Domain: zdnet.com
Stories and comments across the archive that link to zdnet.com.
Stories · 2,686
-
Microsoft Installs New Software Without Permission
Futurepower(R) writes "Even though I have Automatic Updates turned off, on August 28, 2007, between 3:49 and 3:51 AM PDT, Microsoft installed new files on my Windows XP computer." Nine files are updated on Vista and on XP SP1, a different set on each, relating to Windows Update itself. Microsoft-watch.com's Joe Wilcox and ZDnet's Adrian Kingsley-Hughes confirm the stealth update. -
Does Google Own Your Content?
mjasay writes "ZDNet is reporting that Google has a potentially worrisome clause in its User Agreement for Google Apps. Namely, that any content put into the system and 'intended to be available to the members of the public' is free game for Google, reserving the right for Google 'to syndicate Content submitted, posted or displayed by you on or through Google services and use that Content in connection with any service offered by Google.' Google may not be evil, but giving it these (and other) rights to one's data should be ringing alarm bells in the Google Apps user base." -
MS Responds To Vista's Network / Audio Problems
quirdan writes "With the discovery last week of the connection between Vista's poor networking performance and audio activities, word quickly spread around the Net. No doubt this got Microsoft's attention, and they have responded to the issue. Microsoft states that 'some of what we are seeing is expected behavior, and some of it is not'; and that they are working on technical documentation, as well as applying a slight sugar coating to the symptoms. Apparently they believe an almost 90% drop in networking performance is 'slight,' only affects reception of data, and that this performance trade-off is necessary to simply play an MP3." -
Microsoft Axes 'Get The Facts'
tom66 writes "Seems like a long time coming, as Microsoft today has axed its Anti-Linux campaign 'Get the Facts', and Microsoft has replaced it with a new campaign, called 'compare'. This article touches up on why they may have done it, and the criticism surrounding Get the Facts." -
Nanotechnology Boosts Solar Cell Performance
Roland Piquepaille writes "Physicists from the University of Illinois at Urbana-Champaign (UIUC) say they have improved the performance of solar cells by 60 percent. And they obtained this spectacular result by using a very simple trick. They've coated the solar cells with a film of 1-nanometer thick silicon fluorescing nanoparticles. The researchers also said that this process could be easily incorporated into the manufacturing process of solar cells with very little additional cost. Read more for additional references and a photo of a researcher holding a silicon solar cell coated with a film of silicon nanoparticles." -
Cross-Platform Microsoft
willdavid sends us to the ZDNet blogs for a provocative opinion piece by John Carroll. He points to Microsoft's evident cross-platform strategy with Silverlight, and wonders whether the company couldn't make money — and win friends — by extending its excellent development ecosystem cross-platform. "Microsoft, apparently, is helping the folks at Mono to port Silverlight to Linux. This is good news, as the primary fear I've heard from developers is that Silverlight will be locked to Microsoft platforms and products. Microsoft has already committed to supporting Silverlight cross-browser on Windows, and has a version that runs on Mac OS X (which is even available from the Apple web site). The last step is Linux, and Microsoft is working with Novell and Mono to make this happen." -
Images of Endeavour's Damaged Tiles
Roland Piquepaille writes "Neptec Design Group, a Canadian company and a NASA prime contractor for 25 space missions, was kind enough to send me exclusive images of Endeavour's damaged tiles during its last take-off. So here are some of these pictures" The pictures are pretty amazing and make the urgency of this whole thing much more amazing. -
Only 25% of Firefox Downloaders Are 'Active Users'
bheer writes "The Guardian points out a page on the Mozilla wiki noting that 'only 50% of the people downloading Firefox actually try it out, and only a further half of those continue to use it actively.' ZDNet has some commentary on the browser's retention rate. While a 25% retention rate isn't necessarily bad, Mozilla is trying to improve these figures with a 12 point plan that includes more TV and media advertising, a better start page and several installation tweaks." -
ATI Driver Flaw Exposes Vista Kernel to Attackers
Shack0ption writes "An unpatched flaw in an ATI driver was at the center of the mysterious Purple Pill proof-of-concept tool that exposed a way to maliciously tamper with the Windows Vista kernel. The utility, released by Alex Ionescu and yanked an hour later after the kernel developer realized that the ATI driver flaw was not yet patched, provided an easy way to load unsigned drivers onto Vista — effectively defeating the new anti-rootkit/anti-DRM mechanism built into Microsoft's newest operating system. Ionescu confirmed his tool was exploiting a vulnerability in an ATI driver — atidsmxx.sys, version 3.0.502.0 — to patch the kernel to turn off certain checks for signed drivers. This meant that a malicious rootkit author could essentially piggyback on ATI's legitimately signed driver to tamper with the Vista kernel." -
The Physics of Beer Bubbles
Roland Piquepaille writes "Yesterday, I told you about virtual beer. Today, we follow two North American researchers who are studying the physics of real beer bubbles. 'Singly scattered waves form the basis of many imaging techniques such as radar or seismic exploration.' But pouring beer in a mug involves multiply scattered acoustic waves. They are more complex to study, but they can be used to look at various phenomena, such as predicting volcanic eruptions or understanding the movement of particles in fluids like beer. They also could be used to monitor the structural health of bridges and buildings or the stability of food products over time. Read more for additional references and a photo showing how the researchers monitor beer bubbles." -
ZDNet Says AMD Posts Blatantly Deceptive Benchmark
