Domain: twitter.com
Stories and comments across the archive that link to twitter.com.
Stories · 1,968
-
Ask Slashdot: How To Allow Test Takers Internet Access, But Minimize Cheating?
New submitter linjaaho writes "I work as a lecturer in a polytechnic. I think traditional exams are not measuring the problem-solving skills of engineering students, because in a normal job you can access the internet and literature when solving problems. And it is frustrating to make equation collections and things like that. It would be much easier and more practical to just let the students use the internet to find information for solving problems. The problem: how can I let the students access the internet and at the same time make sure that it is hard enough to cheat, e.g. asking for a ready solution to a problem from a site like Openstudy, or getting help via IRC or a similar tool from another student taking the exam? Of course, it is impossible to make it impossible to cheat, but how to make cheating as hard as in traditional exams?" -
Twitter Can Now Block Tweets In Specific Countries
itwbennett writes "In a blog post on Thursday, Twitter announced that it can now block individual Tweets in specific countries, while leaving them visible in other countries. 'We try to keep content up whenever and wherever we can, and we will be transparent with users when we can't,' the blog said. Twitter will publish requests it receives to block content through its partnership with Chilling Effects." -
Book Review: The Tangled Web
brothke writes "In the classic poem Inferno, Dante passes through the gates of Hell, which has the inscription abandon all hope, ye who enter here above the entrance. After reading The Tangled Web: A Guide to Securing Modern Web Applications, one gets the feeling that writing secure web code is akin to Dante's experience." Read below for Ben's review.
Title: The Tangled Web: A Guide to Securing Modern Web Applications
Author: Michal Zalewski
Pages: 320
Publisher: No Starch Press
Rating: 10/10
Reviewer: Ben Rothke
ISBN: 1593273886
Summary: Incredibly good and highly technical book on browser security coding
In this incredibly good and highly technical book, author Michal Zalewski writes that modern web applications are built on a tangled mesh of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. In the book, Zalewski dissects those subtle security consequences to show what their dangers are, and how developers can take them to heart and write secure code for browsers.
The Tangled Web: A Guide to Securing Modern Web Applications is written in the same style as Zalewski's last book, Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks, which is another highly technical and dense book on the topic. This book tackles the issues surrounding insecure web browsers. Since the browser is the portal of choice for so many users, its inherent security flaws leave the user at significant risk. The book details what developers can do to mitigate those risks.
This book starts out with the observation that while the field of information security seems to be a mature and well-defined discipline, there is not even a rudimentary usable framework for understanding and assessing the security of modern software.
In chapter 1, the book provides a brief overview of the development of the web and how so many security issues have cropped up. Zalewski writes that perhaps the most striking and nontechnical property of web browsers is that most people who use them are overwhelmingly unskilled. Given that most users simply do not know enough to use the web in a safe manner, we are left in the predicament we are in now.
Zalewski then spends the remainder of the book detailing specific problems, how they are exploited, and how they can be fixed.
In chapter 2, the book shows that something as elementary as the resolution of relative URLs is not a trivial exercise. The book details how mismatches between application-level URL filters and the browser in handling such relative references can lead to security problems.
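The mismatch described above, as an added example that is not from the book or the review: a naive application-level "is this link local?" filter placed beside what the browser actually does with the same reference, using Node's built-in WHATWG URL class. The page URL, the link targets and the function names are assumptions made for this demonstration.

```javascript
// Added example, not code from the book or the review: it shows how an
// application-level "is this link local?" filter can disagree with the
// browser's own relative-URL resolution. Uses Node's built-in WHATWG URL
// class; the page URL and the link targets below are constructed values.

const BASE = 'https://app.example/account/settings';

// A naive filter of the kind the chapter warns about: anything that begins
// with "/" is assumed to stay on this site.
function naiveIsLocal(ref) {
  return ref.startsWith('/');
}

// What the browser does with the same reference: resolve it against the
// page URL and navigate to the result.
function resolveRef(ref, base = BASE) {
  return new URL(ref, base).href;
}

// The check a filter should make instead: does the *resolved* URL share the
// page's origin (scheme, host and port)?
function resolvesSameOrigin(ref, base = BASE) {
  try {
    return new URL(ref, base).origin === new URL(base).origin;
  } catch (e) {
    return false; // unparseable reference: treat as not local
  }
}

// Put both verdicts side by side for a list of references.
function compare(refs, base = BASE) {
  return refs.map((ref) => ({
    ref,
    naive: naiveIsLocal(ref),
    browser: resolvesSameOrigin(ref, base),
    resolved: resolveRef(ref, base),
  }));
}

// Constructed references that exercise the disagreement.
const SAMPLE_REFS = [
  '/profile',            // both agree: stays on app.example
  '//other.example/x',   // scheme-relative: the filter says local, the browser leaves the site
  '/\\other.example/x',  // for http(s) the parser treats "\" like "/": same effect as above
  '../../admin',         // the filter rejects it, yet it resolves on the same origin
];

for (const row of compare(SAMPLE_REFS)) {
  const verdict = row.naive === row.browser ? 'agree' : 'DISAGREE';
  console.log(`${verdict.padEnd(8)} ${row.ref.padEnd(20)} -> ${row.resolved}`);
}
```

Run it with node; it prints one row per reference and marks where the two verdicts part ways. The practical lesson is the one the chapter makes: a filter has to resolve the reference the way the browser will and then compare origins, rather than inspect the raw string.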
For those that want a feel for the book, chapter 3 on the topic of HTTP is available here.
Chapter 4 deals with HTML, and the book notes that HTML is the subject of a fascinating conceptual struggle, a clash between the ideology and the reality of the on-line world. Tim Berners-Lee had the vision of a semantic web, namely a common framework that allows data to be shared and reused across applications, companies and the entire web. The notion of a semantic web, though, has not really caught on.
Chapter 4 continues with a detailed overview of how to understand HTML parser behavior. The author writes that HTML parsers will second-guess the intent of the page developer, which can lead to security problems.
In chapter 12, the book deals with third-party cookies and notes that since their inception, HTTP cookies have been misunderstood as the tool that enables online advertisers to violate users' privacy. Zalewski observes that the public's fixation on cookies is deeply misguided. He writes that there is no doubt that some sites use cookies for malicious purposes, but that nothing makes them uniquely suited to this task, as there are many other equivalent ways to store unique identifiers on visitors' computers, such as cache-based tags.
Chapter 14 details the issue of rogue scripts and how to manage them. In the chapter, the author goes slightly off-topic and asks whether the current model of web scripting is fundamentally incompatible with the way human beings work. This leads to the question of whether it is possible for a script to consistently outsmart victims simply because of the inherent limits of human cognition.
Part 3 of the book takes up the last 35 pages and is a glimpse of things to come. Zalewski optimistically writes that many of the battles being fought in today's browser war are around security, which is a good thing for everyone.
Chapter 16 deals with new and upcoming security features of browsers and details many compelling security features such as security model extension frameworks and security model restriction frameworks.
One of the more powerful frameworks the chapter covers is Content Security Policy (CSP) from Mozilla. CSP is meant to fix a large class of web application vulnerabilities, including cross-site scripting, cross-site request forgery and more. The book notes that, as powerful as CSP is, one of its main problems is not a security one: it requires a webmaster to move all inline scripts on a web page into a separately requested document. Given that many web pages have hundreds of short scripts, this can be an overwhelmingly onerous task.
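As an added example, not code from the book or the review: a small JavaScript model of how a script-src policy treats the script elements on a page, together with the rewrite the review calls onerous, moving each inline script into its own same-origin file. It models the CSP of the book's era (host source lists, 'self' and 'unsafe-inline'); later CSP revisions added nonce- and hash-based allow-listing of individual inline scripts, which this model does not cover. The origin, the sample HTML, the header and all function names are constructed for the demonstration.

```javascript
// Added example, not code from the book or the review: a simplified model of
// how a script-src policy treats the <script> elements on a page, plus the
// migration the review describes (lifting inline scripts into separately
// requested files). Policy semantics are reduced to host sources, 'self' and
// 'unsafe-inline'; the origin, HTML and header below are constructed samples.

const PAGE_ORIGIN = 'https://shop.example';

// Parse "script-src 'self' https://cdn.example; img-src *" into a Map of
// directive name -> list of source expressions.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Pull every <script> element out of an HTML string. A regex is enough for
// this demo; a real tool would use a full HTML parser, for the reasons the
// chapter on parser behavior gives.
function findScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push(src ? { kind: 'external', src: src[1] } : { kind: 'inline', body: m[2].trim() });
  }
  return scripts;
}

// Does one source expression in the policy match this script URL?
// (Port numbers and path restrictions are ignored in this simplified model.)
function sourceMatches(expr, scriptUrl) {
  if (expr === "'self'") return scriptUrl.origin === PAGE_ORIGIN;
  if (expr === '*') return true;
  if (expr.startsWith("'")) return false; // other keywords do not name hosts
  const [scheme, rest] = expr.includes('://') ? expr.split('://') : [null, expr];
  const host = rest.split('/')[0].toLowerCase();
  const hostOk = host.startsWith('*.')
    ? scriptUrl.hostname.endsWith(host.slice(1))
    : scriptUrl.hostname === host;
  return hostOk && (scheme === null || scriptUrl.protocol === scheme + ':');
}

// Decide, for each script on the page, whether script-src lets it run.
function evaluate(html, cspHeader) {
  const csp = parseCsp(cspHeader);
  const sources = csp.get('script-src') || csp.get('default-src') || [];
  return findScripts(html).map((s) => {
    if (s.kind === 'inline') {
      return { ...s, allowed: sources.includes("'unsafe-inline'") };
    }
    const url = new URL(s.src, PAGE_ORIGIN + '/');
    return { ...s, allowed: sources.some((expr) => sourceMatches(expr, url)) };
  });
}

// The migration the review calls onerous: move every inline script into its
// own same-origin file and reference it with src=, leaving external ones alone.
function externalizeInlineScripts(html) {
  const files = {};
  let n = 0;
  const rewritten = html.replace(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi, (whole, attrs, body) => {
    if (/\bsrc\s*=/i.test(attrs)) return whole;
    const path = `/static/inline-${++n}.js`;
    files[path] = body.trim() + '\n';
    return `<script src="${path}"></script>`;
  });
  return { html: rewritten, files };
}

// Constructed sample page: one inline script, one same-origin file, one CDN file.
const SAMPLE_HTML = `
<html><body>
<script>document.title = 'Cart (' + cartCount + ')';</script>
<script src="/static/app.js"></script>
<script src="https://cdn.example/lib.js"></script>
</body></html>`;

const SAMPLE_CSP = "default-src 'none'; script-src 'self' https://cdn.example; img-src *";

const before = evaluate(SAMPLE_HTML, SAMPLE_CSP);
const migrated = externalizeInlineScripts(SAMPLE_HTML);
const after = evaluate(migrated.html, SAMPLE_CSP);
for (const [label, rows] of [['before', before], ['after', after]]) {
  for (const r of rows) {
    console.log(`${label}: ${r.kind.padEnd(8)} ${(r.src || '(inline)').padEnd(30)} ${r.allowed ? 'allowed' : 'BLOCKED'}`);
  }
}
```

Run with node. Under the sample policy the inline script is blocked while both external files are allowed; after the rewrite every script is external and same-origin, so all three pass. The rewrite is mechanical here because the page has one inline script; the review's point is that real pages have hundreds, each of which has to be given a file, a URL and a cache policy.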
The chapter concludes with other developments such as in-browser HTML sanitizers, XSS filtering and more.
Each chapter also concludes with a security engineering cheat sheet that details the core themes of the chapter.
For anyone involved in programming web pages, The Tangled Web: A Guide to Securing Modern Web Applications should be considered required reading to ensure they write secure web code. The book takes a deep look at the core problems with various web protocols, and offers effective methods to mitigate those vulnerabilities.
Michal Zalewski brings his extremely deep technical understanding to the book and combines it with a most readable style. The book is an invaluable resource and provides a significant amount of information needed to write secure code for browsers. There is a huge amount of really good advice in this book, and for those that are building web applications, this is a book they should read.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase The Tangled Web: A Guide to Securing Modern Web Applications from amazon.com. -
Piratbyran Co-Founder Says Stop DDoSing Polish Sites
bs0d3 writes "Since the news was released that Poland will sign ACTA later this month, activists have taken to the streets in protest. Also, Anonymous has aimed their DDoS cannons at Polish websites. A government minister admitted the government had failed to fully consult the public on the issue. Piratbyran Co-Founder Marcin de Kaminski has been following the issue on ACTA in Poland, and agrees with activists that Anonymous' DDoS is hurting the situation. Now the Polish government is trying to speed up the signatory process, making a statement of not giving in to 'cyber terrorists.'" -
Carl Malamud Answers: Goading the Government To Make Public Data Public
You asked Carl Malamud about his experiences and hopes in the gargantuan project he's undertaken to prod the U.S. government into scanning archived documents, and to make public access (rather than availability only through special dispensation) the default for newly created, timely government data. (Malamud points out that if you have comments on what the government should be focusing on preserving, and how they should go about it, the National Archives would like to read them.) Below find answers with a mix of heartening and disheartening information about how the vast project is progressing.
LoC?
by an Anonymous Reader
So how many GB/TB is a Library of Congress? :)
Or, more seriously, how big are you estimating? Are you using raw scans or some sort of compression (JPG, PNG, etc)? What resolution are you using? Do you vary the resolution depending on the document?
What sort of metadata are you putting in?
CM: The reason John Podesta and I suggested a Federal Scanning Commission in our letter at YesWeScan.Org is we really don't know how big the holdings of the government are. I can tell you that the Library of Congress is about 32 million cataloged books (a significant increase from the 6,487 books Thomas Jefferson donated to get them started). But, this is about more than books, it is about paper records, microfilmed technical papers, video, audio, photographs, and much more.
The scale is fairly vast. The Smithsonian has 137 million objects, including about 13 million images. David Ferriero, the Archivist of the United States estimates he has over 10 billion pages of text documents, 7.2 million maps, and 40 million photographs including everything from past census records to presidential dinner menus, and that includes about 7.5 million motion pictures and sound recordings. The Government Printing Office distributes their documents to the Federal Depository Library Program, and that includes over 60 million pages of collections including the Official Journals of Government such as the Federal Register. That's just scratching the surface, and we recommended a Federal Scanning Commission to begin the process of understanding what we have (and what is worth digitizing).
As to standards? There are lots of pretty good standards on how to digitize. NARA, Library of Congress, GPO all spec out document scans at 400 dpi, for example. For photographs, moving images, and other objects, there are some pretty good and pretty detailed standards at www.digitizationguidelines.gov. I know Brewster Kahle's operation and my own tend to work off those specifications (in fact Brewster does quite a bit of scanning for the government).
As to compression? Well, I've found people tend to overcompress things. That said, sometimes the initial quality isn't that great, so a 600 dpi uncompressed scan would be silly in some cases. But, for photographs I try very hard to keep the TIFF images around and not rely on JPEG. Likewise, for audio it is really nice to keep a nice 48 kHz version of your file around if you can simply because if you screw up the compression maybe somebody else can do a better job in a few years. Disk space is relatively cheap, so that isn't the barrier it used to be. For video, I rip MPEG2 at whatever it is on a DVD; when I'm actually digitizing I try to get the video bitrate up to 8-10 Mbps when ripping a Betacam or Umatic. Some people think that is overkill, but I'd rather be safe than sorry.
Metadata? Well, you got to have it or you're not going to get very far when it comes to access. Many librarians have made perfect the enemy of the good when it comes to metadata and have resisted any attempt at digitization because we don't have the very best metadata we might have. I'm more in the camp of scan what you have and get as much of the metadata as you can into it. For example, we have 3,200 1000-page volumes of briefs from the 9th Circuit of the U.S. Court of Appeals. We didn't have good metadata, but we had the Internet Archive scan them anyway. Then, after we got our PDF files, I shipped those off to a double-key team in India and they broke the briefs up into individual documents and typed the metadata into a spreadsheet for me, which we hope to release soon.
My point is that sometimes you can shoehorn the metadata in after the fact or you can use a variety of techniques to pull the metadata out of the documents (e.g., smart OCR). In theory, you can use crowdsourcing to get the metadata, but so far I've not had a lot of luck persuading thousands of people to spend their time doing that kind of work. A captcha is a quick thing to do and is between you and something you want, whereas entering metadata in for videos or documents is one of those civic duty things that everybody thinks everybody else should be doing.
Total size? Brewster says a book is about 400 Mbytes (though he's very quick to point out that you could put the words in all the books in the library into a terabyte and if you're distributing PDFs, you can easily throw 130,000 full-color, searchable PDFs onto a 4 TB drive). But, you were probably asking about raw data. Here's some raw numbers:
32 million books at 400 Mbytes each is 12.8 petabytes
50 million photos at 150 Mbytes each is 7.5 petabytes
10 billion pieces of paper ("records") at 100 Kbytes each is 1 petabyte
20 years of video at 8 Mbps is only 630 Tbytes.
(Somebody check my math?)
If you're talking a decade-long federal digitization initiative, we're looking at well south of 50 petabytes, which seems pretty doable in this day and age!
Can the rare books collections be digitized?
by autophile
Three closely related questions about the rare books collections at the Library of Congress:
1. I know there is some kind of effort going on to digitize the rare books collections, but can it be sped up? There are many high-quality low-cost archival book scanners out there (such as the ones developed at diybookscanner.org).
2. It gets really annoying to have to receive paper copies of books when copies are requested. Why not DVDs of high-quality images?
3. Why is there no outreach by the LoC to smaller, cheaper book scanning efforts? The Internet Archive, DIYBookscanner.org, and Decapod all come to mind.
CM: In reverse order. I don't know why we aren't distributing and decentralizing our scanning efforts. The Internet Archive is a heavy-duty production shop and they do an amazing job, as do folks like Google Books and the folks digitizing things the Mormon Church. But, there are a bunch of DIY solutions and it would be really nice if we could get more people pitching in. The biggest problem on distributing the digitization efforts is quality control. I know when it comes to ripping video, I can easily teach other people how to grab an MPEG2 off a DVD, but when it comes to things like digitizing a Betacam, that takes some training. But, we're all trainable and I wish we could all do more.
Getting back paper copies of books and papers when they're doing a copy anyway is just plain dumb. Likewise with things like FOIA results. John Podesta testified before the Senate about FOIA and said if an agency answers a FOIA request, they should also post their result online so others can see it. That seems pretty obvious.
As far as digitizing rare book collections, there are some amazing pockets throughout the government but there is no real coordination and there certainly is no effort to scan at scale or to come up with a realistic national digitization strategy. That is why we called on the White House to lead the effort. Within the Library of Congress there are some amazing collections, but if you look around to places like the National Agricultural Library or the National Library of Medicine or the libraries in the service academies you'll find lots more. Some have argued that digitizing rare books is silly because the audience is just a few academics, but I can tell you from my own experience helping host the network site for the Archimedes Palimpsest that when you make this kind of information available, there is an amazing long tail.
If you scan it, they will come. And, to answer your question, if we all scan it, they will come much sooner.
Real time legislation drafting
by kerskine
Would it be possible to implement a system that would allow real-time and continuous review of legislation while it's being drafted? Much has been made over the past three years about legislation being available for review before voting by the House or Senate. The final draft for review usually is a huge PDF that makes it nearly impossible for citizens, interest groups, and the media to thoroughly analyze in time.
CM: You want to see the sausage being made, not just buy the hot dog! I'll comment on the U.S. Congress since that's the system I know best. Thomas is a pretty good system if you happen to be stuck in 1994. It does have all the amendments and the actions and the various stages that legislation goes through. But, it isn't real time, more like "pretty quick." As Van Jacobson once quipped, "Same day service in a nanosecond world." And, Thomas isn't really machine processable, it is final form, usually formatted ASCII text (shades of NROFF!). People like Josh Tauberer who built GovTrack.US have spent considerable time crawling those systems and trying to get the data into regularized formats and make it available to others to reuse via APIs, but that isn't the same as exposing the inner workings of the sausage factory.
Majority Leader Cantor's staff has been pushing a system to make the raw data all available in XML from the Clerk's office and I think that is a very promising initiative which hopefully will bear fruit. (They're having a February 2 conference to discuss their plans if you are interested. I have no idea if it will be streamed for those of us who aren't Inside the Beltway and I don't know their schedule for moving past conferences and into production.)
Congress is a pretty complicated beast. I know some folks like Sean McGrath have had better luck with some of the state legislatures. The problem is you need to dig deep into the inner workings of a legislature. In the Congress, that means you're changing things like authoring tools that are used in the Clerk's office and by all the staff members, so you have to be careful or you get a bunch of really angry Congressmen yelling at you because their staff can't crank out the flavor-of-the-week in the form of a bill or amendment.
There's also a bit of an issue of will. My work with the Congress to put hearings on-line showed that you could take the official transcripts of a hearing and use those to generate closed captions on the video. All you need is the official transcript of the hearing, but in order to get those I had to execute a special Memorandum of Understanding with the House Oversight Committee. Other committees guard their transcripts jealously and won't let them out for several when. When I started processing a bunch of historical videos we purchased from C-SPAN, I went to the Government Printing Office and found that many committees never deliver their transcripts, even a decade after the fact!
How to keep track of legislative activity about open access?
by oneiros27
Recently in the federal register, there were two calls for comments about access to data and research from federally funded research:
http://federalregister.gov/a/2011-28623
http://federalregister.gov/a/2011-28621
I didn't hear about these until ~4 weeks after the original announcement, and with the holidays, it was too late to try to get the societies I'm involved with to prepare and vote on official statements. Are there any places where people can get/post notices of these sorts of things so that we can stay informed and try to help influence policies?
CM: The Federal Register is getting a lot better now that it is a much more open system. The idea of "Federal Register 2.0" was a paper I wrote for the Obama transition, so it is an issue I've tracked pretty closely and frankly, I've been amazed at how much better it is now. What they did is instead of selling the raw data feed for the Federal Register for $17,000/year, they went from SGML to XML and then released the data in bulk for free. A few guys out in San Francisco were looking for something to do to enter a contest and they took that bulk data and dreamed up GovPulse.US. That was such a better version of the Federal Register that the Office of the Federal Register switched the official site over to their open source platform. My point is the tools are there to do better notification mechanisms, and I'm sure the government would welcome somebody grabbing the GovPulse.US code out of GitHub and making it even better.
That's the technical answer. But, the substantive answer is that there is a huge boatload of stuff in the Federal Register and it is pretty hard to figure out what to pay attention to. I also missed that particular call for comment, and I've even missed several Requests for Information coming out of places I try and pay attention to, like the White House's Office of Science and Technology Policy. And, I do this stuff full-time! Perhaps better targeted notification mechanisms are the answer. Maybe it is a social media solution, where you pay attention to things your friends are paying attention to. I hope the answer is not that the only way to pay attention is to be employed with a beltway bandit which can afford hundreds of minions that do nothing but pay attention to Washington. Indeed, there are some very fancy for-pay services from folks like Congressional Quarterly and Bloomberg that cost an arm and a leg, but I can't help but think there has to be a better way that is also open.
What do you think of corporate partnerships?
by mhh5
I'd like to know what you think about corporate partnerships in the process to get public data released. (I'm not sure if Google Patents existed before the USPTO released its databases.) Do corporations that get involved in the process tend to make the process better without question, or are there tradeoffs in some areas because the corporations always want to help but then try to retain a proprietary version of the data for themselves?
CM: The theory is that the government gets some kind of valuable service (like digitization) that the government wouldn't get otherwise so it is a "win-win." But, the reality is all too often the government gets snookered and what we do is give some corporation exclusive access to some pot of data and the government doesn't get much of anything. The deal between Amazon and the National Archives was a good example of that kind of a private fence around the public domain. With a help from Boing Boing, I started systematically purchasing those public domain videos and re-releasing them in the wild. I have no problem with Amazon selling public domain video, I just hate it when they get a de facto or a contractual exclusive. (My testimony before Congress on this subject is here.)
There are lots of other examples of government getting snookered. For example, the Government Accountability Office let Thomson West get access to 60 million or so pages of federal legislative histories. At great cost to the government, they were all packed up and dispatched to West which digitized them all and then sent them back to the government. West now sells access to this amazing database. What did the government get for its trouble? A few logins for GAO staffers. Even members of Congress need to pay to access the database! (We have an interesting paper trail on this issue.)
I'm glad you brought up the Google Patent system because I was personally involved in making that happen and I can tell you that this one is totally legit. Jon Orwant is the lead developer on this for Google and I played a small part in helping convince the White House and the Patent Office they ought to give Jon access to their data (the heavy lifting on that deal was by Beth Noveck who was the Deputy CTO at the time). Google makes all the data they got from the Patent Office available for bulk access with no strings attached. I can vouch for that because I did a mirror of their system. Last I heard Google was sending out anywhere from 1 to 10 terabytes of data PER DAY to external sources and even normally very critical folks who work in this arena have been really happy.
The big problem in the Patent Office is their computing infrastructure is a real catastrophe. Their power plant is over 95% capacity (e.g., plug in a computer, bring the building down!) and even though the Under Secretary knew that selling DVD subscriptions was silly, he wasn't able to switch over to an FTP service. He cut the deal with Google Patent and it worked out well for the government, for Google, and for everybody else.
What's the difference between the Google deal and the Amazon deal? In the case of the Amazon and GAO/West deals, the government lawyers did all the negotiating and they were totally outsmarted by some sharks in industry. But, when government has people like Under Secretary Kappos and Beth Noveck doing the negotiating, these things can work out just fine. The key is government should partner with people who want to do public service, not people who want to service the public.
Encouraging Governments?
by theNAM666
In a city such as Nashville, things as basic as business ownership and property records are not available online. In states such as New Jersey, public records such as basic corporate filings (officers, operating address/address for service of process) are accessible only for a fee.
What concrete actions can citizens confronting such situations take to encourage accessibility and accountability?
CM: I find you need a carrot and a stick to make this stuff happen, especially at the local level. Folks like Everyblock.Com and CodeForAmerica.Org have done great work prying some of these databases loose, but there is still lots to do.
The first thing you should do is pick up the phone (or pick up your email client) and write/call the people who run the system. Ask them if you can have access to the data. Sometimes, it is as simple as that.
Other times, though, it isn't quite as simple since they want the money (or they want the control or they think this should be done by "private industry" by which they mean some buddy who is a contractor). The nice thing about any government system is somebody usually has oversight responsibilities. So, the next step is to find a city council member or state legislator who has oversight on the agency in question and ask them.
Again, life isn't usually that simple, but sometimes you win! If you can't get anywhere that way, what I usually end up doing is basically competing with the government system. Build a proxy system like RECAPtheLaw.Org did to recycle paid documents. Or, get a sponsor and buy a reasonable number of docs and build a web site that looks like it is going to be a real production system.
Then, go back again and ask. Maybe if you have eyeballs or at least have a nice web site, that is enough to get the government moving. But, if that doesn't do the job, you may have no choice but to compete with them for real, which of course requires a big commitment in time and energy and not everybody can do that. I know in the case of the Patent Office, I started pestering them in 1993, including several times when I spent 6-figure sums purchasing their data, and it still took until 2011 to crack that nut.
The real trick is focus/obsession. Pick one thing you really care about and just keep pestering them until you crack it open. If you're surfing from one opengov problem to another, showing up for a 1-day hackathon then moving on to something else, you're not going to get anywhere. Pick something real and make it your thing.
Privately Owned, Copyrighted Law
by AdamnSelene
I think I have read that the law itself cannot be copyrighted and it should be possible to make it available to everyone. But as a techie who drafts standards and specifications, I was wondering about how far this goes--especially since Congress recently proposed enacting some of our standards into law. (They decided not to, but they read some parts into the committee records as they debated.) Can you still accomplish your project if a governmental body adopts (or considers adopting) a privately owned, copyrighted technical reference manual or set of safety standards as administrative law (or regulations that carry the force of law)? Or would such obstacles keep you from being able to digitize all of the government's laws (and archives of proposed laws)?
CM: The idea that the law has no copyright is a fundamental part of the American system of government. That applies to states and municipalities as well. The basic decision is Wheaton v. Peters from 1834 but that decision has been reaffirmed over and over. The law is sacred in the American system. You can't have equal protection under the law or due process under the law if there is a poll tax on access to justice.
When we get to privately developed standards, however, it turns into a very interesting issue. The basic mechanism is called Incorporation by Reference. The government will take some external document (such as a model building code) and incorporate the entire text to make it the law of the land. A guy named Peter Veeck was responsible for a landmark decision in 2002 when he published the Texas Building Code which was an incorporation of a privately-developed and very expensive model code. The court ruled that while the model code had copyright, the law of the land did not.
Based on the Veeck decision, my group went and posted many of the public safety codes enacted by the states. We started by purchasing model codes, finding the incorporating legislation, and concatenating the two pieces together and posting the resulting PDFs. More recently, we've done some extensive reworking of the California public safety codes, known as Title 24, converting the entire text into valid XHTML, recoding the graphics as SVG graphics, the formulas as MathML, and regenerating the PDF documents as nicely typeset documents instead of low-quality scans. You can see this work on the web but it is also available as a Google Code project.
The federal government also uses this mechanism intensively, with over 2,000 standards incorporated into the Code of Federal Regulations. This is non-trivial stuff, things like all the OSHA safety regulations. The issue was recently considered by a federal group called the Administrative Conference of the U.S. which basically rolled over and endorsed the idea that it is ok for important parts of the law to cost money. (Read EFF's protest letter if you want a good critique of what they did.)
I'm not necessarily saying that government should be able to appropriate any privately-developed standard and make it available. And, I'm not necessarily saying you want OSHA bureaucrats drafting the standards. But, I do think the big standards establishment and the government regulators have cut a deal that results in the law not being available and the costs forked off on private citizens and small business with extortionate monopoly prices. I just paid $847 for a 48-page safety standard from Underwriters Labs and $60 for a 2-page safety standard from the Society of Automotive Engineers, both of which are mandated by law in the CFR. They do need money to run their operations, but let me just point out that in 2009 the 501(c)(3) nonprofit Underwriters Labs paid their CEO $2,138,984 and the nonprofit SAE paid their CEO $412,578.
Ancestry.com
by An Anonymous Reader
What is your opinion about websites like Ancestry.com which make use of public records and charge a subscription fee for access? What is the incentive for the government to migrate old documents into digital form when services like these exist? Do you think Ancestry.com should be a 501(c)(3)?
CM: I'm not a big fan of for-profit corporations that have a business model of monetizing the public domain. I'm fine if they exist and fine if they make billions of dollars, but if they are the only game in town they've taken something that belongs to all of us and turned it into their private property.
The government got snookered on the Ancestry.Com deal. They could have insisted that the raw data be available in bulk for anybody else to use. The folks that approach the government to cut these sweetheart deals argue that is unreasonable because they need a "return on investment" and they argue that if they don't get the return on investment they won't do the deal (and by extension nobody else will do the deal).
But, government can argue much harder! For example, instead of negotiating some exclusive thing with Ancestry.Com, how come they didn't ask the Internet Archive to grab the data? Or put together something creative with a couple of foundations that would pay for the digitization in return for the kind of payback the foundations like to see (e.g., good press, photo opportunity with the President, or other tools of the trade)?
You asked if Ancestry.Com should be a 501(c)(3)? Not all nonprofits do something that I think should be an essential part of their mission, which is allow others to compete with them. I believe providing open access to all data ought to be a precondition to getting nonprofit status (an idea that Gil Elbaz has been pushing for quite some time). A good example of a nonprofit that builds walls is Guidestar which wants to be the place where you go for all your nonprofit information. The IRS should be making all Form 990 returns of nonprofits available in bulk for anybody to use, which would knock the bottom out of Guidestar's attempts to build walls and force them to stay innovative and provide value.
Pacer Problems
by onyxruby
How much difficulty do you anticipate in getting and publishing records in Pacer? If there's one system that should be free it is the decisions that our courts make, and yet you are charged by the page just to view the results. Are you concerned about a court taking an unkind view on your archiving what is in Pacer?
CM: PACER is an abomination. Do they take a dim view of our efforts? Well, the Administrative Office of the U.S. Courts reacted so strongly to our efforts to make their data available that they called the FBI on Aaron Swartz and cancelled the only meaningful public access system they had, which consisted of one terminal in each of 17 public libraries around the country. In this era of rapidly decreasing costs, they just boosted their access charges from 8 cents a page to 10 cents a page, arguing that this is a bargain compared to 25 cents a page for a copy machine.
What I find so disturbing about PACER is that when we did get 20 million pages of docs, we were able to conduct a comprehensive analysis of privacy violations in the courts, an analysis that led to a nice thank-you letter from the Judicial Conference and changes in their privacy rules. In other words, only when public interest groups got access to the data did we begin to address privacy issues. Public access is not just about pro se prisoners defending themselves from a jail cell, which is the view of many in the Administrative Office of the Courts. Public access is about attempts like ours (and many other folks) to make our system of justice function better. When we say we are "an empire of laws not a nation of men" that means we write down what we are doing in our courts so that it is no longer the arbitrary decisions of individuals. The paper trail is there so we can make sure the system is functioning properly. When you limit that access to those that only have a Gold Card, you pervert democracy and you pervert justice.
This principle that access to justice shouldn't hide behind a cash register goes back to the Greeks. Theseus in Euripides' Suppliants said "when there are no public laws, one man holds power by keeping the law all for himself, and there is no more equality. But when the laws are written, the weak man and the rich man have equal justice." The PACER system is justice for the rich man.
Steve Schultze and the team at Princeton did a lot of the heavy lifting on this issue, including the very nice RECAPtheLaw.Org system they built. They've also done a lot of financial analysis that shows that the courts are not only recovering their costs for operating the expensive PACER system, they're making a huge profit (to the tune of $100 million/year) and using their excess profits to do things like buy big-screen TVs in direct violation of the E-Government act.
The basic problem on PACER is the Judicial Conference has delegated the issue to a few techie judges who think what they've built is something great. But, PACER is a hairball of bad PERL code and the result has not served the judges, the bar, or the American people very well. My only hope is that eventually, the Judicial Conference will see that their information technology is 30 years behind the rest of the Internet and feel ashamed at the travesty they have wrought. Until then, we have RECAP.
If you're interested in the issue, a couple of resources to look at are the PACER paper trail and a bit of a rant that I delivered at the Gov 2.0 summit.
How to visualize opened data?
by hardwarejunkie9
The amount of information you're trying to free is entirely staggering and consists, largely, of tables of numbers. These numbers are incredibly significant, but people generally can't see them.
After you free all of this information and make it available to the public (as it should be), then what? What do you expect for the public to do with these numbers? Tables of information are not nearly as useful as graphs. This data needs to be seen, but, more importantly, it needs to be understood.
Do you have any ideas for how to disseminate this information? Perhaps a team-up with someone like gapminder.org's Hans Rosling might be particularly valuable for all of us.
CM: Actually, most of the data I'm looking at is not tables of numbers, it is video, images, textual documents, technical papers, maps, and books.
But, I definitely get what you're saying and there are a lot of numbers. For example, the IRS Form 990s should be structured data instead of PDF documents, so extracting the data from the mass of paper is the initial challenge. There are lots of other examples of this kind of initial extraction, getting what were printed paper docs into structured data. There are some interesting tools, such as OCRopus which does layout analysis, but there needs to be much more. One of the reasons we called for a Federal Scanning Commission is that we think there is a lot of directed R&D that could not only scale up mass digitization but could also work on the important value-added of extraction of structured data and handling some of the tricky issues like detecting the presence of Social Security Numbers.
Once you have the data, as you say, then what? I'm a big fan of the idea that the government starts by providing bulk data, then they provide an API, and then maybe they also build web sites and apps and other things along with everybody else out there. That's a 3-part hierarchy that Ed Felten and some of his students developed and it should be a law that applies to all government information systems that are externally facing.
The issue here is that all too often people look at a problem like "digitize all government information" and they want to see the whole stack of the solution from one place. But, I think you can do a layered approach and count on the fact that there is always somebody smarter out there and our job is to reduce the barriers to entry. So, how would I visualize the data? I have no idea, but I'd make damned sure that folks like Martin Wattenberg at Many Eyes and Hans Rosling at Gapminder knew the data was out there and then I'd sit back and be amazed at whatever they come up with. How's that for pushing the problem downstream?
Why is data access so hard?
by CanHasDIY
Can you provide any explanation as to why it is so difficult and cost-prohibitive to obtain records from the government, especially considering the abundance of laws requiring government compliance with requests for information (AKA "Sunshine Laws")?
Is it simply a matter of government employee ineptitude, or have you found evidence of a more nefarious rationale?
CM: I get that question a lot. Why would a member of Congress take deliberate steps to stop public hearings from being available? Why would a court administrator deliberately restrict access to public court documents? Usually the answer is, as Heinlein said, "you have attributed conditions to villainy that simply result from stupidity." When I'm explaining why something is so broken on a big government system, my usual answer is that there are a lot of people still stuck in the 1970s and 1980s, when information dissemination was really, really hard and it took men in white lab coats and computers the size of freight trains to process data. In other words, the problem with a lot of folks who are government gatekeepers is they just don't get the Internet and they don't get computers. In fact, usually when some senior bureaucrat is throwing stones at me, you can find younger staffers working for them rolling their eyes.
That's an optimistic view, and if I'm right things will get better. But, I'm often wrong on my predictions of the future. (I was the guy who saw TimBL demo the web in 1992 and thought to myself "interesting, but it won't scale.")
But, there is also some more nefarious stuff happening, often the accumulation of power by being able to cut exclusive deals with contractor buddies. If your life in government consists of receiving emissaries from Lockheed Martin, maybe you think you're making everybody happy by letting them build you a $1 billion computer system. Often, you think your problems are so unique that the $1 billion solution is the only answer.
And, in some cases, as we've seen from numerous GAO reports, Inspector General reports, Congressional hearings, and newspaper articles, there are some really evil people out there who think the public domain and the government is their personal business opportunity. Looting the federal government is the kind of civic crime that ranks right up there in my book with stealing cookies from Girl Scouts and selling fake medicines to sick people.
Who is the worst?
by TheBrez
Which government agency is the worst to get information from?
CM: I don't know who the worst are (there's a lot of competition for that slot), but the ones that piss me off the most are the ones that should know better.
Public.Resource.Org is a really small operation. I'm the only staff member. My part-time sysadmin is @mdkail who is pretty busy with his day job as CIO at NetFlix. My ISP is Jim Martin and his team at ISC who are kind of busy running the F-Root. My office net is supported by the amazing systems team at O'Reilly which rents me office space at below-market rates.
I'll grant you government would have a tough time getting that kind of help. But, I'm a one-man shop and we run the 4th most popular U.S. government video channel on YouTube, we're the source for a lot of the on-line presence of the U.S. Court of Appeals, and we've supported efforts for the U.S. Congress, the White House, and the National Archives. If we can do this out of Northern California, couldn't the vast resources of the federal government in Washington, D.C. do a whole lot better than they're doing now?
For me, my current bête noire is the U.S. Congress. We got half-way through processing their archives of video from congressional hearings, publishing about 31 terabytes of data. Then, a couple of staffers decided this was a bad idea and pulled the rug out from under us. They actually decided it was a bad idea to publish video from public congressional hearings.
Like any agency, Congress is a mixed bag. We had tons of support from Darrell Issa, for example, and ran a very successful pilot project for him for a year. We talked to all sorts of people on committees and in the various agencies that support the Congress. But, at the end of the day, a couple of staff members were able to decide that the public archive shouldn't be public and they terminated our project. (If you have some time, you might like to read our rather surreal paper trail.)
So, rather than the worst, I think we need to look for the most shameful, the ones that have the privilege and the power and could easily do better. I know it is in vogue to throw stones at government in general and Washington in particular, but there are times when government can be so useful and so awe inspiring it takes your breath away. Government can be that shining city on the hill but we all have to take an active part in our government to keep those lights shining bright. -
Wikipedia Still Set For Full Blackout Wednesday
symbolset writes "Jimmy Wales confirms that the entire English language Wikipedia will be on blackout January 18th from midnight to midnight, Eastern Standard Time. The site's 25 million daily users will be redirected to an education page with a call to action. Votes are still being taken on the exact implementation." Despite a small victory against SOPA in the House, Wikipedia still feels the blackout is necessary due to the looming Senate vote on PROTECT IP, and as a deterrent to future attempts to revive a similar law under a new name. -
Sweden Experiments With Public Twitter Takeover
revealingheart writes "BBC reports that Sweden is allowing one citizen per week to take control of its official Twitter feed, in what's been described as 'the world's most democratic Twitter experiment.' Adam Arnesson, a 21-year-old organic sheep farmer, is said to be the biggest star of the project so far, uploading photos and videos of life on his family's farm; while a female minister in the Church of Sweden and a Bosnian immigrant have also posted on the feed. The Swedish Institute and VisitSweden launched the experiment in December, which has helped to double Sweden's Twitter followers in the past month." -
Diablo 3 Coming To Consoles
RobinEggs writes "After long speculation and a few affirmative hints, Blizzard has confirmed that Diablo 3 will have a console version. Responding to a fan who asked him to 'confirm or deny' a console version of D3, Blizzard community manager Bashiok said, 'Yup. Josh Mosqueira is lead designer for the Diablo console project.' Here's hoping Blizzard remains one of the few companies to fully develop both the console and PC version of their titles, rather than simply porting the Xbox version to PC. I think we've all had enough of bizarre scrolling, menus that can't be used with a mouse, and 'Controls' menus that don't even bother replacing the 360 controller image with an actual keyboard layout." -
Leaked Memo Says Apple Provides Backdoor To Governments
Voline writes "In a tweet early this morning, cybersecurity researcher Christopher Soghoian pointed to an internal memo of India's Military Intelligence that has been liberated by hackers and posted on the Net. The memo suggests that, "in exchange for the Indian market presence" mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as "RINOA") have agreed to provide backdoor access on their devices. The Indian government then "utilized backdoors provided by RINOA" to intercept internal emails of the U.S.-China Economic and Security Review Commission, a U.S. government body with a mandate to monitor, investigate and report to Congress on 'the national security implications of the bilateral trade and economic relationship' between the U.S. and China. Manan Kakkar, an Indian blogger for ZDNet, has also picked up the story and writes that it may be the fruits of an earlier hack of Symantec. If Apple is providing governments with a backdoor to iOS, can we assume that they have also done so with Mac OS X?" -
Filesharing Now an Official Religion In Sweden
bs0d3 writes "Kopimism is now an official religion in Sweden. Kopimi beliefs originated with the Swedish group called Piratbyran who believed that everything should be shared freely online without restrictions from copyright. Leader Isak Gerson has recently had some disagreements with the Swedish Pirate Party where many people disagree with all religions." Here's the official website for the "Missionary Church of Kopimism." -
Chile Forbids Carriers From Selling Network-Locked Phones
An anonymous reader writes "As of today, network operators in Chile are no longer allowed to sell carrier-locked phones, and must unlock free of charge all devices already sold to customers through a simple form on their respective websites. The new regulation came into effect in preparation for the rollout of Mobile Number Portability, set to begin on January 16th. This is one among other restrictions that forbid carriers from locking in customers through 'abusive clauses' in their contracts, one of which was through selling locked devices. Now if a customer wishes to change carriers he/she needs only to have the bills up to date, and the process of porting the number should only take 24 hours." -
Windows Phone Homebrew Hits a Snag
symbolset writes "TheNextWeb is reporting that the first official jailbreak for Windows Phone 7, ChevronWP7, has 'sold out' of tokens to enable homebrew application support. Only 10,000 tokens to jailbreak Windows Phones were ever granted. According to an announcement through ChevronWP7's Twitter feed, they're discussing whether they will ask Microsoft to make more available. With Lumia falling flat in Europe Microsoft needs all the enthusiastic modding fans they can get." -
Book Review: Defense Against the Black Arts
brothke writes "If there ever was a book that should not be judged by its title, Defense against the Black Arts: How Hackers Do What They Do and How to Protect against It, is that book. Even if one uses the definition in The New Hacker's Dictionary of 'a collection of arcane, unpublished, and (by implication) mostly ad-hoc techniques developed for a particular application or systems area', that really does not describe this book. The truth is that hacking is none of the above. If anything, it is a process that is far from mysterious, but rather easier to describe. With that, the book does a good job of providing the reader with the information needed to run a large set of hacking tools." Read below for the rest of Ben's review. Defense against the Black Arts: How Hackers Do What They Do and How to Protect against It author Jesse Varsalone, Matthew Mcfadden, Michael Schearer, Sean Morrissey pages 412 publisher CRC Press rating 7/10 reviewer Ben Rothke ISBN 1439821194 summary Good reference for someone experienced in the topic who wants to improve their skills Defense against the Black Arts is another in the line of hacking overview books that started with the first edition of Hacking Exposed. Like Hacking Exposed, the book walks the reader through the process of how to use hacking tools and how to make sense of their output.
Defense against the Black Arts is written for the reader with a good technical background who is looking for a nuts-and-bolts approach to ethical hacking. Its 14 chapters provide a comprehensive overview of the topic, with an emphasis on Windows.
But for those looking for an introductory text, this is not the best choice out there. The book is written for the reader that needs little hand-holding. This is in part due to its somewhat rough-around-the-edges text and the use of more advanced hacking tools and techniques.
By page 4, the author has the reader downloading BackTrack Linux. BackTrack is an Ubuntu-based distro which has a focus on digital forensics and penetration testing. BackTrack is currently at release 5 R1, based on Ubuntu 10.04 LTS and Linux kernel 2.6.39.4. BackTrack comes with a significant amount of security and hacking tools preloaded, which the authors reference throughout the book.
After showing how to install BackTrack, chapter 1 shows how to log into Windows without knowing the password. Much of that is around the Kon-Boot tool, which allows you to change the contents of the Windows kernel in order to bypass the administrator password. Tools like Kon-Boot though will only work when you have physical access to the machine.
Chapter 3 gets into the details of digital forensics and highlights a number of popular tools for forensic imaging. While the book provides a good overview of the topic, those looking for the definitive text on the topic should read Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet.
Chapter 5 deals with web application penetration testing. The authors describe a number of tools that can be used to assess the security of web sites, and offer ways to attempt to manipulate data from a web page or web application.
One is likely hard pressed to find a large web site that will be vulnerable to such web attacks, given that most of them have already checked for those errors via validation control testing. Smaller vendors may not be so proactive, and find out that those $99 items are being sold for 99 cents. With that, the chapter details a number of tools developers can use to test for SQL injection, XSS and other types of web vulnerabilities.
Chapter 8 is about capturing network traffic. There are two perspectives to collecting traffic. For the attacker, it is about identifying holes and avenues for attack. For those trying to secure a network, collecting network traffic is an exercise in identifying, thwarting and defending the network against attacks.
Chapter 10 provides a brief overview of Metasploit. For those looking for a comprehensive overview of Metasploit, Metasploit: The Penetration Tester's Guide is an excellent resource. This chapter, like many of the others, provides the reader with detailed step-by-step instructions, including screen prints, on how to use the specific tool at hand.
Chapter 11 provides a long list of attack and defense tools that can be used as a larger part of a penetration tester's toolkit.
Chapter 12 is interesting in that it details how social engineering can be used. The authors show how public domain tools like Google Maps can be used to mount an attack.
Chapter 13, Hack the Macs, is one of the shorter chapters in the book and should really be longer. One of the reasons pen testers are increasingly using Macs is that the newer Macs run on the Intel platform, and can run and emulate Windows and Linux. The increasing number of tools for the Mac, and significant Mac vulnerabilities, mean that the Mac will increasingly be used and abused in the future.
Just last week, Dr. Mich Kabay wrote in Macintosh Malware Erupts that malware specifically designed for Mac is on the rise. This is based on progressively more serious malware for the Mac since 2009, given that Apple products have been increasing their market share for laptops and workstations, but especially for tablets and phones.
The article notes that one of the reasons Mac OS X is perceived as superior to Windows is because of its appearance of having integrated security. But although the design may be sound, the operating system does not prevent people from being swayed into thinking that the malicious software they are downloading is safe. With that, Apple will have to concentrate more on security and vulnerability within their operating system.
The book ends with about 30 pages on wireless hacking. The chapter provides an overview of some of the weaknesses in Wi-Fi technology and how they can be exploited. The chapter focuses on the airmon tool, part of BackTrack that you can use to set your wireless adapter into monitor mode, to see all of the traffic traversing the wireless network.
Overall, Defense against the Black Arts: How Hackers Do What They Do and How to Protect against It is a really good reference for someone experienced in the topic who wants to improve their expertise.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Defense against the Black Arts: How Hackers Do What They Do and How to Protect against It from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Apple Buys Israeli Flash Manufacturer
Lucas123 writes "According to published reports Apple is plunking down up to $500 million to purchase solid-state drive start-up Anobit Technologies. Even Israeli Prime Minister Benjamin Netanyahu tweeted about the deal congratulating Apple on its first acquisition in his country. Apple is planning to use the acquisition to set up a semiconductor development center in Israel. Apple already uses NAND flash from Anobit in its iPhone, iPad and MacBook Air products, according to the reports." -
Google Rolls Out Official Android 4.0 ICS Update
dell623 writes "Google is rolling out an OTA upgrade to Ice Cream Sandwich for the Nexus S. GSM versions can already be updated manually. An early review is largely positive and comments on the significant visual and performance improvements. The Nexus S upgrade allows for a direct comparison against Gingerbread on the same hardware, and the likely improvement in current phones that will receive the upgrade." -
The Ups and Downs of Being a Twitter Fraudster
Barence writes "PC Pro has a feature examining the psychology and motivation of people who create fake or parody Twitter accounts. The feature reveals how people behind some of the most popular parodies — such as @MrsStephenFry — have gone on to earn commercial success, while others are altogether more sinister. The man behind @Lord_Credo managed to convince many that he was a personal adviser to British Prime Minister, David Cameron, and wormed his way into political circles. He allegedly conned some out of money, took advantage of the hospitality of others, and left the professional reputation of at least one 'in tatters.' He even fabricated a malignant brain tumor, leaving one young member of the group 'utterly distraught.'" -
Carrier IQ Software May Be in iOS, Too
New submitter Howard Beale writes with this excerpt from The Verge: "To date, the user tracking controversy surrounding Carrier IQ has focused primarily on Android, but today details are surfacing that the company also may have hooks into Apple's iOS. Well-known iPhone hacker Chpwn tweeted today that versions at least as recent as iPhone OS 3.1.3 contained references to Carrier IQ and later confirmed it's in all versions of iOS, including iOS 5." The details are still emerging; however, iPhone users will be happy to hear that while it's reported that the software is available to the OS, "the good news is that it does not appear to actually send any information so long as a setting called DiagnosticsAllowed is set to off, which is the default." -
Book Review: The CERT Oracle Secure Coding Standard For Java
brothke writes "It has been a decade since Oracle started their unbreakable campaign touting the security robustness of their products. Aside from the fact that unbreakable only refers to the enterprise kernel, Oracle still can have significant security flaws. Even though Java supports very strong security controls including JAAS (Java Authentication and Authorization Services), it still requires a significant effort to code Java securely. With that, The CERT Oracle Secure Coding Standard for Java is an invaluable guide that provides the reader with the strong coding guidelines and practices in order to reduce coding vulnerabilities that can lead to Java and Oracle exploits." Read on for the rest of Ben's review. The CERT Oracle Secure Coding Standard for Java author Fred Long, Dhruv Mohindra, Robert Seacord, Dean Sutherland, David Svoboda pages 744 publisher Addison-Wesley Professional rating 10/10 reviewer Ben Rothke ISBN 0321803957 summary Definitive guide on the topic The book is from CERT, and like other CERT books, provides both the depth and breadth necessary to gain mastery on the topic.
The first 100 pages of the book are available here. After reading it, you will be likely to want to see the next 650 pages.
This book provides a set of guidelines for secure programming in Java SE 6 and 7 environments. It is primarily targeted at software developers and computer security practitioners. While Java is inherently designed to be relatively secure as compared with other languages, it requires the developer to understand the security controls and language features thoroughly before he can implement them correctly. The book illustrates insecure coding practices and suggests corresponding safe alternatives to enable a developer to have an optimal blueprint.
Software developers are constantly under pressure to accommodate feature requests and have to strike a fine balance between enhancing delivery excellence and releasing a software product in consonance with deadlines. At the same time they routinely tackle technical challenges and often document their experience for the benefit of others. This book is one such effort, in that several programmers and reviewers have contributed the contents. It encourages a developer to think beyond programming logic and enables him to produce clear, concise, maintainable and secure code, a mandatory requirement for today's dynamic software industry which is plagued by a spectrum of security threats and attrition.
This book isn't for a Java beginner. The introductory chapter expects an intermediate or seasoned Java professional to identify the gamut of security vulnerabilities that frequently manifest in code and design. The chapter briefly explains injection attacks, unintended information disclosure, denial of service and issues involving concurrency and class loaders. Summary tables have been provided to assist the reader to easily locate representative secure coding rules for each category.
The examples presented primarily encompass the lang and util libraries of Java SE and also cover collections, concurrency, logging, management, reflection, regex, zip, I/O, JMX, JNI, math, serialization and JAXP libraries. No particular Java platform or technology has been favored; the set of rules is generic and independent of whether a mobile, enterprise, desktop or web application is being developed.
Notably, the layout enables the practitioner to pick up any chapter or rule at random without requiring him to read the preceding pages. Each rule has a short description of a unique problem and one or more non-compliant and compliant code examples. Risk assessment and references to other coding standards along with bibliography are also provided.
Unfortunately, the suggested tips for automatic detection of described problems aren't very practical because no automated bug detection tools have been vetted. Some rules also have a related vulnerabilities section that preys on weaknesses in commonplace software in context of the described problem.
Chapter 2 focuses on input validation and data sanitization. It highlights attacks such as SQL, XML, and OS injection and XML External Entity (XXE) and suggests corresponding mitigation techniques. It mentions but doesn't elaborate on web-based attacks such as cross-site scripting and CSRF, to avoid being too domain specific. The chapter advises developers to normalize strings, canonicalize and validate path names, refrain from logging unsanitized input, use appropriate internationalization and globalization APIs, avoid string encoding misgivings and other issues.
Chapters 3, 4 and 5 deal with declarations and class initialization, expressions, and numeric operations respectively. Dangers of auto-boxing, side-effects in assertions, integer overflow, and vagaries of floating point arithmetic are discussed at length.
The examples are short, to the point and intellectually challenging for the advanced reader. For example, one rule – don't use denormalized numbers – dissects a vulnerability in Java 1.6 and earlier that allows an attacker to perform a denial of service attack by sending a crafted input to the JVM.
The book devotes a chapter to object-oriented programming and stresses limiting extensibility of classes, encapsulating data, ensuring that code refactoring doesn't result in broken class hierarchies, using generics for fun and profit and so on.
Another chapter discusses Java methods; for example, one rule suggests that subclasses mustn't increase the accessibility of an overridden method. There is some useful information about using methods of the Object class properly. This information is standard advice that can also be found in other books. This book offers all that and more. For example, one rule documents a convincing and exhaustive list of reasons why you shouldn't use finalizers.
The book also highlights misconstrued exception handling practices through examples akin to the shortcuts programmers invent to save themselves from the trouble of having to handle exceptions. It explains why doing that can be insidious. Information disclosure arising from ill-conceived exception handling strategies is also discussed. Some may disagree with the advice on the pretext that exception handling, when done the right way, leads to unreadable code; however, the features presented from Java 7 convincingly offer a middle path. Further, when compliance with a certain rule is believed to be challenging and costly, the standard allows documented deviations and even lists valid exceptions for each rule.
Chapters 9, 10, 11, 12 and 13 are reserved for concurrency related issues. There are more than 30 rules in these chapters; the set could qualify as a handbook of concurrency issues and solutions. At a high level, the chapters cover visibility and atomicity, locking, thread class APIs, thread pools and thread safety in multi-threaded Java programs. The chapters don't assume that the reader has any familiarity with multi-threaded programming.
The next few chapters highlight input-output (I/O) risks such as working with shared directories, using files securely, closing resource handles properly, serialization and more. The book doesn't assume that the reader has a sophisticated background in serialization and builds from the basics. It cites examples of vulnerabilities that necessitate understanding the role of serialization.
A chapter on platform security follows, and is meant for advanced Java users. This chapter leads to another on runtime environment that cautions against signing code, granting permissions frivolously and permitting insecure deployment configurations. The final chapter captures miscellaneous rules that forbid hardcoding sensitive information, leaking memory, generating weak random numbers and writing insecure singletons among other topics.
Many other leading security standards delineate high-level measures that must be taken to ensure compliance but most fall short of prescribing the exact recipe to get there. This book fills that gap by approaching security from the ground-zero level upwards. However, it doesn't clearly specify to what extent the rules will help organizations meet the compliance goals proposed by other security standards. All the same, the eighteen crisp chapters of this book undeniably have the potential to help the software developer win the battle against software insecurity on his own terms.
For those using Java on Oracle and hoping to build secure applications, The CERT Oracle Secure Coding Standard for Java is a very useful resource that no programmer should be without.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase The CERT Oracle Secure Coding Standard for Java from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Higgs Range Narrowed; Hunt Enters Final Stage
gbrumfiel writes "For forty years, the Higgs boson has remained a theoretical construct, but by Christmas, scientists may have a pretty good idea of whether it's real or not. Nature News reports that a new analysis has further narrowed the Higgs range, and data gathered this autumn at the LHC should be enough to show a faint signal from a Higgs, if it's there. (Already one signal has disappeared earlier in the year.) Physicists hope to finish their analysis of the autumn data by the year's end, but even if they come up empty-handed it won't be the end of the story. The Higgs is commonly referred to as the particle that endows others with mass, but its real appeal is the ability to unify the weak nuclear force with electromagnetism. If there is no Higgs, some other mechanism for creating a unified 'electroweak' force should be found inside the LHC." -
Are SOPA Sponsors Violating SOPA Rules? Not So Fast, Says Ars Technica
TheNextCorner writes "Remember how the Stop Online Piracy Act would make streaming of copyrighted material a felony? Many of these lawmakers actually stream copyrighted videos on their websites." However, that's not the whole story, according to a follow-up at Ars Technica to the tweeted claims about streaming and SOPA. From which: "The Electronic Frontier Foundation tweeted the post, and it was re-tweeted more than 100 times. So are the sponsors of SOPA hypocrites? We're not fans of SOPA, so we'd love to have this story check out. But we're also a news site, so we contacted James Grimmelmann, a copyright scholar at New York Law School, (and judging from his tweets, not a SOPA supporter) to get his expert opinion." -
Windows 8 Secure Boot Defeated
jhigh writes "An Austrian security researcher is scheduled to release the first 'bootkit' for Windows 8 at the upcoming MalCon in Mumbai. This exploit loads in the MBR and stays memory resident until Windows loads, resulting in root access to the system. This allegedly defeats the new secure boot features in Windows 8's bootloader." -
Patent Issue Delays Doom 3 Source Code Release
An anonymous reader writes "id Software is still planning to release the Doom 3 source this year, but it's been delayed by a patent issue that's causing John Carmack to personally rewrite some of the code. The patent issue in Doom 3 concerns the Carmack's Reverse algorithm and has led Carmack to rewrite it in the open-source Doom 3." -
Minecraft Is Finished
SharkLaser writes "Minecraft, the most widely known and best-selling indie game in history, is now finished. Minecraft creator Notch tweeted yesterday that Minecraft has gone gold and will be released at the end of the week at the first Minecon, a gathering of Minecraft fans. So far over 4 million people have bought the game, generating over 50 million dollars in revenue. Minecraft has also had a rapid modding community around the game, developing gems like the Millenaire mod, Builders and Tornadoes. Minecraft also brought back the interest in voxel-based engines, introducing games like Ace of Spades (build, make tunnels, capture-the-flag FPS) and Voxatron [note: you might want to turn down your volume for this video]. It also opened up many ways for new indie developers, as Minecraft showed development can be funded solely by making something new and giving out early access to the game for those who are interested in the project. The upcoming Steam-like IndieCity platform will also employ a similar feature where, in addition to a normal indie game store, players can look at unfinished projects and choose to support their development." -
Book Review: Securing the Clicks
brothke writes: "The book Digital Assassination: Protecting Your Reputation, Brand, or Business Against Online Attacks says businesses that take days to respond to social media issues are way behind the curve. Social media operates in real-time, and responses need to be almost as quick. In a valuable new book on the topic, Securing the Clicks: Network Security in the Age of Social Media, Gary Bahadur, Jason Inasi and Alex de Carvalho provide the reader with a comprehensive overview on how not to be a victim of social media based security problems." Read on for the rest of Ben's review.
Securing the Clicks: Network Security in the Age of Social Media; author: Gary Bahadur, Jason Inasi and Alex de Carvalho; pages: 368; publisher: McGraw-Hill Osborne Media; rating: 9/10; reviewer: Ben Rothke; ISBN: 0071769056; summary: Definitive guide around social network security
Social media is now mainstream in corporate America, and even though it is hot, the security and privacy issues around it are even hotter. In the past, many firms simply said no to social media at the corporate level. But as Natalie Petouhoff of Weber Shandwick has observed, that will no longer work, as "social media isn't a choice anymore; it's a business transformation tool".
The main security and privacy issue around social media is that users will share huge amounts of highly confidential personal and business information with people they perceive to be legitimate. Besides that, issues such as malware, vulnerabilities (cross-site scripting, cross-site request forgery, etc.), corporate espionage, phishing, spear phishing and more are just a few of the many security risks around social media that need to be taken into consideration.
In the book, the authors detail a framework for analyzing the corporate threats that arise from social media. The book uses the H.U.M.O.R. methodology (Human resources, Utilization of resources and assets, Monetary considerations, Operations management, Reputation management), a matrix that outlines a systematic approach for developing the necessary security plans, policies and processes to mitigate social media risks.
At 325 pages, the book's 5 parts and 18 chapters provide the reader with a comprehensive overview of all of the critical areas around social media security that can be used to safeguard a firm's assets and digital rights, in addition to defending its reputation from social network-based attacks. The book covers all of the core topic areas, from assessing social media security, to monitoring in the social media landscape, threat assessments, reputation management: strategy and collaboration and more; the authors provide the reader with an enlightening overview of all of the core areas.
In chapter 1 the authors astutely note that no company today is immune to the many threats posed by a single individual, let alone a socially engaged and networked population. No firm should engage in social media before they fully understand the security and privacy risks that are being introduced. This book not only effectually does that; it also provides an all-inclusive framework around social media security.
As to the notion of the inherent security risks around social media, this was recently proven when Chris Hadnagy (author of Social Engineering: The Art of Human Hacking) and James O'Gorman, in their Social Engineering Capture the Flag results from Defcon 19, observed that information leakage via social media is a difficult problem to solve due to how it is used and the frequency with which it is used in today's society. Having access to social media from computers and cell phones means that people can update their accounts instantaneously, from anywhere. The ease with which an employee can share data can contribute heavily to information leakage.
Chapter 4 on threat assessments provides an exhaustive list of the different types of attackers and threat vectors that need to be considered when using social media. The attacks in the social media space are often different from typical IT attackers. As to threat vectors, there are a number of different vectors, both internal and external that can impact an organization. The chapter lists those vectors and details them.
Chapter 9 – monetary considerations – strategy and collaboration – is a fascinating chapter in that it notes that in many firms, IT security budgets have not yet clearly defined the line item for social media security. In addition, trying to retrofit the IT security budget by assuming that tools already purchased for data loss prevention will also cover social media security concerns will likely be inadequate.
Chapter 11 deals with reputation management – which has the goal to build and protect a positive Internet-based reputation, and not let it get subterfuge via social media. This is a significant issue as the risk to a firm's reputation is significant and growing with the increased use of social networks.
One very helpful feature of the book that effectively brings home the message is the numerous real-world case studies in every chapter. One fascinating example in chapter 13 is about the Cooks Source infringement controversy and the nature of how not to respond to a social media issue.
The book also lists numerous tools. Chapter 13 has a comprehensive list of monitoring tools and the appendix has a list of nearly 100 tools for activity tracking, analytics, geolocation, plagiarism checking and more. These lists are extremely helpful, and the reader can start using many of these tools to get an initial pulse on the level of security around how their firm uses social media.
Chapter 14 provides excellent guidance on how to execute social media security on a limited budget. The authors suggest the use of free or inexpensive software and other resources that can be used to help a company monitor the impact of their social media infrastructure. The chapter also details how social media security can be executed on a bigger budget, via the use of more sophisticated tools that can be used to securely manage the data flows within an organization.
It will not be long until Facebook has its 1 billionth user. Given that a New York court recently referred to a user's reasonable expectation of privacy on sites like Facebook and MySpace as wishful thinking, the importance of Securing the Clicks: Network Security in the Age of Social Media can't be overemphasized.
For those firms that are looking to securely use social media, and not get abused by it, this book should be required reading.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Securing the Clicks: Network Security in the Age of Social Media from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
10k Raspberry Pi Units Available In December
An anonymous reader writes "A tweet appeared from Raspberry Pi stating the launch of the $25 PC wasn't happening in November as expected. So I decided to investigate further and contacted Raspberry Pi to see what was going on. Eben Upton was kind enough to email me back and give us some good and bad news. The bad news is: we aren't getting the $25 PC this month as expected. But that's where the bad news ends, as it is still arriving in 2011 for some people. Eben confirmed that an order has been placed for 10,000 units, but they won't arrive until the end of November. That means we will see Raspberry Pi go up for sale in December, but it won't be a typical 'get as many out the door as you can' launch. Those first 10k are earmarked for programmers as software is desperately required before a full consumer launch." Update: Apparently some of the details about the production of units and who can get one from the first batch have changed. Raspberry Pi has updated their front page with the latest information. -
John McCarthy, Discoverer of Lisp, Has Passed Away
The first of a few submitters, szo sent in an early report that John McCarthy passed early yesterday. Paul Graham (among others) confirmed: the news was true. And so, shortly after a fellow founder of countless language descendants, goes the founder of the Lisp tree at the age of 84. -
Pennsylvania Supreme Court Tweets Rulings
Landing an accepted submission, notanymore writes "The PA Supreme Court now has a Twitter account to post rulings and opinions. How could this be a bad thing? It's progression toward making public information more easily accessible. Some argue that it's public shaming but isn't it the same as a newspaper reporting on local crime?" -
US Government Seizes Email of WikiLeaks Volunteer
bs0d3 writes "The U.S. Department of Justice has forced Gmail and Sonic.net to hand over the personal information of Jacob Appelbaum, a WikiLeaks volunteer. Sonic says they fought to keep the DoJ out of Appelbaum's records, which was very expensive but 'the right thing to do.' Google said, 'we comply with the law,' although 'Both Google and Sonic pressed for the right to inform Mr. Appelbaum of the secret court orders, according to people familiar with the investigation.' The collected information and the nature of the investigation remain classified. Appelbaum's Gmail correspondence seized by the DoJ dates back to November 1, 2009, which is believed to be the month that WikiLeaks contributor and Army Private Bradley Manning allegedly began communication with Julian Assange. Last year, federal prosecutors used a similar subpoena to obtain information pertaining to Appelbaum's Twitter account." -
Belgian ISP Ordered to Block The Pirate Bay; Telecomix and TPB Offer Workarounds
bs0d3 writes "Today a court in Belgium overruled an earlier judgment and ordered an ISP to block The Pirate Bay. The type of block to be used by the ISP is a simple DNS filter, which is similar to ones used before in Denmark. In Denmark the DNS block was extremely easy to circumvent, and the attention to The Pirate Bay actually increased Danish site traffic after the block. Today a hacktivist group called Telecomix, which is more recently known for helping to establish communications during the Internet blackout in Egypt, is offering their help. Their custom made 'censorship proof' DNS service is designed for situations just like this. ISP customers facing a block can simply use Telecomix's DNS server instead of the ISP-provided one to access blocked sites such as The Pirate Bay." The Pirate Bay also has suggestions for getting around the DNS block. -
Zune Dead, Then Not Dead, Then Officially Dead
UnknowingFool writes "On Monday Microsoft updated webpages to announce a price drop for the Zune pass subscription, and it removed all references to the Zune hardware. This prompted many to suspect the Zune was dead. A MS spokesman then tweeted that the updates were in error and the Zune was not dead. Then MS later admitted that they will no longer produce hardware but would honor any existing orders. It appears MS has trouble with managing their PR." -
How Google Drove Samsung Away
itwbennett writes "The patent licensing agreement between Microsoft and Samsung this week set off a firestorm of childish tit-for-tat between Microsoft and Google. But more telling is what Samsung had to say about its relationship with Google: 'Samsung knows it can't rely on Google. We've decided to address Android IP issues on our own,' a Samsung official told The Korea Times. The only good news to come from all of this, says blogger Brian Proffitt, is that we may be headed for a courtroom showdown over just what patents Microsoft believes are in violation, which really is what should have happened to begin with." Update: 09/30 20:05 GMT by S : As it turns out, the so-called "Samsung official" cited by The Korea Times turned out to be patent blogger Florian Mueller. -
Book Review: Digital Evidence and Computer Crime
brothke writes "When it comes to a physical crime scene and the resulting forensics, investigators can ascertain that a crime took place and gather the necessary evidence. When it comes to digital crime, the evidence is often at the byte level, deep in the magnetics of digital media, initially invisible to the human eye. That is just one of the challenges of digital forensics, where it is easy to destroy crucial evidence, and often difficult to preserve correctly." Read on for the rest of Ben's review.
Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet; author: Eoghan Casey; pages: 840; publisher: Academic Press; rating: 10/10; reviewer: Ben Rothke; ISBN: 978-0123742681; summary: Definitive reference on the subject of digital evidence and computer crime
For those looking for an authoritative guide, Digital Evidence and Computer Crime is an invaluable book that can be used to ensure that any digital investigation is done in a formal manner that can ultimately be used to determine what happened, and if needed, used as evidence in court.
Written by Eoghan Casey, a leader in the field of digital forensics, in collaboration with 10 other experts, the book's 24 chapters and nearly 800 pages provide an all-encompassing reference. Every relevant topic in digital forensics is dealt with in this extraordinary book. Its breadth makes it relevant to an extremely large reading audience: system and security administrators, incident responders, forensic analysts, law enforcement, lawyers and more.
In the introduction, Casey writes that one of the challenges of digital forensics is that the fundamental aspects of the field are still in development. Be it the terminology, tools, definitions, standards, ethics and more, there is a lot of debate amongst professionals about these areas. One of the book's goals is to assist the reader in tackling these areas and to advance the field. To that end, it achieves its goals and more.
Chapter 1 is appropriately titled Foundation of Digital Forensics, and provides a fantastic overview and introduction to the topic. Two of the superlative features in the book are the hundreds of case examples and practitioners' tips. The book magnificently integrates the theoretical aspects of forensics with real-world examples to make it an extremely decipherable guide.
Casey notes that one of the most important advances in the history of digital forensics took place in 2008 when the American Academy of Forensic Sciences created a new section devoted to digital and multimedia sciences. That development advanced digital forensics as a scientific discipline and provided a common ground for the varied members of the forensic science community to share knowledge and address current challenges.
In chapter 3 – Digital Evidence in the Courtroom – Casey notes that the most common mistake that prevents digital evidence from being admitted in court is that it is obtained without authorization. Generally, a warrant is required to search and seize evidence. This and other chapters go into detail on how to ensure that evidence gathered is ultimately usable in court.
Chapter 6 – Conducting Digital Investigations – is one of the best chapters in the book. Much of this chapter details how to apply the scientific method to digital investigations. The chapter is especially rich with tips and examples, which are crucial, for if an investigation is not conducted in a formal and consistent manner, a defense attorney will attempt to get the evidence dismissed.
Chapter 6 and other chapters reference the Association of Chief Police Officer's Good Practice Guide for Computer-Based Electronic Evidence as one of the most mature and practical documents to use when handling digital crime scenes. The focus of the guide is to help digital investigators handle the most common forms of digital evidence, including desktops, laptops and mobile devices.
The Good Practice Guide is important in that digital evidence comes in many forms, including audit trails, application, badge reader and ISP and IDS logs, biometric data, application metadata, and much more. The investigator needs to understand how all of these work and interoperate to ensure that they are collecting and interpreting the evidence correctly.
Chapter 9 – Modus Operandi – by Brent Turvey is a fascinating overview of how and why criminals commit crimes. He writes that while technologies and tools change, the underlying psychological needs and motives of the offenders and their associated criminal behavior have not changed through the ages.
Chapter 10 – Violent Crime and Digital Evidence – is another extremely fascinating and insightful chapter. Casey writes that whatever the circumstances of a violent crime, information is key to determining and thereby understanding the victim-offender relationship, and to developing an ongoing investigative strategy. Any details gleaned from digital evidence can be important, and digital investigators must develop the ability to prioritize what can be overwhelming amounts of evidence.
Chapter 13 – Forensic Preservation of Volatile Data – deals with the age-old forensic issue: to shut down or not to shut down? It provides a highly detailed sample volatile data preservation process for an investigator to follow to preserve volatile data from a system. There is also a fascinating section on the parallels between arson and digital intrusion investigations.
Part 4 of the book is Computers, in which the authors note that although digital investigators can use sophisticated software to recover deleted files and perform advanced analysis of computer hard drives, it is important for them to understand what is happening behind the scenes. A lack of understanding of how computers function and the processes that sophisticated tools have automated make it more difficult for digital investigators to explain their findings in court and can lead to incorrect interpretations of digital evidence.
Chapter 17 – File Systems – has an interesting section on dates and times. Given the importance of dates and times when investigating computer-related crimes, investigators need an understanding of how these values are stored and converted. The chapter has a table of the date-time stamp behavior on both FAT and NTFS file systems. Time stamps are not a trivial issue, as there are many different actions involved (file moved, deletion, copy, etc.) that can affect the date-time stamp in very different ways.
A better title for Digital Evidence and Computer Crime might be the Comprehensive Guide to Everything You Need to Know About Digital Forensics. One is hard pressed to find another book overflowing with so many valuable details and real-world examples.
The book is also relevant for those who are new to the field, as it provides a significant amount of introductory material that delivers a broad overview to the core areas of digital forensics.
The book progresses to more advanced and cutting-edge topics, including sections on various operating systems, from Windows and Unix to Macintosh.
This is the third edition of the book, completely updated and re-edited. When it comes to digital forensics, this is the reference guide that all books on the topic will be measured against.
With a list price of $70.00, this book is an incredible bargain given the depth and breadth of topics discussed, with each chapter written by an expert in the field. For those truly serious about digital forensics, Digital Evidence and Computer Crime is an equally serious book.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Google Wallet Launches With $10 Credit
Following up on our digital wallet discussion yesterday, CWmike writes "Google officially launched its Google Wallet application today for NFC-ready Sprint Nexus S 4G phone users. The application launches initially for Citi MasterCard credit card holders, but Google also said today that Visa, Discover and American Express will be able to add their cards to future versions of Google Wallet. The application, first announced in May, was described in an official blog post. Visa said in a separate statement that it has licensed Google to use Visa's PayWave technology, used in 'hundreds of thousands' of terminals worldwide. But Visa didn't describe a timeline for when that function would be enabled. Google said it will allow users to add any bank card to a Google Prepaid Card and they will receive $10 to try the service." Reviews of the service are popping up, and many seem to say the same thing; when it works, it's great, but your real wallet isn't going anywhere. -
Court Reinstates $675k File Sharing Verdict
FunPika writes with this excerpt from Wired: "A federal appeals court on Friday reinstated a whopping $675,000 file sharing verdict that a jury levied against a Boston college student for making 30 tracks of music available on a peer-to-peer network. The decision by the 1st U.S. Circuit Court of Appeals reverses a federal judge who slashed the award as 'unconstitutionally excessive.' U.S. District Judge Nancy Gertner of Boston reduced the verdict to $67,500, or $2,250 for each of the 30 tracks defendant Joel Tenenbaum unlawfully downloaded and shared on Kazaa, a popular file sharing peer-to-peer service. The Recording Industry Association of America and Tenenbaum both appealed in what has been the nation's second RIAA file sharing case to ever reach a jury. The Obama administration argued in support of the original award, and said the judge went too far when addressing the constitutionality of the Copyright Act's damages provisions. The act allows damages of up to $150,000 a track." Update: 09/17 21:32 GMT by S : As it turns out, the article's explanation of the decision is a bit lacking; read on for NewYorkCountryLawyer's more accurate explanation. NYCL writes, "The 1st Circuit Court of Appeals has declined to reach the Due Process issue in SONY BMG Music Entertainment v. Tenenbaum. In a 65-page decision (PDF), which rejected all of Tenenbaum's counsel's other arguments, and which otherwise praised Judge Gertner's handling of the trial, the First Circuit felt that under the doctrines of judicial restraint and constitutional avoidance, it was premature to decide the constitutional issue without first disposing of the defendant's motion on common law, remittitur grounds. The Court gave several examples of scenarios which might have occurred, had the lower court decided the remittitur question, which would have avoided embarking down the constitutional path." -
Ballmer Hints At 'Metro-ization' of Office
CWmike writes "Microsoft's CEO strongly hinted this week that the company will craft a Metro-style version of the next Office suite. 'You ought to expect that we are rethinking and working hard on what it would mean to do Office Metro style,' Ballmer told a Wall Street analyst. Metro, a tile- and touch-based interface borrowed from Windows Phone 7, would be a massive change for Office, one that would dwarf the 'ribbonization' that set off a firestorm of complaints about Office 2007's new look. The criticism died down, and Microsoft later extended the ribbon in Office 2010 and Windows 7. It will ribbonize other components of Windows 8, notably the OS's file manager. One analyst believes Metro Office is a done deal. 'I think they need something in Metro to enable people to work on documents on tablets,' said Rob Helm, an analyst with Directions on Microsoft. 'They need something on ARM.'" -
Intel's Thunderbolt With Fiber Optics Years Away
CWmike writes "Intel's Thunderbolt high-speed interconnect technology could be years away from getting optical technology, an Intel executive said this week at IDF. Originally introduced in February on Macs, Thunderbolt was pitched as being optical technology but currently uses copper wires. Dadi Perlmutter of Intel's Architecture Group said copper wires are working much better than expected, and that fiber was expensive. 'It's going to be way out,' Perlmutter said. 'At the end of the day it's all about how much speed people need versus how much they would be willing to pay.'" -
Jobs Bill Funds Safety Network With Spectrum Sale
CWmike writes "President Barack Obama's American Jobs Act would allow the FCC to conduct so-called incentive auctions, in which the agency would share the proceeds of a spectrum auction with television stations that voluntarily give up their spectrum. The goal would be to raise $6.5 billion to fund a nationwide voice and data network for police, fire departments and other emergency responders. Lawmakers and other groups have called for a nationwide public safety network since emergency responders had trouble communicating with each other during the Sept. 11, 2001 terrorist attacks on the U.S." -
HD Transfer of Star Trek: TNG To Arrive This Year
psychonaut writes "Digital Bits have confirmed through sources at CBS Paramount that CBS are working on a high-definition transfer of Star Trek: The Next Generation. A four-episode Blu-Ray sampler disc is to be released later this year; the episodes featured will be the two-part pilot 'Encounter at Farpoint,' 'Sins of the Father,' and fan favourite 'The Inner Light.' On 2 September, LeVar Burton tweeted that he had stopped by CBS Paramount Television City to check the progress and was 'mindblown' by the conversion. TrekCore has an article with further details and an analysis of some of the technical hurdles involved in remastering these episodes." -
The Linux Counter Relaunches
psychonaut writes "Long-term readers of Slashdot may be familiar with The Linux Counter, which attempts to measure (through surveys and statistics) the number of people using GNU/Linux operating systems. The project started in 1993 and shot to fame six years later, largely as a result of three Slashdot articles (two of which brought the Counter to its knees). After four years of stagnation, project founder Harald Tveit Alvestrand has handed over the reins to a new maintainer, Alexander Mieland. Over the past few months, Mieland has completely redeveloped the project, with a modernized design and support facilities (including a bug tracker, mailing list, RSS feed, and Twitter account). The New Linux Counter is now up and running, with all the data for active users from the old counter. The old site will continue to operate for a time but will soon be shut down and requests redirected to the new site." -
Adobe Brings Flash-Free Flash To iOS Devices
CWmike writes "At long last Adobe Flash has come to an iPad or iPhone, writes Jonny Evans. Adobe appeared at Europe's NAB equivalent, IBC, this week to introduce Adobe Flash Media Server 4.5 and Adobe Flash Access 3.0. Adobe's solution repackages content in real-time, changing the protocol to suit the target device, HTTP Dynamic Streaming or HLS, for example. This should mean that iOS devices will get many of the advantages of Flash video support, without the processor degradation and battery life cost of the format in use on other devices. 'With Adobe Flash Media Server 4.5, media publishers now have a single, simple workflow for delivering content using the same stream to Flash-enabled devices or to the Apple iPhone and iPad,' Adobe says." -
Apple Criticized For Not Blocking Stolen Certs
CWmike writes "A security researcher is criticizing Apple for lagging with its response to the DigiNotar certificate fiasco. He is urging the company to quickly update Mac OS X to protect users. 'We're looking at some very serious issues [about trust on the Web] and it doesn't help matters when Apple is dragging its feet,' said Paul Henry, a security and forensics analyst with Lumension. Unlike Microsoft, which updated Windows on Tuesday to block all SSL certificates issued by DigiNotar, Apple has not updated Mac OS X to do the same. Meanwhile, even Mac OS X users who want to go DIY are stymied, reports Bob McMillan, because the OS can't properly revoke dodgy digital certificates." -
Full Duplex Wireless Tech Could Double Bandwidth
CWmike writes "Rice University researchers announced on Tuesday that they have successfully demonstrated full-duplex wireless tech that would allow a doubling of network traffic without the need for more cell towers. Professor Ashutosh Sabharwal said the innovative technology requires a minimal amount of new hardware for both mobile devices and networks. However, it does require new standards, meaning it might not be available for several years as carriers move to 5G networks, he added. By allowing a cell phone or other wireless device to transmit data and receive data on the same frequency, unlike with today's tech, the new standard could double a network's capacity. Rice has created a Wireless Open-Access Research Platform (WARP) with open source software that provides a space for researchers from other organizations to innovate freely and examine full-duplex innovations." -
Google Kills Desktop Search and Gadgets
CWmike writes with an article in Computerworld about Google axing yet another product. From the article: "Google has decided to retire Desktop, an application it first launched in 2004 that is designed to let people search for files and data stored in their computers' hard drives. It was one of the first products Google aimed against Microsoft and was intended to improve upon the native search functionality found in Windows. Desktop search became an area of competition, as Microsoft responded to the challenge and others such as Yahoo launched their own products. However, Google has decided that, with the popularity of cloud computing and users' increasing comfort with Web apps, the time has come to decommission Desktop, it said in a recent blog post. As of September 14, Google will also end support for Desktop APIs, services, plug-ins and gadgets." From the looks of it the announcement implies that Google Gadgets are getting the axe too, which a few more people might be using. -
Dutch Government Revokes Diginotar Certificates
An anonymous reader writes "After previously claiming that the Iranian hack of CA Diginotar did not compromise certificates of the Dutch government, it has now been decided that there is too much risk and the certificates will have to be revoked after all (original Dutch text). Since the Dutch government has been using only Diginotar-supplied certificates, this will leave all government websites with invalid certificates while a new supplier is being searched for. The minister of internal affairs recommends people not to use the websites if a warning about an invalid certificate appears." Related: Reader TheAppalasian links to Johnathan Nightingale of Mozilla Engineering explaining in clear terms why DigiNotar should no longer be trusted. -
Age Bias In IT: the Reality Behind the Rumors
CWmike writes "Is high tech really that tough on older workers, or are they simply not pulling their weight in an industry that never stops innovating? Age bias: Some consider it IT's dirty little secret, or even IT's big open secret. Older workers have been hit harder by the recession. '[Age bias is] something that no [employer] talks about. But it's a reality in tech that if you're 45 years of age and still writing C code or Cobol code and making $150,000 a year, the likelihood is that you won't be employed very long,' says Vivek Wadhwa, who currently holds academic positions at several universities, including UC Berkeley, Duke and Harvard. Wadhwa's observation indicates that age bias is a simplistic label for a complicated set of factors that influence the job prospects for senior tech employees." -
Starz To Pull Content From Netflix
tekgoblin writes "Starz plans to remove all of its movies and TV shows from the Netflix streaming library after negotiations failed. Starz, which is owned by John Malone's Liberty Media, said they have ended talks with Netflix to renew a deal that ends February 28th. Netflix stands to lose a large amount of content, as Starz has licenses for first run Sony and Walt Disney movies." -
"Apache Killer" Web Server Hole Plugged
CWmike writes "The Apache open-source project has patched its Web server software to quash a bug that a denial-of-service (DoS) tool has been exploiting. Apache 2.2.20, released Tuesday, plugs the hole used by an 'Apache Killer' attack tool. On Aug. 24, project developers had promised a fix within 48 hours, then revised the timetable two days later to 24 hours. The security advisory did not explain the delay." -
Windows 8 Desktop 'Just Another App'?
CWmike writes "Steven Sinofsky, president of Microsoft's Windows and Windows Live division, said this week that Windows 8 will let users treat the traditional desktop as 'just another app' that loads only on command. When it unveiled Windows 8's UI in June, Microsoft said it would feature a 'touch-first' interface to compete in the fast-growing tablet market. Underneath that, however, would be a traditional Windows-style desktop. 'Having both of [the] user interfaces [work] together harmoniously is an important part of Windows 8,' Sinofsky said in a blog post on Wednesday. The Metro-style UI — the one inspired by Windows Phone 7's tile-based design — will be the first to show up when a user boots a device. At that point, users reach a crossroads. 'If you want to stay permanently immersed in that Metro world, you will never see the desktop — we won't even load it (literally the code will not be loaded) unless you explicitly choose to go there,' Sinofsky said. 'If you don't want to do ... 'PC' things, then you don't have to and you're not paying for them in memory, battery life or hardware requirements.' If using a conventional PC with keyboard and mouse, Windows 8 users will run an 'app' to load the desktop, he said. 'Essentially, you can think of the Windows desktop as just another app.'"