." A few of the languages are supported by reusing existing "Foolang in Javascript" interpreters, but a number of them are built using Emscripten (previously used to build Doom for the browser). All evaluation occurs client side, but saved sessions are stored on their server. -
Mozilla Contemplating Five Week Release Cycle
MrSeb writes with an article in Extreme Tech about the ever quickening pace of Firefox development. Quoting the article: "Mozilla, not content with its monumental shift from four major builds in five years down to a new stable build every six weeks, is looking at outputting a new release every five weeks, or perhaps even less. Christian Legnitto, a project manager at Mozilla (and currently the 'release manager' of Firefox), announced the intention to shift to a shorter release cycle on Mozilla's planning mailing list. In response to one developer citing the success of the six-week release cycle, and asking whether it would be feasible to speed it up even further, Legnitto said: 'Yes, I absolutely think in the future we will shorten the cycle.' There are still some pains to overcome, though, such as add-on maintenance, testing, and localization — and ultimately, as browsers become more like operating systems, do we really want something as important as Firefox receiving a new major version every 5 weeks?" In other news, it looks like Firefox is losing users faster than ever despite (because of?) the new rapid release cycle. -
Ask Slashdot: Recovering Data From 20-Year-Old Diskettes?
First time accepted submitter Zilog writes "The end of the 3.5-inch floppy and the disappearance of associated drives showed to me the need to backup the tens of diskettes that accompanied my youth. Carefully preserved, these diskettes have proved readable for the most part — while some are approaching 20 years old. However, some diskettes have shown surface defects in areas with compressed archives (zip). Any ideas on how to recover (as much as possible) these bad sectors?" -
Ask Jennifer Granick About Computer Crime Defense
Attorney Jennifer Granick has defended many high profile hackers, including researcher Christopher Soghoian, creator of a fake boarding pass generator (2006); Michael Lynn versus Cisco/ISS (2005); Jerome Heckenkamp; and Luke Smith and Nelson Pavlosky in Online Policy Group v. Diebold Election Systems (now Premier Election Solutions), a copyright misuse case related to electronic voting. Granick also won an exemption from the U.S. Copyright Office in 2006 allowing phone unlocking despite the anti-circumvention provisions of the Digital Millennium Copyright Act, which set the stage for renewal of the exemption and for the jailbreaking exemption in 2009. At Stanford, Granick worked with Lawrence Lessig on constitutional copyright cases and taught six years worth of law students about computers, technology and civil liberties. While Civil Liberties Director at the EFF, Granick started the Coders' Rights Project and participated in litigation against ATT and the federal government for violation of surveillance regulations. Now an attorney at ZwillGen PLLC, Granick assists individuals and companies creating new products and services. And now, she's graciously agreed to answer your questions. Please, as usual, ask as many questions as you'd like, but confine each question to a separate post. -
Ask Jennifer Granick About Computer Crime Defense
Attorney Jennifer Granick has defended many high profile hackers, including researcher Christopher Soghoian, creator of a fake boarding pass generator (2006); Michael Lynn versus Cisco/ISS (2005); Jerome Heckenkamp; and Luke Smith and Nelson Pavlosky in Online Policy Group v. Diebold Election Systems (now Premier Election Solutions), a copyright misuse case related to electronic voting. Granick also won an exemption from the U.S. Copyright Office in 2006 allowing phone unlocking despite the anti-circumvention provisions of the Digital Millennium Copyright Act, which set the stage for renewal of the exemption and for the jailbreaking exemption in 2009. At Stanford, Granick worked with Lawrence Lessig on constitutional copyright cases and taught six years worth of law students about computers, technology and civil liberties. While Civil Liberties Director at the EFF, Granick started the Coders' Rights Project and participated in litigation against ATT and the federal government for violation of surveillance regulations. Now an attorney at ZwillGen PLLC, Granick assists individuals and companies creating new products and services. And now, she's graciously agreed to answer your questions. Please, as usual, ask as many questions as you'd like, but confine each question to a separate post. -
Gene Therapy May Thwart HIV
sciencehabit writes "Over the past few years, a man living in Berlin, Timothy Brown, has become world famous as the first — and thus far only — person to apparently have been cured of his HIV infection. Brown's HIV disappeared after he developed leukemia and doctors gave him repeated blood transfusions from a donor who harbored a mutated version of a receptor the virus uses to enter cells. Now, researchers report promising results from two small gene-therapy studies that mimic this strategy, hinting that the field may be moving closer to a cure that works for the masses." -
Google Wallet Launches With $10 Credit
Following up on our digital wallet discussion yesterday, CWmike writes "Google officially launched its Google Wallet application today for NFC-ready Sprint Nexus S 4G phone users. The application launches initially for Citi MasterCard credit card holders, but Google also said today that Visa, Discover and American Express will be able to add their cards to future versions of Google Wallet. The application, first announced in May, was described in an official blog post. Visa said in a separate statement that it has licensed Google to use Visa's PayWave technology, used in 'hundreds of thousands' of terminals worldwide. But Visa didn't describe a timeline for when that function would be enabled. Google said it will allow users to add any bank card to a Google Prepaid Card and they will receive $10 to try the service." Reviews of the service are popping up, and many seem to say the same thing; when it works, it's great, but your real wallet isn't going anywhere. -
Artificial Blood Vessels Created On a 3D Printer
rallymatte writes "A team at Fraunhofer Institute in Germany has managed to create artificial blood vessels with a 3D printer that may come to be used for transplants of lab-created organs. From the article: 'To print something as small and complex as a blood vessel, the scientists combined the 3D printing technology with two-photon polymerisation — shining intense laser beams onto the material to stimulate the molecules in a very small focus point.'" -
The (Big) Problem With RIM
An anonymous reader writes "Research in Motion, by all accounts, had a terrible week. But things might get even worse. The Canadian technology company posted dismal quarterly earnings numbers, missing revenue and sales targets, while margins continued to shrink. Co-CEO Mike Lazaridis conceded the PlayBook had been thwarted by a lack of apps and content, not necessarily by a weak platform. Like Apple with its iOS, and Microsoft with Windows, creating a successful platform will be dependent on the eco-system it supports, but RIM hasn't shown ability to foster that." Speculation has begun as to whether or not RIM will wind up having a PlayBook firesale in the same vein as the TouchPad. -
Evaluating the 'Doofus Factor' In Corporate Governance
PolygamousRanchKid writes with this quote from an article in the Economist: "The directors of Yahoo! were 'so spooked by being cast as the worst board in the country' that they fired Carol Bartz as chief executive 'to show that they're not the doofuses that they are.' That was Ms Bartz's typically blunt verdict, offered to Fortune after she was dismissed with a phone call by the internet firm's chairman, Roy Bostock, on September 6th. She would say that. Yet Ms Bartz's criticisms of the board have been sympathetically received. Firing a chief executive by phone smacks of hasty, panicky decision-making. And Yahoo!'s board already had a poor reputation, having turned down an offer from Microsoft that valued the firm at several times what it is worth today. It is not just Yahoo!'s board that is feeling the heat. The directors of HP, another stumbling Silicon Valley giant, have been accused of serial ineptitude spanning the appointment and dismissal of Carly Fiorina as chief executive, the firing of her successor, Mark Hurd, and the selection of his replacement, Léo Apotheker. ... There is growing demand for boards to undergo a formal evaluation process, to assess both the performance of each individual board member and how they work together as a group. The European Union is considering new regulations that would require an independent evaluation of the board every three years." -
Court Reinstates $675k File Sharing Verdict
FunPika writes with this excerpt from Wired: "A federal appeals court on Friday reinstated a whopping $675,000 file sharing verdict that a jury levied against a Boston college student for making 30 tracks of music available on a peer-to-peer network. The decision by the 1st U.S. Circuit Court of Appeals reverses a federal judge who slashed the award as 'unconstitutionally excessive.' U.S. District Judge Nancy Gertner of Boston reduced the verdict to $67,500, or $2,250 for each of the 30 tracks defendant Joel Tenenbaum unlawfully downloaded and shared on Kazaa, a popular file sharing peer-to-peer service. The Recording Industry Association of America and Tenenbaum both appealed in what has been the nation's second RIAA file sharing case to ever reach a jury. The Obama administration argued in support of the original award, and said the judge went too far when addressing the constitutionality of the Copyright Act's damages provisions. The act allows damages of up to $150,000 a track." Update: 09/17 21:32 GMT by S : As it turns out, the article's explanation of the decision is a bit lacking; read on for NewYorkCountryLawyer's more accurate explanation. NYCL writes, "The 1st Circuit Court of Appeals has declined to reach the Due Process issue in SONY BMG Music Entertainment v. Tenenbaum. In a 65-page decision (PDF), which rejected all of Tenebaum's counsel's other arguments, and which otherwise praised Judge Gertner's handling of the trial, the First Circuit felt that under the doctrines of judicial restraint and constitutional avoidance, it was premature to decide the constitutional issue without first disposing of the defendant's motion on common law, remittitur grounds. The Court gave several examples of scenarios which might have occurred, had the lower court decided the remittitur question, which would have avoided embarking down the constitutional path." -
