Slashdot Mirror

An anonymous reader writes "While browsing around the Fox News website, I found that directory indexes are turned on. So, I started following the tree up, until I got to /admin. Eventually, I found my way into /admin/xml_parser/zdnet/, in which, there is a shell script. Seeing as it's a shell script, and I use Linux, I took a peek. Inside, is a username and password to an FTP. So, of course, I tried to login. The result? Epic fail on Fox's part. And seriously, what kind of password is T1me Out. This is just pathetic." It's already been changed of course, but that's still pretty amusing.

Paris The Pirate writes "This article at Whitedust displays some very interesting logs from Vista showing connections to the DoD Information Networking Center, United Nations Development program and the Halliburton Company; for no reason other than the machine was running Vista. From the article 'After running Vista for only a few days — with a complete love for the new platform the first sign of trouble erupted. I began noticing latency on my home network connection — so I booted my port sniffing software and networking tools to see what was happening. What I found was foundation shaking. The two images below show graphical depictions of what has and IS trying to connect to my computer even in an idle state'."

An anonymous reader writes "The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon. An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here."

An anonymous reader writes "Whitedust is running an interesting article on honeypots and their uses. From the article: 'Most papers deal with the potential gains a honeypot can give you, and the proper way to monitor a honeypot. Not very many of them deal with the honeypots themselves... Honeypots can be used to ensnare and beguile potential hackers; entice them to give you more research information, and actively defend your production network."" From the article: "Once an attacker has taken all the trouble to set up shop on your honeypot, he'll probably want to see what else there is to play with. If your honeypot is like most traditional honeypots, there's not much for an attacker to do once he gets in. What you really want if for the attacker to transfer down all the other toys in his arsenal so you can have a copy as well. Giving an attacker additional targets with various operating systems and services can help him decide to give you his toys. The targets can be real, but you'll get almost as much mileage if they're simulated. A good place to start is to put a phantom private network up hung off the back of the honeypot."

Slashdot tonight brings some corrections, clarifications, and updates to previous Slashdot stories, including a few thoughts on the McKinnon situation, New Zealand revises their views on OSS, Korean cloners facing possible jail time, the fight for .xxx continues, more details on Diebold problems, the Supreme Court sides with eBay, AT&T denied a closed hearing, and Sony's Blu-Ray demo on the level. -- Read on for details.

Mathew Bevan speaks out on McKinnon case. mrkuji writes "Ex military hacker Mathew Bevan AKA Kuji has released his comments and thoughts about the goings on of the McKinnon hacker extradition trial."

New Zealand revises their view of OSS. sam_vilain writes "As previously noted here on Slashdot, the New Zealand State Services Commission has some problems with open source software. The new version of their legal guidelines document for OSS in NZ government, however, is a breath of fresh air."

Korean cloners facing possible jail time. reporter writes "In a stunning conclusion to the saga of the Korean cloning scientist who fabricated his results, the Korean government wants to throw him in prison. The BBC reports, "The South Korean cloning scientist who faked his stem cell research has been charged with fraud and embezzlement. [...] Prosecutors claim he [, using grant funds,] bought a car and paid contributions to politicians and company officials who helped to arrange his grants. [...] The misuse of state funds carries a jail term of up to 10 years, while a violation of bio-ethics laws can mean up to three years in prison.'"

The fight for .xxx to continue? Robert writes "ICANN has played down the role that the conservative US government had in its decision to reject a plan to launch a porn-only internet domain, while the company backing the .xxx proposal said it was considering an appeal. From the article: 'Stuart Lawley, president of ICM, after spending at least two years and over $2m on campaigning for .xxx to be approved, told us he thought the deal was shot down for political reasons, and said he was weighing a response. [...] The reason people suspect that US concerns were key, and the reason that the media keeps harping on about it, is because ICANN's powers are granted under a contract with the US Department of Commerce. That contract ends in four months, and so far nobody seems to know what happens after it expires.'"

More details on the Diebold problem. An anonymous reader writes "SecurityFocus' Rob Lemos has published an article with many more details on the critical Diebold problems, implications for upcoming state elections next week, and quotes from key scientists who have detailed knowledge of how easily the flaws can be exploited." Relatedly eldavojohn writes "USA Today is reporting that Diebold CEO Walden O'Dell has resigned. From the article: "The board of directors and Wally mutually agreed that his decision to resign at this time for personal reasons was in the best interest of all parties," said John Lauer, Diebold's non-executive chairman of the board."

Supreme Court sides with eBay in patent suit. theodp writes "In a unanimous decision, the Supreme Court sided with eBay in a fight over the use of its 'Buy It Now' feature, which will make it easier for companies to avoid court injunctions barring the continued use of technology after a patent infringement finding, such as the one used by Amazon against Barnes & Noble in the midst of the Christmas holiday season over its soon-to-be-reexamined 1-Click patent."

AT&T denied a closed hearing. guygee writes "According to the San Francisco Chronicle, AT&T has lost its '11th hour bid' to force closed hearings on unsealing critical documents in EFF's class-action lawsuit alleging AT&T's illegal transfer of its customer's telephone and Internet records and communications to the National Security Agency. According to the report, 'An AT&T lawyer sent a letter by fax to Chief U.S. District Judge Vaughn Walker on Tuesday asking that the courtroom be closed during any discussion of its trade secrets or confidential information.' EFF is also reporting the breaking news on the case." Relatedly DarkAudit writes "A commissioner for the FCC wants an investigation into whether or not phone companies broke the law by handing over their records to the NSA."

Sony's Blu-Ray demo on the level. eaglebtc writes "Gearlog.com has retracted a previous accusation against Sony regarding their alleged use of a DVD+R instead of a Blu-Ray disc in a demonstration. In the original announcement, Gearlog.com claimed that Sony was using a DVD+R to demonstrate Blu-Ray technology, in an attempt to show that Sony was not ready to market the product."

An anonymous reader writes "Whitedust has some interesting commentary on this BBC article which claims that 'UK hackers' have condemned Gary Mckinnon's trial. From the article: 'Another example of some truly awful and misinformed mainstream tech reporting here. The article claims that UK hackers are almost all in support of Mr Mckinnon when in truth as we all know the entire tech community has agreed that Mr Mckinnon is not only an idiot but a deluded attention seeker.'"

Slashback, as always, provides updates and clarifications to previous Slashdot stories. Tonight we bring you updates on Australian Smart ID Cards, the security danger that USB memory sticks pose, Wal-Mart's Wikipedia War, Lego Mindstorms, LiveJournal's stance on Ad-Blocking software, and news about 'Spam King' Alan Ralsky. Read on for more. Update on Australian Smart ID Card. CaptainDefragged writes "According to an article at Australian IT News, the data from Smart Card that our government is introducing is going to be used for a lot more than just health care and welfare fraud prevention. From the article: 'Intelligence agencies and police will be given access to a vast database of biometric photographs of Australians to be created for the new health and welfare smart card to fight terrorism and more general crime. ASIO and the Federal Police will be allowed routine access to the smart card database on national security issues, while state police will have restricted access for general crime investigations.'"

USB sticks as a security threat. martijnd writes "The BBC follows up on the risks of USB sticks as a threat to business by looking at data theft and virus-spreading-as-from-a-floppy infiltration."

More On Wal-Mart's Wikipedia War. An anonymous reader writes "Past the media coverage of their article 'Wal-marts Wikipedia War', Whitedust has apparently received an interesting email from Mike Krempasky (representing Edelman Public Affairs in Washington, DC). While maintaining that Whitedust has no actual specific issue with Wal-Mart - the article was published on the simple premise that Wikepedia's important neutrality was apparently being compromised - and in the interests of a more balanced argument, Whitedust have published the email in full to their readership along with some other interesting notes."