Court Reinstates $675k File Sharing Verdict
FunPika writes with this excerpt from Wired: "A federal appeals court on Friday reinstated a whopping $675,000 file sharing verdict that a jury levied against a Boston college student for making 30 tracks of music available on a peer-to-peer network. The decision by the 1st U.S. Circuit Court of Appeals reverses a federal judge who slashed the award as 'unconstitutionally excessive.' U.S. District Judge Nancy Gertner of Boston reduced the verdict to $67,500, or $2,250 for each of the 30 tracks defendant Joel Tenenbaum unlawfully downloaded and shared on Kazaa, a popular file sharing peer-to-peer service. The Recording Industry Association of America and Tenenbaum both appealed in what has been the nation's second RIAA file sharing case to ever reach a jury. The Obama administration argued in support of the original award, and said the judge went too far when addressing the constitutionality of the Copyright Act's damages provisions. The act allows damages of up to $150,000 a track." Update: 09/17 21:32 GMT by S : As it turns out, the article's explanation of the decision is a bit lacking; read on for NewYorkCountryLawyer's more accurate explanation. NYCL writes, "The 1st Circuit Court of Appeals has declined to reach the Due Process issue in SONY BMG Music Entertainment v. Tenenbaum. In a 65-page decision (PDF), which rejected all of Tenebaum's counsel's other arguments, and which otherwise praised Judge Gertner's handling of the trial, the First Circuit felt that under the doctrines of judicial restraint and constitutional avoidance, it was premature to decide the constitutional issue without first disposing of the defendant's motion on common law, remittitur grounds. The Court gave several examples of scenarios which might have occurred, had the lower court decided the remittitur question, which would have avoided embarking down the constitutional path." -
CRTC Tells Rogers To Stop Throttling Online Gamers
Meshach writes "Recently Canada's telecommunications regulator revealed that net neutrality was failing and that throttling was taking place. Apparently several months later things have not improved and Canada's telecommunications regulator on Friday gave Rogers Communications Inc., 'mere days' to stop throttling online games." -
Ballmer Hints At 'Metro-ization' of Office
CWmike writes "Microsoft's CEO strongly hinted this week that the company will craft a Metro-style version of the next Office suite. 'You ought to expect that we are rethinking and working hard on what it would mean to do Office Metro style,' Ballmer told a Wall Street analyst. Metro, a tile- and touch-based interface borrowed from Windows Phone 7, would be a massive change for Office, one that would dwarf the 'ribbonization' that set off a firestorm of complaints about Office 2007's new look. The criticism died down, and Microsoft later extended the ribbon in Office 2010 and Windows 7. It will ribbonize other components of Windows 8, notably the OS's file manager. One analyst believes Metro Office is a done deal. 'I think they need something in Metro to enable people to work on documents on tablets,' said Rob Helm, an analyst with Directions on Microsoft. 'They need something on ARM.'" -
Seven States Pile On To Block AT&T/T-Mobile Deal
An anonymous reader writes "New York, California, and five other U.S. states have joined a lawsuit initiated by the Department of Justice that would block AT&T's merger with T-Mobile. 'The revised filing comes ahead of a court hearing next week, when the two sides are scheduled to discuss the prospects of a settlement. AT&T has said that it will contest the Justice Department's lawsuit, while also seeking a potential settlement.' CNet notes that 'States don't have the power to block the deal, but they can influence the federal regulators and make it more onerous if AT&T attempts to negotiate for concessions to close the deal. They can also slow down the process with their own lawsuits.'" -
Did HP Bilk Its Shareholders?
jfruhlinger writes "About a month ago, HP announced that it was getting out of the PC, tablet, and mobile phone business to focus on software services, at which point, rather predictably, HP's stock plunged. Obviously, HP's leadership had been working on this plan for some time before it was announced, which leads to the question: did they deliberately mislead their stockholders by not being more transparent? That's what a shareholder lawsuit against the company alleges. How the courts treat the suit could have interesting implications for how transparent public corporations need to be about future strategy." -
Seismologist Manslaughter Trial Begins Next Week
El Puerco Loco writes with a followup to a story we discussed in May about the manslaughter charges facing six seismologists and one government official in Italy after an earthquake there killed 309 people and destroyed 20,000 buildings. The case is going to trial next week, and an article at Nature provides an update on how things stand: "The indictments have drawn global condemnation. The American Geophysical Union and the American Association for the Advancement of Science (AAAS), both in Washington DC, issued statements in support of the Italian defendants. ... The view from L'Aquila, however, is quite different. Prosecutors and the families of victims alike say that the trial has nothing to do with the ability to predict earthquakes, and everything to do with the failure of government-appointed scientists serving on an advisory panel to adequately evaluate, and then communicate, the potential risk to the local population. ... [The charges allege that the defendants] provided 'incomplete, imprecise, and contradictory information' to a public that had been unnerved by months of persistent, low-level tremors. [Prosecutor Fabio Picuti] says that the commission was more interested in pacifying the local population than in giving clear advice about earthquake preparedness. 'I'm not crazy,' Picuti says. 'I know they can't predict earthquakes. The basis of the charges is not that they didn't predict the earthquake. As functionaries of the state, they had certain duties imposed by law: to evaluate and characterize the risks that were present in L'Aquila.'" -
Senate Lets Teachers, Students Be Facebook Friends
An anonymous reader writes "The Missouri State Teachers Association (MSTA) has managed to secure another win in its battle against a new law regarding social networking with students. A repeal of the recently passed law has unanimously passed the Missouri state Senate." -
Wolfenstein Ray Traced and Anti-Aliased, At 1080p
An anonymous reader writes "After Intel displayed their research demo Wolfenstein: Ray Traced on Tablets, the latest progress at IDF focuses on high(est)-end gaming now running at 1080p. Besides image-based post-processing (HDR, Depth of Field) there is now also an implementation of a smart way of calculating anti-aliasing through using mesh IDs and normals and applying adaptive 16x supersampling. All that is powered by the 'cloud,' consisting of a server that holds eight Knights Ferry cards (total of 256 cores / 1024 threads). A lot of hardware, but the next iteration of the 'Many Integrated Core' (MIC) architecture, named Knights Corner (and featuring 50+ cores), might be just around the corner." -
Book Review: Metasploit The Penetration Tester's Guide
eldavojohn writes "The Metasploit Framework has come a long way and currently allows just about anyone to configure and execute exploits effortlessly. Metasploit: The Penetration Tester's Guide takes current documentation further and provides a valuable resource for people who are interested in security but don't have the time or money to take a training class on Metasploit. The highlights of the book rest on the examples provided to the reader as exercises in exploiting several older versions of operating systems like Windows XP and Ubuntu while at the same time avoiding triggering antivirus or detection. The only weak point of this book is that a couple chapters refer the reader to external texts (on stacks and registers) in order to meet requirements for crafting exploits. The book also gives the reader a brief warning on ethics as many of these exploits and techniques would most likely work on many sites and networks. If you're wondering how seemingly inexperienced groups like lulzsec constantly claim victims, this would be an excellent read." Keep reading for the rest of eldavojohn's review. Metasploit The Penetration Tester's Guide author David Kennedy, Jim O'Gorman, Devon Kearns, and Mati Aharoni pages 300 publisher No Starch Press, Inc. rating 10/10 reviewer eldavojohn ISBN 978-1593272883 summary A thorough guide to penetration testing with the Metasploit Framework. In 2007, Metasploit was migrated from Perl to Ruby. The book opens with a brief history of the framework and mentions this but does not address any complaints of performance loss. Instead, the authors argues that this increased contributions and adoptions. As a result, all the code in this book (which the exception of some SQL payloads) is written in Ruby. If you don't know Ruby but you know many other languages, it's a fairly simple language to pick up.