Mindstorms NXT: Mindstorms Resurrected?. Since the announcement of Mindstorms NXT; many people believe that my earlier article was completely off target. My latest article, Mindstorms NXT: Mindstorms Resurrected?, attempts to complete the analysis. It concludes that Mindstorms NXT does not represent any change of direction for Lego; and unless forced by competition to act otherwise, Lego will continue to market Mindstorms as a niche product line."

Spam King Alan Ralsky NOT Jailed. narzy writes "DailyTech.com is reporting that contrary to reports last week, spam king Alan Ralsky was in fact not picked up by the Feds. Inquires put in to the DoJ and Detroit FBI field office resulted in puzzling dead ends as both agencies had no information as to having Mr. Ralsky in custody. Early Monday morning the original source recanted the story of Mr. Ralsky's arrest."

LiveJournal Explains Ban on Ad-Blocking Software. An anonymous user writes "LJ Founder, Brad Fitzpatrick, blames the change to the Terms of Service on boilerplate language put into the document by 'some lawyers'." From the article: "This is a pre-announcement that a more user-friendly TOS change is on its way. (After all, we can't even detect that you're even using ad blockers to begin with, so there's no point in us saying you can't. Plus you might not even have control over what's installed on your computer, etc.) So, yeah, sorry: we messed up."

An anonymous reader writes "Whitedust is running an article which claims that lobbyists for Wal-mart have successfully waged a war against a fair viewpoint on Wikipedia's Wal-mart page. From the article: "Although Wikipedia maintains a 'Neutral Point of View' (NPOV) policy, the Wal-mart page is highly biased. Additionally, all criticism has, contrary to policy, practice, and the general opinion of those concerned, been moved to a Debates Over Wal-mart section. Even that page has noticeable resistance to negative points of view about Wal-mart."

An anonymous reader writes "Whitedust is running an informative interview with their Founders - Mark Anderson and Mark Hinge. In the interview the two Mark's set out the reasoning behind and the future of Whitedust.net." From the article: "Mark Anderson had been on at me as regards doing what he coined 'HTML Ezine' for a long time - I had been a bit of a purist about it but he finally won me around to his mode of thinking. At the same time there was something that had personally been bugging me since @stake took over hackernews and that was the lack of centralized INFOsec information; people had tried to produce a site along these lines but had either become totally bias, or been maintained badly (lack of updates etc). I saw what I considered a gap in the market and convinced Mark that the topic of any 'HTML Ezine' should be Information Security (something we both knew a fair bit about anyway)."

An anonymous reader writes "Whitedust is running a very interesting article with the DEF CON speaker and cryptographer Elonka Dunin. The article covers her career and specifically her involvement with the CIA and other US Military agencies."

An anonymous reader writes "What are the driving forces behind the rise of malware? Who's behind it, and what tactics do they use? How are vendors responding, and what should organizations, researchers, and end users keep in mind for the upcoming future? All these questions and more are answered in the well written (MHO) Future Trends of Malware"

An anonymous reader writes "Whitedust Security are reporting on a new exploit for Firefox which apparently affects all versions of the browser from 1.0.7 down. From the article: "If this exploit has made it out into, or indeed been retrieved from the wild is unknown at this time. However it is clear that this exploit will indeed need patching as soon as possible.""

An anonymous reader writes "Whitedust has an interview with Fyodor, creator of NMAP. The interview covers a broad range of topics from Fyodor's roots and motivations in the security world to his newer projects and even mentions Fyodor's forthcoming book on NMAP network scanning."

An anonymous reader asks: "The argument regarding the principle nature of hacking - be it an art or a science is not a new one. This paper hopes to discuss both the meaning of the term 'hack' and the underlying arguments for it being defined as an art or a science, in reference to the base principles and basic methodologies of the discipline. So in your opinion, is hacking art or science?"