The first chapter of this book clearly indicates that the objective is to empower white hat hackers and researchers. They lay down a predefined set of phases that one takes while pen testing a target. They are Pre-engagement Interactions, Intelligence Gathering, Threat Modeling, Vulnerability Analysis, Exploitation, Post Exploitation and Reporting. Chapter two covers the terminology that is used across the Metasploit Framework so if you're unfamiliar with concepts like 'shellcode' or 'payload' this chapter will set you straight. It also mentions a UI for Metasploit called Armitrage but my personal tastes kept me using the minimal MSFConsole and MSFcli.
Chapter three begins to cover intelligence gathering and covers everything from the basic whois tool to writing your own custom scanner. The chapter does a great job of carefully explaining in detail the difference between passive and active scanning. The stealth TCP scan that nmap provides was a new thing for me and the chapter also details how Metasploit can use several database technologies to record and store the results of your scans to be used later on. The chapter shows how to use Metasploit to scan ports, server message blocks, MS SQL servers, SSH servers, FTP and simple network management protocol sweeping. Most of these techniques are a few quick commands in Metasploit's console and with Ruby mixins the chapter illustrates how to write your own scanner for use in Metasploit in about 20 lines of code. But all of this is just to get a grasp of what's up and running on the server.
Chapter four starts to get interesting with actual vulnerability scanning. Banner grabbing is an important technique in pen testing and the book suggests using NeXpose community edition (also a Rapid7 tool). This is covered in more detail in the appendix but NeXpose is a web GUI interface for scanning, storing and managing site scans. This provides great reporting features, it's intuitive and reduces everything to point-and-click for the user. But luckily this tool can also be run from the console (something I preferred). The chapter also covers another popular scanner called Nessus and shows to import the results to Metasploit for use. The chapter also includes noisy options like SMB login scanning or just looking for open VNC or X11 servers. Mentioned here first (but also frequently later in the book) is Back|Track for connecting to such targets. Something neat about this chapter is that if you don't care that your target knows you're attacking them, you can just move from these results collected with NeXpose, Nessus or OpenVAS and drop them into the 'autopwn' tool in Metasploit. It's three commands on the console and apparently works more often than it should.
Chapter five familiarizes the reader with the MSFConsole and its basic commands like showing all the exploits, payloads and targets available in the Metasploit Framework installed. These are constantly updated and maintained so they often change. With that information, the chapter proceeds to step the reader through an exploit in a Windows XP SP2 (MS08-067) and then a Samba exploit in Ubuntu 9.04.
Chapter six spices things up by introducing Meterpreter that extends the Metasploit Framework to serve a shell to the exploited system and from there perform additional attacks. The chapter shows how to brute force an MS SQL server and use the stored procedure xp_cmdshell to gain remote access. Meterpreter has a lot of neat features like keystroke logging, capturing screenshots and dumping password hashes (including the pass-the-hash technique). Simple commands in meterpreter can allow the user to easily and effortlessly accomplish many things: privilege escalation, token impersonation, pivoting to another system, process migration, killing antivirus software, system scraping, the list goes on. The chapter finishes by briefly mentioning an intriguing tool called Railgun that I wish they had spent more time on.
Chapter seven covers avoiding antivirus detection through tools like msfencode (to avoid your exploit being fingerprinted). Even better is encoding it many many times. If you know what antivirus your target uses, you can simply run the antivirus on your encoded exploit on your local machine to see if it's picked up. The chapter also covers the basics on continuing normal execution of a backdoored executable and packers that compress an executable for you with decompression code built in.
The book gets progressively more technical with chapter eight focusing on client side attacks. The chapter covers the NOP slide technique and also introduces the Immunity Debugger. It covers the Internet Explorer Aurora Exploit (MS10.002) as an end of chapter exercise for the reader to do. Chapter nine takes a quite look at Metasploit's auxiliary modules that allow the user to do many other things than just exploits. They run through the source of a mischievous Foursquare Location Poster that can make you appear to be everywhere on Foursquare. They also cover heap spraying attacks in web browsers — a topic that was particularly discomforting for me considering how long I often leave my browser open for.
Chapter ten was probably one of the more boring for me but a very important tool for pen testers. It shows how to turn the Metasploit Framework into a social exploitation tool that can be used to send templated e-mails to distribution lists. The intent of this, of course, is to get one user in a large company to click on a site that looks like their company's homepage and perhaps enter their credentials. By just selecting from lists of options, you can create java applet exploits that appear to be legitimately signed, clone a website like gmail and harvest credentials, tabnabbing, webjacking, man-left-in-the-middle and finally mixing those all together in a multipronged attack. The next chapter is just more exploits via Fast-Track (an open source Python based tool that builds on top of Metasploit).
Chapter twelve covers Karmetasploit, a Metasploit implementation of the wireless security tool Karma. The strategy of this exploit is to present your machine as a wireless access point. When a user connects, you can use karmetasploit to host fake webpages and grab their credentials or even gain shell access through a client side attack. Knowing how frequently people attach to anything in coffee shops and airports, this sort of attack could be particularly brutal and extremely easy to execute given Metasploit's simplicity for users.
The final chapters do an okay job of showing you how to first build your own module for Metasploit in chapter thirteen. Then in fourteen, the book looks at building your own exploit and goes into detail about fuzzing applications on your local machine and using the Immunity Debugger to look at what's happening given the fuzzed input. What follows is a lengthy discussion of the Structured Exception Handler (SEH) and the Next SEH (NSEH) and how you can manipulate registers and utilize JMPs to hit a NOP slide into your shellcode. This is one of the longest and most complicated chapters with probably the most technically intensive writing. I would like to see further editions of this book expand on things like this as it was important for me as a software developer to understand how these attacks are manufactured.
Chapter fifteen was similar to fourteen but showed how to port exploits to the metasploit framework. This chapter covers more so the general guidelines for writing exploits for the metasploit framework and doing it so that you leverage metasploit's flexibility. Chapter sixteen covers the scripting abilities of meterpreter and customizing that to execute further exploits once you have access to a target machine with meterpreter.
The final chapter brings the key steps together for a simulated penetration testing of a preconfigured system with web server (the book lists the Pirate Bay as a source of this torrent). As you work through this chapter, the phases of pen testing are exercised with all the aforementioned strategies employed.
This book was a real eye opener to read for a software developer. I haven't done formal pen testing aside from testing my own code so a lot of these advanced concepts were new to me. I enjoyed how the code was laid out with circled numbers marking code (instead of every line being numbered) that were referenced later in the text. I hope future editions of this book provide progressively more and more material as there's clearly a lot of sections that are condensed into a few paragraphs but could be expanded upon almost endlessly. I'm glad this sort of tool didn't exist during my younger more mischievous years as this book demonstrates that it could be used for gaining access to just about anything (depending on how much free time and skill you have).
You can purchase Metasploit: The Penetration Tester's Guide from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Book Review: Metasploit The Penetration Tester's Guide
eldavojohn writes "The Metasploit Framework has come a long way and currently allows just about anyone to configure and execute exploits effortlessly. Metasploit: The Penetration Tester's Guide takes current documentation further and provides a valuable resource for people who are interested in security but don't have the time or money to take a training class on Metasploit. The highlights of the book rest on the examples provided to the reader as exercises in exploiting several older versions of operating systems like Windows XP and Ubuntu while at the same time avoiding triggering antivirus or detection. The only weak point of this book is that a couple chapters refer the reader to external texts (on stacks and registers) in order to meet requirements for crafting exploits. The book also gives the reader a brief warning on ethics as many of these exploits and techniques would most likely work on many sites and networks. If you're wondering how seemingly inexperienced groups like lulzsec constantly claim victims, this would be an excellent read." Keep reading for the rest of eldavojohn's review. Metasploit The Penetration Tester's Guide author David Kennedy, Jim O'Gorman, Devon Kearns, and Mati Aharoni pages 300 publisher No Starch Press, Inc. rating 10/10 reviewer eldavojohn ISBN 978-1593272883 summary A thorough guide to penetration testing with the Metasploit Framework. In 2007, Metasploit was migrated from Perl to Ruby. The book opens with a brief history of the framework and mentions this but does not address any complaints of performance loss. Instead, the authors argues that this increased contributions and adoptions. As a result, all the code in this book (which the exception of some SQL payloads) is written in Ruby. If you don't know Ruby but you know many other languages, it's a fairly simple language to pick up.