An anonymous reader writes "Whitedust Security have released an interesting article discussing online reconnaissance techniques. From the article: 'Sometimes thirty-two bits are all you need. This is a guide to Internet reconnaissance - a guide to finding out as much as you can concerning a target via the Internet'."

An anonymous reader wonders: "SC Magazine are running an article on the growth of so called Dark Mail Attacks. Whitedust Security appear to have identified this as a potential problem way back in December 2004. Since that time, a marked increase in attacks of this nature, including the recent attacks on the UK Government infrastructure, have been recorded. Are these types of attack a new large scale threat or just a passing fad?"

An anonymous reader wonders: "SC Magazine are running an article on the growth of so called Dark Mail Attacks. Whitedust Security appear to have identified this as a potential problem way back in December 2004. Since that time, a marked increase in attacks of this nature, including the recent attacks on the UK Government infrastructure, have been recorded. Are these types of attack a new large scale threat or just a passing fad?"

An anonymous reader writes "The final issue of Phrack has been released. From the introduction: 'For 20 years PHRACK magazine has been the most technical, most original, the most Hacker magazine in the world. The last five of those years have been under the guidance of the current editorial team. Over that time, many new techniques, new bugs and new attacks have been published in PHRACK. We enojoyed every single moment working on the magazine.'" Despite earlier reports to the contrary, though, "this is NOT to be the end of Phrack." All straight?

An anonymous reader writes "Whitedust is running an interview with Paul Watson. Watson, who discovered a flaw in TCP/IP that could allow attackers to reset connections last year, made a splash with the media. He talks about how he got his start in computer security, as part of the early warez scene, his work in the Air Force and the US Government, and his current projects. He is now working at the leading search engine in the world, Google."

An anonymous reader writes "Whitedust are running an interesting article on the security aspects of VoIP. From the article: "The fact that VoIP operates across standard networks makes it vulnerable to all manner of IP hacking - including man in the middle attacks,sniffing, session hijacking, etc." Considering it's recent growth, how secure is VoIP?" PCM2 sent us a wired bit about Phil Zimmerman of PGP working on a privacy system for Voice over IP calling

An anonymous reader writes "Whitedust is running a interesting article on Tor, The Onion Router project sponsored by the EFF. Tor aims to offer anonymous internet use. Once sponsored by the Naval Research Lab with support from DARPA, it is now managed by The Free Haven Project. Although Tor claims to improve safety and security, the article goes into detail on how Tor can be used as a anonymous attack platform."

An anonymous reader writes "SecurityFocus has published an interview with Dan Kaminsky. He was guest-hacker at Microsoft Blue-Hat event. At the same time, Whitedust is running an interview with Richard Thieme from back in April. Richard is best known for his column 'Islands in the Clickstream' which is syndicated in over 60 countries." Thieme also wrote a column or two for Slashdot back in the day. From the Kaminsky interview: "Corporations are not monolithic -- there is no hive mind that can one day change every opinion towards some sort of 'rightthink'. Microsoft has said the right things about security for years, but then, who hasn't? Security requires more than PR, or even proclamations from C-levels."

An anonymous reader writes "According to a Whitedust article you may currently have more on your network than you think you do. The article claims that not much security attention is generally given to one of the most elusive aspects of computer security; that of physical connectivity." From the article: "Broadcast traffic is on the rise, with more suspicious user activity in the logs every day. Then one morning you get a call from your irate boss wanting to know why he no longer has a network connection, yet the employees - or students or whoever - down the hall are able to play games and visit porn sites, at blazing speeds no less."

An anonymous reader writes "Whitedust has a very interesting article on the recent SSH brute force attacks. The article goes into depth on how to monitor these attackes and to report them to the authorities. It also discusses various tools that are available. According to the article, mostly compromised Linux systems from outside of North America are responsible for the attacks. Even the author's DSL connection was getting break-in attempts."

BlueSharpieOfDoom writes "Whitedust has an interesting article posted about the new zlib buffer overflow. It affects countless software applications, even on Microsoft Windows. Some of the most affected application are those that are able to use the PNG graphic format, as zlib is wildely used in compression of PNG images. Zlib was also in the news in 2002 because of a flaw found in the way it handled memory allocation. The new hole could allow remote attackers to crash the vulnerable program or even the possiblity of executing arbitrary code."

BlueSharpieOfDoom writes "Whitedust has an interesting article posted about the new zlib buffer overflow. It affects countless software applications, even on Microsoft Windows. Some of the most affected application are those that are able to use the PNG graphic format, as zlib is wildely used in compression of PNG images. Zlib was also in the news in 2002 because of a flaw found in the way it handled memory allocation. The new hole could allow remote attackers to crash the vulnerable program or even the possiblity of executing arbitrary code."

An anonymous reader writes "Whitedust is reporting on a HTTP request smuggling vulnerability in Apache. The flaw apparently allows attackers to piggy back valid HTTP requests over the 'Content-Length:' header, which can result in cache poisoning, cross-site scripting, session hijacking and other various kinds of attack. This flaw affects most of the 2.0.x branch of Apache's HTTPD server."

GregThePaladin writes "A 7-year-old flaw that could let an attacker place malicious content on trusted Web sites has resurfaced in the most recent Firefox browser, Secunia has warned. The flaw, which also affects some other Mozilla Foundation programs, lies in the way the software handles frames. The applications don't check whether the frames displayed in a single window all originate from the same Web site." Commentary on this at whitedust as well.

An anonymous reader writes "Whitedust Security is running an interview with Simple Nomad, the Founder of the nomad mobile research centre, an international group of hackers who explore technology. A well established figure in the hacker underground and surrounding community, Simple Nomad here gives his views on his professional past and various IT Security issues."

An anonymous reader writes "Whitedust Security is running an interview with Simple Nomad, the Founder of the nomad mobile research centre, an international group of hackers who explore technology. A well established figure in the hacker underground and surrounding community, Simple Nomad here gives his views on his professional past and various IT Security issues."

An anonymous reader writes "Various news sources including ZDnet are today reporting that Microsoft is considering buying out Red Hat, speculating that 'Microsoft could see Red Hat's acquisition as a nice way to undermine IBM, but might not consider that a sufficient reason to do it,' adding that Red Hat is however '...a company that wants to be Microsoft and, like Microsoft, makes its living packaging and selling other people's ideas.'" That description seems to miss the key point that Red Hat releases the software they package and sell as Free software, and that both companies pay coders to create and improve software in the first place.

An anonymous reader writes "Several flaws have been uncovered by security firm eEye in Microsoft's Internet Explorer. The flaws allow remote compromise of computers running Windows Operating Systems and affect IE, Outlook and possibly other MS software. With the next MS Windows security bulletin release scheduled for June 14, 2005 news sources are reporting that in comparison with the Mozilla Foundation's prompt fix for the recently reported Mozilla 1.0.3 vulnerabilities MS appear to be leaving a large window for the possible malicious exploitation of these flaws."

An anonymous reader writes "News sources are reporting that a 'killer' new Firefox exploit has been revealed today by FrSIRT who warn that this 0day exploit/vulnerability (as yet unpatched) should be rated as critical. Summary of the exploit: If a user clicks anywhere on a specially crafted page, this code will automatically create and execute a malicious batch/exe file. Proof of concept code supplied by FrSIRT."

An anonymous reader asks: "Since 2002, corporate executives have been held accountable through the Sarbanes-Oxley Act (SOX) for their own internal IT security (with heavy fines and even prison terms when SOX isn't complied with) despite the fact that this level of accountability doesn't exist for some critical elements of the internet. Is it high time for industry to collaborate on a stringent security doctrine to hold organizations accountable for operating, providing and commercializing Internet service, in effect a Sarbanes-Oxley Act for the Internet?"