The first chapter of this book clearly indicates that the objective is to empower white hat hackers and researchers. They lay down a predefined set of phases that one takes while pen testing a target. They are Pre-engagement Interactions, Intelligence Gathering, Threat Modeling, Vulnerability Analysis, Exploitation, Post Exploitation and Reporting. Chapter two covers the terminology that is used across the Metasploit Framework so if you're unfamiliar with concepts like 'shellcode' or 'payload' this chapter will set you straight. It also mentions a UI for Metasploit called Armitrage but my personal tastes kept me using the minimal MSFConsole and MSFcli.
Chapter three begins to cover intelligence gathering and covers everything from the basic whois tool to writing your own custom scanner. The chapter does a great job of carefully explaining in detail the difference between passive and active scanning. The stealth TCP scan that nmap provides was a new thing for me and the chapter also details how Metasploit can use several database technologies to record and store the results of your scans to be used later on. The chapter shows how to use Metasploit to scan ports, server message blocks, MS SQL servers, SSH servers, FTP and simple network management protocol sweeping. Most of these techniques are a few quick commands in Metasploit's console and with Ruby mixins the chapter illustrates how to write your own scanner for use in Metasploit in about 20 lines of code. But all of this is just to get a grasp of what's up and running on the server.
Chapter four starts to get interesting with actual vulnerability scanning. Banner grabbing is an important technique in pen testing and the book suggests using NeXpose community edition (also a Rapid7 tool). This is covered in more detail in the appendix but NeXpose is a web GUI interface for scanning, storing and managing site scans. This provides great reporting features, it's intuitive and reduces everything to point-and-click for the user. But luckily this tool can also be run from the console (something I preferred). The chapter also covers another popular scanner called Nessus and shows to import the results to Metasploit for use. The chapter also includes noisy options like SMB login scanning or just looking for open VNC or X11 servers. Mentioned here first (but also frequently later in the book) is Back|Track for connecting to such targets. Something neat about this chapter is that if you don't care that your target knows you're attacking them, you can just move from these results collected with NeXpose, Nessus or OpenVAS and drop them into the 'autopwn' tool in Metasploit. It's three commands on the console and apparently works more often than it should.
Chapter five familiarizes the reader with the MSFConsole and its basic commands like showing all the exploits, payloads and targets available in the Metasploit Framework installed. These are constantly updated and maintained so they often change. With that information, the chapter proceeds to step the reader through an exploit in a Windows XP SP2 (MS08-067) and then a Samba exploit in Ubuntu 9.04.
Chapter six spices things up by introducing Meterpreter that extends the Metasploit Framework to serve a shell to the exploited system and from there perform additional attacks. The chapter shows how to brute force an MS SQL server and use the stored procedure xp_cmdshell to gain remote access. Meterpreter has a lot of neat features like keystroke logging, capturing screenshots and dumping password hashes (including the pass-the-hash technique). Simple commands in meterpreter can allow the user to easily and effortlessly accomplish many things: privilege escalation, token impersonation, pivoting to another system, process migration, killing antivirus software, system scraping, the list goes on. The chapter finishes by briefly mentioning an intriguing tool called Railgun that I wish they had spent more time on.
Chapter seven covers avoiding antivirus detection through tools like msfencode (to avoid your exploit being fingerprinted). Even better is encoding it many many times. If you know what antivirus your target uses, you can simply run the antivirus on your encoded exploit on your local machine to see if it's picked up. The chapter also covers the basics on continuing normal execution of a backdoored executable and packers that compress an executable for you with decompression code built in.
The book gets progressively more technical with chapter eight focusing on client side attacks. The chapter covers the NOP slide technique and also introduces the Immunity Debugger. It covers the Internet Explorer Aurora Exploit (MS10.002) as an end of chapter exercise for the reader to do. Chapter nine takes a quite look at Metasploit's auxiliary modules that allow the user to do many other things than just exploits. They run through the source of a mischievous Foursquare Location Poster that can make you appear to be everywhere on Foursquare. They also cover heap spraying attacks in web browsers — a topic that was particularly discomforting for me considering how long I often leave my browser open for.
Chapter ten was probably one of the more boring for me but a very important tool for pen testers. It shows how to turn the Metasploit Framework into a social exploitation tool that can be used to send templated e-mails to distribution lists. The intent of this, of course, is to get one user in a large company to click on a site that looks like their company's homepage and perhaps enter their credentials. By just selecting from lists of options, you can create java applet exploits that appear to be legitimately signed, clone a website like gmail and harvest credentials, tabnabbing, webjacking, man-left-in-the-middle and finally mixing those all together in a multipronged attack. The next chapter is just more exploits via Fast-Track (an open source Python based tool that builds on top of Metasploit).
Chapter twelve covers Karmetasploit, a Metasploit implementation of the wireless security tool Karma. The strategy of this exploit is to present your machine as a wireless access point. When a user connects, you can use karmetasploit to host fake webpages and grab their credentials or even gain shell access through a client side attack. Knowing how frequently people attach to anything in coffee shops and airports, this sort of attack could be particularly brutal and extremely easy to execute given Metasploit's simplicity for users.
The final chapters do an okay job of showing you how to first build your own module for Metasploit in chapter thirteen. Then in fourteen, the book looks at building your own exploit and goes into detail about fuzzing applications on your local machine and using the Immunity Debugger to look at what's happening given the fuzzed input. What follows is a lengthy discussion of the Structured Exception Handler (SEH) and the Next SEH (NSEH) and how you can manipulate registers and utilize JMPs to hit a NOP slide into your shellcode. This is one of the longest and most complicated chapters with probably the most technically intensive writing. I would like to see further editions of this book expand on things like this as it was important for me as a software developer to understand how these attacks are manufactured.
Chapter fifteen was similar to fourteen but showed how to port exploits to the metasploit framework. This chapter covers more so the general guidelines for writing exploits for the metasploit framework and doing it so that you leverage metasploit's flexibility. Chapter sixteen covers the scripting abilities of meterpreter and customizing that to execute further exploits once you have access to a target machine with meterpreter.
The final chapter brings the key steps together for a simulated penetration testing of a preconfigured system with web server (the book lists the Pirate Bay as a source of this torrent). As you work through this chapter, the phases of pen testing are exercised with all the aforementioned strategies employed.
This book was a real eye opener to read for a software developer. I haven't done formal pen testing aside from testing my own code so a lot of these advanced concepts were new to me. I enjoyed how the code was laid out with circled numbers marking code (instead of every line being numbered) that were referenced later in the text. I hope future editions of this book provide progressively more and more material as there's clearly a lot of sections that are condensed into a few paragraphs but could be expanded upon almost endlessly. I'm glad this sort of tool didn't exist during my younger more mischievous years as this book demonstrates that it could be used for gaining access to just about anything (depending on how much free time and skill you have).
You can purchase Metasploit: The Penetration Tester's Guide from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Eben Upton Answers Your Questions
Last week you asked the Director of the Raspberry Pi Foundation, Eben Upton, about developing an ultra-low-cost computer and running a charitable organization. Below you'll find his answers. Thanks go out to a busy Eben for responding so quickly. The role of commercial viability in education
by ronocdh
Your decision to sell the Raspberry Pi to any interested parties, not just educational institutions, seems to indicate a broad-minded approach to education, favoring transparency and open standards. What percentage of your costs do you expect to cover by selling directly to individual, hacker-type enthusiasts, versus wholesale distribution to educational institutions for inclusion in curricula?
Eben: Initially, we expect to sell almost all of our output to the hobbyist community. Our revenue models assume a roughly 50-50 mix of in-house and wholesale distribution (education and resellers) after the first year. We have a very low fixed-cost base, and will break even when we reach sales of 20-30k units per year.
One reason we’re also selling to individuals is that we believe very strongly in self-directed learning. I didn’t learn to program in a classroom; I did it by hacking on the school computers in my own time and subsequently buying a second-hand machine of my own (after saving for what seemed at the time like an eon). While there are many teachers out there who have the necessary skills to teach computer science, we realize that a large number of pupils will never encounter one of these teachers, and that the subject is generally absent from standardized curricula.
It is likely that more children will learn programming by using Raspberry Pi at home than in school. We’re investigating the possibility of establishing a prize fund to reward children who develop exceptional software under their own steam.
Power Supply
by Anonymous Coward
The requirement for an external power supply seems unfortunate given the small form factor of the computer. When so many devices can draw power from a USB port (and yes, I do acknowledge that these are USB peripherals whereas the Raspberry Pi is a USB host), the need for another cable on such a small device is probably going to be an inconvenience. I'm sure that this is a topic that generated some interesting engineering discussions during product development. Can you share with us what other alternatives may have been considered and the pros and cons of them, and how you ultimately concluded that an external power supply is necessary? 1W at 5V is 200mA, which is certainly a plausible amount of current to draw from a USB cable. It could even make sense for the Raspberry Pi to be a USB device and host a telnet server. Was this use case considered?
Eben: As it happens, the tiny USB-key form factor that David shows in the original BBC video is powered by a hacked USB hub which emits power on its host port. We focused on the USB host use case, because we see Raspberry Pi primarily as computer rather than as a peripheral, and because doing so keeps the cost and complexity of the board itself to a minimum.
We want to find a way to eliminate the power supply for some users, and hope to support a power over Ethernet module as an option at some point if there’s sufficient demand; right now our low-cost RJ-45 jack is not PoE-capable, but this will probably change.
VGA?
by ajo_arctus
I think it's an incredible project, and I'll certainly buy one for my son when they come out. I'm just wondering though if not having VGA is a bit of an oversight and I'd be interested to know why you made that tradeoff. I agree composite is great for places where old TVs are common, and HDMI is great for those of us who just want it as a novelty, it's just I can't help but feel that the people who could benefit most from this would most likely get one of these along with a free or very low cost second-hand monitor, which would almost certainly be VGA only.
Eben: The tradeoff is driven by the feature set of the BCM2835. Previous products in this line used an analog RGB TV output peripheral which could be hacked to drive VGA quite easily; irritatingly, for cost reasons, BCM2835 only supports single-channel (composite) video out, which prevents us from doing this.
I agree that the lack of VGA output is a very significant problem with the device, particularly in school environments, where (at least in the UK) there are often labs full of old analog monitors. Although we can’t afford to add chips to the baseline device to support it, we’re investigating three routes to add VGA compatibility in the future:
Supporting monochrome output directly using our single-channel analog TV interface.
Bridging from the HDMI/DVI output to VGA using an add-on board or “smart cable”.
Bridging from the onboard MIPI DSI interface in the same way.
This is right at the top of our follow-on project list, once the main boards are out of the door.
More enbedded features?
by Anonymous Coward
Love the concept, and will probably buy at least a couple of the model B.
I was wondering if you plan to have future models with more embedded features (like Bluetooth, WiFi, and GPS)? I know this would raise the cost, but with smartphones including all those things, I wouldn't think that it would be too expensive.
Great work, can't wait to pick mine up.
Eben: Glad to hear you like the concept. We’re investigating the possibility of adding exactly the three interfaces you mention to a future version. These are available in quite cost-effective “combo chips” from a number of manufacturers, and it may be that savings from removing the Ethernet bridge chip, transformers and RJ-45 jack will go some way towards paying for the extra silicon.
FCC (and equivalent) certification of a wireless-capable version would be challenging for us with our current level of staffing, but hopefully this will change as we start to sell the Model A and B devices.
Open Sourced Schematics and Layout?
by Anonymous Coward
Are you going to open source the schematics and layout for the hardware design?If so, will they be provided in formats that are easy to use with low cost and / or free software tools such as Eagle, KiCad, or gEDA?
Eben: A qualified yes. We intend to release our schematics and board designs provided we are satisfied that the chips needed to build the device are available through distribution in reasonably small quantities. Our relationships with our component vendors are critical to the success of Raspberry Pi; we wouldn’t want to put them in a position where they were being criticized for being unwilling to provide chips directly to hobbyists.
If we do open the hardware, we’ll use a format compatible with a cheap package (Eagle would be my preference, although we’d need to check the limitations in the free version). We very much hope to be able to do this. We’ve said elsewhere that our dream scenario is that someone in China decides to copy our design and start knocking out millions of clones. Remember we’re a not-for-profit organization under English law, and all our trustees have other jobs, so we don’t have the same set of incentives as a regular company.
A cautionary note for people hoping to build these devices themselves – I don’t believe it’s feasible to assemble it manually, and the PoP memory configuration we use is beyond the reach even of some professional assembly houses.
parallel computing
by jtollefson
Since the price point on these are so low, what's the feasibility of doing mass grid computing on these machines?
Eben: I think it’s very feasible, though I have my doubts as to whether Raspberry Pi is a particularly good source of cheap MIPS. Consider that only a small fraction of our die area is occupied by the ARM core, so if you’re intending to just do CPU work you’re carrying a lot of baggage (GPU, video accelerator, camera pipeline, JPEG codec, a couple of DSPs) which isn’t being used. We’d need to run the numbers, but I expect that a $200 x86 box will give you more compute than 8 Raspberry Pis, and in a more friendly package (a two or four concurrent threads, rather than eight).
Where we may come into our own is in providing low-energy MIPS. Idle-time distributed computing applications like Folding@Home should work, and you wouldn’t need to worry about justifying the power consumption of a PC.
Java development?
by eparker05
Since the primary OS will be Debian based we can assume support for C, C++, Python, Perl, and Bash scripting. But I have heard that you would need to get Oracle involved if you wanted a Java SE JDK since the RPi is Arm based. Can you comment on whether or not this is true and, if so, have you or are you in the process of obtaining the ability to develop Java on this platform?
Eben: We’ve not looked into Java support in detail, and certainly haven’t been in touch with Oracle. Various people have suggested OpenJDK to us as a good alternative; it’s known to work well on ARM-based systems, and doesn’t require us to obtain a license.
Can You Extrapolate on Your Teaching Strategy?
by eldavojohn
I see that you plan on using C and Python for teaching languages. I recognize that I am of an older generation but grasping C in its entirety or even little endian versus big endian was something that didn't fully come around until college for me. What are your strategies for teaching even younger targets with something like C (Python, however is probably easier)? Are you developing a rigid teaching course line or just happy to have the community put anything out? Furthermore, what is the point of putting all these other languages on your wiki like Processing or Lua? Could you or someone on your staff give a brief explanation for each of these links or are they here just to inspire someone to write a tutorial for -- I don't know -- harvesting data with the Raspberry Pi and displaying it in Processing on another computer? Or do you intend the processing application to compile to ARMv6 on the device and run on the device for a UI output? I know ARMv6 is supposed to be a leaner architecture but I'm not at all familiar with the Broadcom BCM2835 that you've shown on your alpha boards. All my searches for it just link back to your site.
Eben: We’re very happy for the community to put anything out there; originally we’d planned to provide an integrated teaching curriculum built around the device, but it\s become clear that there are a lot of third parties out there with much more experience than us. The wiki is a good example – it was set up by someone else, and we have very little to do with it. I’m personally a fan of putting Lua on the device, because it leads in nicely to things like Garry’s mod programming on the PC; we’ve supplied an alpha board to a Cambridge-area developer who is working on a Lua port.
BCM2835 is a new application processor, derived from the BCM2763 graphics processor, which does get a mention on the Broadcom web site. Most applications are likely to run on the device with local UI output, though there have been people on our forums talking about using them for remote data logging.
Introduction to programming
by simonloach
The raspberry pi is meant to introduce programming concepts to school-level children.
My question is: How are you planning on doing this from a UI perspective? The BBC micro (as far as I can tell, a little before my time) simply dropped the user into a BASIC prompt and left the rest to their imagination. This seems like a pretty fundamental design question for the raspberry pi, but I haven't been able to find a clear answer yet.
Eben: If it were up to us, we’d probably just drop people into a bash (or even better, IPython) shell and let them get on with it. On the other hand, there are many people who just want to use the Raspberry Pi as a general-purpose productivity machine; for these people, we’ll need to provide a desktop environment as an option in the standard root filesystem.
I think the compromise is likely to be that we boot to a bash shell, and require the user to type ‘startx’ to get a desktop, or ‘python’ (or whatever) to start programming. Don’t expect to see a standard install boot to gdm. Because we’re nostalgic old farts, we’re also looking at making sure there’s a way for you to boot the board straight into BASIC.
It's all about the manuals
by MROD
Seeing as the aim of the project is to create a tinkering platform for nascent, teenage programmers I was wondering why the idea to write a full, tutorial programming manual was dropped. The whole of the early '80s micro boom and bedroom coders was based upon not on the "cheap" hardware such as the BBC Micro and the Sinclair ZX81/Spectrum but mainly the comprehensive and very educational manuals which came with them. So, why was the idea of the accompanying educational material dropped?
Eben: This is partly a resourcing issue (we’re only just able to develop the hardware and get it out of the door), and partly a realization that other people can do this much better than we can. Almost any generic Linux programming tutorial should apply to Raspberry Pi. In time perhaps we can bundle some of the best ones on the device to give people a leg up when they start; we’re already planning to do this with the excellent NeHe OpenGL ES tutorials.
We need to bear in mind how much easier it is to get access to educational material now than it was in the 1980s. I remember spending months trying to dig up information about Bresenham’s algorithm (ironically to write an Elite clone on the BBC Micro – I hope David isn’t reading this), when now you can just Google it. Access to online tutorials is one of the reasons we decided to do a Model B with a bundled Ethernet adapter. -
Nokia Announces Qt Open Governance Model
chill writes "Over the past year the Qt Developers have been working to sort out how they can make development of Qt even more inclusive and open. After exploring various options, they are now almost ready to go live with the new solution. It's taken a little longer than expected, but they are now very close to moving hosting of Qt to a new domain: qt-project.org [domain not yet live when posted]. The domain will be owned by a non-profit foundation whose only purpose is to host the infrastructure for the Qt project. More details of the changes are available at the Qt Open Governance Model wiki." -
Nokia Announces Qt Open Governance Model
chill writes "Over the past year the Qt Developers have been working to sort out how they can make development of Qt even more inclusive and open. After exploring various options, they are now almost ready to go live with the new solution. It's taken a little longer than expected, but they are now very close to moving hosting of Qt to a new domain: qt-project.org [domain not yet live when posted]. The domain will be owned by a non-profit foundation whose only purpose is to host the infrastructure for the Qt project. More details of the changes are available at the Qt Open Governance Model wiki." -
NASA Unveils Design for New Space Launch System
wooferhound writes with an article in the Orlando Sentinel about NASA's Deep Space Exploration project. From the article: "After months of debate, NASA has settled on plans for its next spaceship — a space shuttle hybrid that will fly twice in the next decade and cost $30 billion through 2021, according to senior administration officials and internal NASA documents. That NASA decided to recycle elements of the shuttle is not unexpected. Last year, Congress and the White House agreed NASA should reuse equipment from old programs and the new design — which includes a giant fuel tank and two booster rockets — largely reflects that compromise. The most noticeable change is the plane-like orbiter will be replaced by an Apollo-like crew capsule atop the tank." The Space Launch System will be powered by a combination of the Shuttle main engine for the core launch stage, and the J-2 engine (from the Saturn V project) for the upper stage. The same solid booster rockets used for Shuttle missions will be used for at least the initial unmanned launch in 2017, but NASA will have a design contest to replace them for the 2021 crewed launch and beyond. -
Cisco Emerges From Restructuring 13,000 Employees Lighter
Joining the ranks of accepted submitters, Zibodiz writes with an article in PC World about Cisco restructuring. From the article: "Cisco Systems emerged from 150 days of restructuring on Tuesday ... The networking company started to streamline its operations and refocus itself on a few core businesses earlier this year after posting disappointing financial results. The subsequent restructuring shut down its Flip consumer camcorder unit and other businesses and eliminated 12,900 jobs, with almost 23,000 employees moved in the process. Executives laid out some more details on Tuesday at Cisco's annual financial analyst conference in San Jose, California. Cisco's five areas of focus now are its core routing and switching business, collaboration, data-center virtualization, video, and tying these elements together in an overall architecture." Zibodiz further writes "Perhaps the most interesting thing to me is that Cisco had 12,900 employees that were doing things other than 'routing and switching, collaboration, virtualization, video, and ... architecture.'" -
More Info On Google's Alternative To JavaScript
I'm Not There (1956) writes "Last week the news came in that Google is supposed to unveil 'Dart,' a new programming language for browser-based apps. Now an internal email from late last year describes this project as the 'high risk/high reward' path [of Google's browser development strategy]. Apps in this new language will run in a VM on browsers that support it, and can be translated to JS for other browsers. 'Performance, developer usability, and ability to be tooled' are the main characteristics of the language." The email notes that Google will be working on ECMAScript Harmony in the near term, but they describe the project as ultimately doomed by "fundamental problems" with ECMAScript. It's interesting that Google took part in abandoning ECMAScript 4, which would have been almost fully backward compatible with current implementations while solving most of the "fundamental problems" Google claims require a brand new language to fix. -
More Info On Google's Alternative To JavaScript
I'm Not There (1956) writes "Last week the news came in that Google is supposed to unveil 'Dart,' a new programming language for browser-based apps. Now an internal email from late last year describes this project as the 'high risk/high reward' path [of Google's browser development strategy]. Apps in this new language will run in a VM on browsers that support it, and can be translated to JS for other browsers. 'Performance, developer usability, and ability to be tooled' are the main characteristics of the language." The email notes that Google will be working on ECMAScript Harmony in the near term, but they describe the project as ultimately doomed by "fundamental problems" with ECMAScript. It's interesting that Google took part in abandoning ECMAScript 4, which would have been almost fully backward compatible with current implementations while solving most of the "fundamental problems" Google claims require a brand new language to fix. -
US Launches Criminal Probe in eBay-Craigslist Trade Secrets Case
angry tapir writes with an article in Tech World about the longstanding spat between eBay and Craigslist expanding from a civil case into criminal case. From the article: "The U.S. Department of Justice has opened an investigation into whether eBay executives broke the law and stole trade secrets while sitting on the board of Craigslist.org. The investigation is centered on the activities of eBay executives who managed the Craigslist relationship between 2004 and 2007, a period when eBay morphed from a US$30 million Craigslist investor, with a seat on its board of directors, into a direct competitor in the lucrative online classified advertising market." -
Google Unveils Flight Search
Google announced today the availability of Flight Search, the product of their acquisition of ITA Software last year. "Starting today, when you search for flight information on Google, for example 'flights from Chicago to Denver,' you will see a 'Flights' link in the left-hand panel. This link leads to our new Flight Search feature, and is offered in addition to the flight schedules which have been available since May." Google says they're continuing to develop the service, and added that the results are "not influenced by any paid relationships." -
Court Denies EPIC's Rehearing Request, Awards Fees
OverTheGeicoE writes "The Electronic Privacy Information Center posted a news release about the DC Circuit Court awarding them attorneys fees yesterday. They are to receive $21,482 in attorneys fees for an open government lawsuit against DHS that ultimately released documents about DHS's airport body scanner program. EPIC used these released documents in EPIC v. DHS, another lawsuit that attempts to end the use of airport body scanners. At the end of an e-mailed version of this news release (EPIC Alert 18.18, not yet posted on the Web), EPIC states that 'EPIC requested an en banc review of the court's decision not to suspend, but, on September 12, 2011, the court declined the request.' Is this the end of EPIC v. DHS, or does this simply open the door for an appeal to the Supreme Court?" The complete ruling (PDF) is available. -
Hotfile Sues Warner Bros Over Abuse of Takedown Tool
schwit1 writes with a piece in Torrent Freak about ongoing litigation between Hotfile and a few movie studios. From the article: "Hotfile has sued Warner Bros. for fraud and abuse. Hotfile accuses the movie studio of systematically abusing its anti-piracy tool by taking down hundreds of titles they don't hold the copyrights to, including open source software. Among other things, Hotfile is looking for damages to compensate the company for the losses they suffered." Near the end of the article it is mentioned that files taken down by the tool were replaced with links to legally procure similar works from Warner Bros. -
Happy Programmer Day!
netbuzz writes "As made-up holidays go, today's event – Programmer Day – doesn't get the attention or respect of, say, SysAdmin Day or Talk Like a Pirate Day. (One exception appears to be Russia, where 'Programmers' Day' has been 'officially recognized' since 2009.) Yet programmers and their fans are taking to public forums, if not in droves at least in growing groups, to give coders their due respect." -
Of Diamond Planets, Climate Change, and the Scientific Method
A few weeks ago, we discussed the discovery of a diamond planet in orbit around a pulsar. One of the researchers behind the discovery has now written a followup article about reaction to the news from the media and laypeople. Quoting: "The attention we received was 100% positive, but how different that could have been. How so? Well, we could have been climate scientists. ... Instead of sitting back and basking in the glory, I suspect we’d find a lot of commentators, many with no scientific qualifications, pouring scorn on our findings. People on the fringe of science would be quoted as opponents of our work, arguing that it was nothing more than a theory yet to be conclusively proven. There would be doubt cast on the interpretation of our data and conjecture about whether we were “buddies” with the journal referees. If our opponents dug really deep they might even find that I’d once written a paper on a similar topic that had to be retracted. Before long our credibility and findings would be under serious question. But luckily we’re not climate scientists." -
Authors' Guild Goes After University Book Digitization Projects
An anonymous reader sends this excerpt from Ars Technica: "With the planned settlement between Google and book publishers still on indefinite hold, a legal battle by proxy has started. Google partnered with many libraries at US universities in order to gain access to the works it wants to digitize. Now, several groups that represent book authors have filed suit against those universities, attempting to block both digital lending and an orphaned works project. The suit is being brought by the Authors' Guild, its equivalents in Australia, Quebec, and the UK, and a large group of individual authors. Its target: some major US universities, including Michigan, the University of California system, and Cornell. These libraries partnered with Google to get their book digitization efforts off the ground and, in return, Google has provided them with digital copies of the works. These and many other universities have also become involved with the HathiTrust, an organization set up to help them archive and distribute digital works; the HathiTrust is also named as a defendant." -
Fusion Garage Going After Lower-Price Tablet Market
nk497 writes "Fusion Garage has dropped the price of its follow-up to the JooJoo tablet, cutting the Grid10's price by $200 to $299 in the US and £259 in the UK. Outspoken CEO Chandrasekar Rathakrishnan has clearly been following the HP TouchPad fire sale, and noticed the importance of price when it comes to taking on Apple's iPad. He said there's no point in buying 'a poor carbon copy' of the Apple tablet for the same price. 'At $499, why would you buy — it's like going to China and buying a [fake] Louis Vuitton bag, at the same price as the real Louis Vuitton bags. It doesn't make sense, when you know it's a rip-off product,' he said." -
Fusion Garage Going After Lower-Price Tablet Market
nk497 writes "Fusion Garage has dropped the price of its follow-up to the JooJoo tablet, cutting the Grid10's price by $200 to $299 in the US and £259 in the UK. Outspoken CEO Chandrasekar Rathakrishnan has clearly been following the HP TouchPad fire sale, and noticed the importance of price when it comes to taking on Apple's iPad. He said there's no point in buying 'a poor carbon copy' of the Apple tablet for the same price. 'At $499, why would you buy — it's like going to China and buying a [fake] Louis Vuitton bag, at the same price as the real Louis Vuitton bags. It doesn't make sense, when you know it's a rip-off product,' he said." -
Kevin Mitnick Answers
Last week, you asked Kevin Mitnick questions about his past, his thoughts on ethics and disclosure, and his computer set-up. He's graciously responded; read on for his answers. (No dice on the computer set-up, though.) Thanks, Kevin. Do you own a Guy Fawkes Mask?
by blair1q
Do you own a Guy Fawkes mask, or have an opinion of Anonymous' activities?
Anon & Lulzsec
by zero0ne
What are your opinions on the actions of groups like Lulzsec & Anon? Do you feel that they will, in the end, expand freedom on the net or just help government tighten the noose on Internet restrictions?
Kevin Mitnick: Sorry, I do not own a Guy Fawkes mask.
I don't think you can look at Anonymous as a single collective group. There appears to be many factions of it. Some are out there performing hacktivist activities that are being pursued with the true desire of keeping information free and holding our leaders accountable for their actions. Performing civil disobedience through illegal activities is probably not the preferred method, but I can understand what motivates these individuals.
As far as Lulzsec and other groups under the Anonymous banner that are just doing it for the "lulz," it reminds me of the prankster activities that many hackers have been involved in the past. This is part of the culture. Many of the attacks performed by these groups were going after the low-hanging fruit, and those vulnerabilities should have never been open to compromise. We trust these companies with our personal information. It is their responsibility to secure that data to the best of their ability. However, every time a major hack occurs, we are so focused on the attackers and never on the company that left your private information available to be taken. The media feeds this notion.
I don't think that the actions of groups like Anonymous will have much effect on expanding freedom on the net. Though some of their causes may be worthwhile, when you have groups like Lulzsec that just do it for the "lulz," the government has never understood these types of motivations and move harder to prosecute to make an example. So, the answer to your question is no. I would expect law enforcement would just make it a higher priority to curtail the actions of these kinds of groups.
Do as I do?
by wiedzmin
Do you lead by example, as in encourage hackers to do what you did, so that they can end-up as famous and well-paid security consultants? Or are you more of a "do as I say not as I do" type of role models?
KM: My hacking was always for personal pursuits. I never did it to make money. Naturally, I would try to dissuade anyone involved in legally questionable activities. There are so many opportunities these days to satisfy the challenge of breaking into systems and/or networks without breaking the law.
Though the fact that I am able to work as a professional security consultant and public speaker today is a blessing, the price I had to pay for it was pretty high.
How did you choose your targets?
by Rizimar
When you were hacking and breaking into systems, how did you decide which ones to break into? Was it because of the difficulty/ease of doing it with different security setups? Or was it because of the actual people/corporations/entities behind the servers and what they stood for?
KM: Usually, there was something of personal interest to me. I hacked into companies that developed operating systems to look at the source code. The reason I wanted to look at the source code was to discover security vulnerabilities in the operating system(s) that I could exploit. My goal was to become the best at hacking into any system I desired. To me it was like playing the ultimate video game, but with real world danger and consequences.
Later when I became a fugitive, I compromised cellular phone handset manufacturers to gain access to the handset source code for two reasons: (1) to create invisibility by modifying the firmware in my cellular phone; and (2) for the trophy; the harder the target, the more challenging it was to me.
Hi, Kevin. I'm one of your victims.
by Remus Shepherd
Hi, Kevin. I was told that my credit card information was among the thousands you stole from Netcom, way back in the day. I won't ask you what you did with the credit card info you stole, that might cause problems with self-incrimination. I wouldn't want that, oh no.
So let me ask this: How does it feel to be a 'respected' member of the security community now, after having frightened and hurt so many people back then? How does it feel to have the hacker community regard you as a hero when you've done some of the most amoral and harmful acts in modern computing history? I guess what I'm really asking is, how well do you sleep at night? Honestly.
KM: I did take a copy of the entire Netcom database, which also included the subscriber's credit card information, depending on the subscriber's payment method. I was never interested in the credit card information itself, only the user information associated with it that would allow me to reset passwords of Netcom users. The fact is, I was not the only one with these credit cards numbers. That database had been circulating on the Internet for months. I was merely one of many that had access to this information. This entire story is detailed in my new book — Ghost in the Wires — and once you read it, my objective for this hack will become clearer.
Was your identity ever compromised? Was your personal data ever leaked? If so, it wasn't me! That's because I never profited from my hacking activities, and there was never any disclosure of what I had come across or any of the source code materials that I obtained.
You stated: "You've done some of the most amoral and harmful acts in modern computing history?" You really need to get your facts straight. You sound like the government prosecutor who once claimed I could dial into NORAD and whistle into the phone to launch a nuclear missile. Or like the prosecutors who argued I caused 300 million dollars worth of loss by reading proprietary source code. It was a ridiculous argument.
According to the Securities and Exchange Commission rules, if any of the victim companies in my case suffered a material loss, they are required to report it to their shareholders. Did Motorola, Nokia, Fujitsu, NEC, Sun, Digital, and other public companies report any losses attributable to my conduct to their shareholders? Not at all. So did all the above companies defraud their shareholders by failing to report a loss, or did the Federal prosecutors lie in order to get me a harsh sentence? You work it out.
I paid a heavy price for my activities. I sleep like a baby!
Is it cool any more?
by Hazel Bergeron
You have gone from hacker/cracker to security consultant via quite a difficult route. If you just wanted the money, there would have been far easier ways.
Today, the most well-known kiddies tend to do something high profile but requiring little technical brilliance and move quickly to "legitimate" jobs. The majority of "security consultants" don't really have much technical knowledge at all, being more public relations/ass-covering types.
With this in mind, what advice do you have to people who like to study security for its own sake? Should they keep quiet about what they do, developing an academic career so they can research to their heart's content without commercial pressures?
Or does everyone clever sell out in the end?
KM: First of all, I disagree with your assessment that the majority of security consultants don't really have much technical knowledge. I have working relationships with numerous security people that have substantial technical skills. I encourage others to pursue their passion in security in either the commercial world or in academia depending on their goals. Even in an academic career, your pursuits will be limited, as there will always be a line. For many security professionals, they continue to research security, even on their own time, to keep up with new developments and techniques.
Cybersecurity Companies?
by bigredradio
Kevin, do you suspect any collusion on the part of cybersecurity companies such as Kapersky Labs or Avast! and virus creators? If there were not so many exploits in the wild, would there be a billion-dollar anti-virus industry?
KM: I don't know about Kaspersky but I think it's ludicrous to assert that any anti-virus company would be involved with malware creators. These are large companies and the risk of being involved in this type of unethical behavior is too great.
Responsible Disclosure?
by gcnaddict
Should you find a security vulnerability (either in an open source project, a commercial product, or a company's hosted systems), what procedure would you consider "responsible disclosure" to the parties who are considered owners of the product? I recognize that each of the three cases listed above could vary significantly.
KM: I think you have to notify the developer of the product, so that they may create a solution for the vulnerability. They should be given a reasonable amount of time to correct the situation, and then it should be made public.
NOTE — Kevin clarified with this addition: Note too, I believe the software vendor ought to pay for the vulnerability information as security researchers should be paid for their time.
cybersecurity
by Anonymous
What cybersecurity threats do you see as the most dangerous to the Internet now?
Re:cybersecurity
by zero0ne
What threat do you see as the most dangerous in 2, 5 and 10 years?
KM: Malware is probably the most substantial threat. Not only because it is so prevalent and being crafted better to avoid detection, but also because a large majority of internet users are oblivious to the dangers involved with clicking unknown links, authorizing Java Applets, opening attachments from people they don't know, and are easily fooled by average phishing attacks. People are still the weak link, and even intelligent ones make poor decisions. Case in point, the recent spearfishing attacks on Google and RSA, which proved highly effective.
Looking into the future is difficult as technology progresses so rapidly. In the next few years, as more and more corporations move towards cloud computing, these servers loaded with information are going to be the new playground for hackers. Layers of security need to be applied in any cloud-computing environment to minimize the risk.
With the recent hacks on Certificate Authorities, I would count on SSL becoming obsolete in the future and being replaced with a new, more robust secure standard, since the "web of trust" is no longer a feasible model.
With the proliferation of consumer devices coming onto the market that are internet-ready, I would expect to see more attacks at the heart of these new technologies. New devices, especially those branded by names like Apple, Microsoft, and Google, always tend to draw the attention of hackers from all over the world.
Cyberwar?
by mewsenews
The minor political movement surrounding your incarceration would likely not happen today. Hacking has become a state-sponsored activity, with China attacking Google and America/Israel attacking Iran. Do you think your life would be a lot different if you were born 10 years later?
KM: If you were asking if the circumstances would have been different had my hacking occurred ten years later, then I would say yes. The prosecutors would not have been able to convince the Court that I was a serious National Security threat, which resulted in me being held in solitary confinement for nearly a year, based on ridiculous claim that I could launch a nuclear weapon by whistling into a phone. Also, they would not have been able to claim the damages were the total R&D costs associated with the development of source code, which I merely looked at, without distributing it. I think my sentencing and treatment in the justice system would have been much different, as they would not have been able to exaggerate the harm like the Government did in my case.
Computer Setup?
by Anonymous
What is your computer setup? I mean hardware, OS, software you use to work.
KM: You send me yours along with the IP address, and I'll tell you mine. Good try at information reconnaissance.
SSA
by Anonymous
Has the gal from the Social Security Administration claimed her kiss? if so, was she hot?
KM: No, I don't know if she was hot and she has yet to contact me.
Ham radio license?
by vlm
Are you going to fight to get back your ham radio license or is that all water under the bridge now?
KM: I did fight the FCC and still have my ham radio license. The FCC allowed me to retain my license because they deemed me fully rehabilitated after a long administrative court proceeding.
"Justice ... "
by capnkr
Having experienced "justice" of a rather harsh sort (IMO, & possibly yours, too :) ) given that what you did was relatively inconsequential despite the claims otherwise, do you now do any work towards helping keep the sort of experience you had from happening again to other hackers (note: *not* 'crackers')?
KM: I have, and I do. I don't want to see someone's curiosity or desire to learn how to break into systems land him or her into prison. I remember supporting Dmitry Sklyarov when he was arrested at Defcon for exposing a bug in Adobe's e-books. I remember joining a group of people that were protesting his arrest for alleged DMCA violations in Santa Monica, California a while back.
In the end...
by NabisOne
Was it worth it? Is there an upside to your experiences the last ten years?
KM: I have no regrets in regards to my hacking experiences. I have always had a passion for learning, solving difficult challenges, and satisfying my own curiosity.
However, I do regret the effects that my activities had on my family and the companies that were damaged by my actions. I can't undo the past, and can just move forward to try and help others keep themselves safe from those trying to do them harm.
My recent experiences of the last 10 years have been nothing short of a miracle. One word has changed that for me: authorization! I now get authorization from my clients to test their security controls. -
YouTube Disables Comments and User Uploads For Korean Users
Craig Mundie may want a driver's license for the Internet, but Korea has actually implemented something of that kind. And, as first-time accepted submitter Pseudonym Authority writes, in the form of an excerpt from PC World: "Google has disabled user uploads and comments on the Korean version of its YouTube video portal in reaction to a new law that requires the real name of a contributor be listed along each contribution they make. The rules, part of a Cyber Defamation Law, came into effect on April 1 for all sites with over 100,000 unique visitors per day. It requires that users provide their real name and national ID card number." -
Ask Slashdot: Where Can I Buy Legal Game ROMs?
PktLoss writes "I'm interested in building an arcade machine, following the footsteps of Cmdr Taco among many others. Not being all that interested in piracy, I need to find somewhere to buy games. StarROMs used to be the kind of thing I was looking for, though with an incredibly short catalog. The MAME people have a few available for free (non-commercial), but this isn't going to sate my needs. There's an entire cottage industry supporting this goal. People are ready to sell me plans, kits, buttons, joy sticks, glass marquees, and entire machines. That's fantastic, but where can I get the games? I refuse to believe that this entire industry is built on piracy." -
How Game Makers Like EA Mine for Tax Breaks
Sometimes it seems like the U.S. government's relationship to commercial video games is mostly adversarial, as when public officials vilify or move to censor games (even when the results are mixed). An anonymous reader writes with a reminder that the business side of the games business has a much cozier government link, as reflected in this excerpt from the New York Times: "Because video game makers straddle the lines between software development, the entertainment industry and online retailing, they can combine tax breaks in ways that companies like Netflix and Adobe cannot. Video game developers receive such a rich assortment of incentives that even oil companies have questioned why the government should subsidize such a mature and profitable industry whose main contribution is to create amusing and sometimes antisocial entertainment." Since filling out even a simple return can be rather game-like, maybe they're just doing what they do best. -
Marking 10 Years Since 9/11/2001
10 years ago today, coordinated terrorist attacks on New York City and Washington, D.C. killed nearly 3,000 people. It wasn't the first terrorist attack directed against the U.S., or even on U.S. soil, but it was the deadliest, and came at a time of relative peace. Probably most people reading this remember where and how they heard the news. We've often discussed the consequences of the attack: security cordons, ID checks and metal detectors where none existed before, a reexamination of how U.S. policy affects international perception and attitudes, and the encroachment of surveillance policies and technology, to name a few. Today, we don’t want to inundate you with links to tributes and retrospectives, so we’ll offer the only thing we can: a look back at how the day unfolded here. Our thoughts are with everyone who lost friends and family members. -
Ask Slashdot: P2P Liability On a Shared Connection?
An anonymous reader writes "I have a roommate that insists on using BitTorrent without taking any kind of precautions. He has an affinity for downloading material that is extremely popular and high-risk. He's received a warning from a well-known media giant in the past about his file sharing, but hasn't been sued. We've recently begun living in an apartment together (with one other person) and share our Internet connection and IP address. If his p2p activity leads to someone attempting to take legal action, could I be held liable? How would our accusers differentiate between our computers if we all share the same IP address? Would they just sue the lot of us?" Some lawyers would certainly like to get a look at everything on the other side of the connection. Has anyone out there faced legal problems as a result of someone else's use of your connection?