Glasswire writes "George Ou, writing in ZDNet's Real World IT blog, accuses AMD of comparing processors the company will not be shipping for months (2.6GHz Barcelona quad core) with older Intel Xeon quad cores rather than currently shipping ones which would beat the (hypothetical) score AMD claims for the future Barcelona. I guess while even the much slower 2.0GHz Barcelona is due soon AMD didn't think results from the 2.0 would look good enough — even against the slower Xeons they picked. Maybe the right comparison should be either best cpu against best cpu — or compare ones at the same price — and only shipped products." -
Google Protects Healthcare From Michael Moore
An anonymous reader suggests we stop over to ZDNet for a case where Google may be stepping on the wrong side of that famous Don't Be Evil line. A Google staffer is offering to help the healthcare industry contain the damage that Michael Moore's film is about to do. (Here is the original Google Health Advertisement blog post by Lauren Turner; in case it disappears, it is reproduced in full in the ZDNet post.) Quoting from the Google post: "Many of our clients face these issues; companies come to us hoping we can help them better manage their reputations through 'Get the Facts' or issue management campaigns. Your brand or corporate site may already have these informational assets, but can users easily find them? We can place text ads, video ads, and rich media ads in paid search results or in relevant websites within our ever-expanding content network. Whatever the problem, Google can act as a platform for educating the public and promoting your message. We help you connect your company's assets while helping users find the information they seek." -
Dell To Sell Advanced Server Cooling Systems
Mitechsi writes "Dell has struck a deal with Emerson to sell advanced liquid cooling systems and services to data center owners. One type of supplemental cooling technology is called the Liebert XD. The XD consists of refrigerant-filled pipes that snake around the server racks in a data center. The liquid system cuts the cooling power load by about 30%–50% compared to other types of cooling systems." -
Microsoft to Simplify Downgrades From Vista to XP
castrox writes "Microsoft has noted that many corporate users want to run XP instead of Vista. They are now simplifying the downgrade process for top OEMs. Currently, all OEMs must call Microsoft whenever a downgrade is done. After the new procedure is put into place, OEMs may submit batches of keys to Microsoft online. According to the Microsoft blog on ZDNet, the 'downgrade software' will still need to be supplied by the end user. The deal is rather perplexing — it does not seem like you can convert the license since the only eligible versions for downgrading are Ultimate and Business. The company has more details available in a pdf document online." -
Rutkowska Faces 'Blue Pill' Rootkit Challenge
Controll3r writes "Three high-profile security researchers — Thomas Ptacek of Matasano Security, Nate Lawson of Root Labs and Symantec's Peter Ferrie — have issued a challenge to Joanna Rutkowska to prove that her 'Blue Pill' technology can create "100 percent undetectable" malware. The Black Hat 2007 challenge will feature two untouched laptops of the make/model of Rutkowska's choosing for her to plant Blue Pill on one. From the article: 'She picks one in secret, installs her kit, sets them up however she wants,' Lawson explained in an interview. 'We get to install our software on both and run it, [and] we point out which machine [Blue Pill] is on. If we're wrong, she keeps the laptop.' No word on whether Rutkowska will accept the challenge." -
OpenSuSE to Release Linux Distro for Educators
christian.einfeldt writes "The next version of openSUSE, due out in the fall, will include an add-on CD optimized for educators. According to the Education section of the openSUSE wiki, the openSUSE community sees the add-on as a way to make it easy for school administrators to create both networked systems and stand-alone desktops for teachers and students. To tailor the add-on CD to the needs of educators, the openSUSE community is asking educators and technologists to submit their software successes, applications used, and 'HOW-TOs' for writing applications and using applications. Dubbed the SLEDucator, the package collection is being included as an add-on, as opposed to a new distro or a fork." -
Judge Orders TorrentSpy to Turn Over RAM
virgil_disgr4ce writes "In an impressive example of the gap of understanding between legal officials and technology, U.S. Magistrate Judge Jacqueline Chooljian 'found that a computer server's RAM, or random-access memory, is a tangible document that can be stored and must be turned over in a lawsuit.' ZDNet, among others, reports on the ruling and its potential for invasion of privacy." -
Intuit Finally Offers Some Support For Linux
walterbyrd sends us to the ZDNet blog, where Dan Farber & Larry Dignan write: "Intuit said Wednesday it will allow QuickBooks Enterprise Solutions to operate on Linux servers. For Intuit, the move is a bit of a milestone — QuickBooks is the first of its products [to] work on open source software." -
Google Privacy Quickies
Several notes about Google and privacy. First, Lucas123 informs us that Google's global privacy counsel blogged about an improvement in Google's data-retention policies: the company plans to anonymize data it stores about users after 18 months — a slight improvement on the "18 to 24 months" of the previous policy. This move may have come as a response to pressure from European regulators. Next, Spamicles sends in word that an EFF attorney has been photographed by Google's Street View. The funny thing is, this isn't the first time it's happened. Finally, word from reader tamar that if you choose to share a video from Google Video to another social network like MySpace, your username and password get sent over http in plaintext, rather than the more secure https. -
ISPs Starting To Charge for 'Guaranteed' Email Delivery
Presto Vivace writes "Under the guise of fighting spam, five of the largest Internet service providers in the U.S. plan to start charging businesses for guaranteed delivery of their e-mails. In other words, with regular service we may or may not deliver your email. If you want it delivered, you will have to pay deluxe. 'According to Goodmail, seven U.S. ISPs now use CertifiedEmail, accounting for 60 percent of the U.S. population. Goodmail--which takes up to 50 percent of the revenue generated by the plan--will for now approve only mail sent by companies and organizations that have been operational for a year or more. Ordinary users can still apply to be white-listed by individual ISPs, which effectively provides the same trusted status.'" -
Jeremy Allison On Why DRM Will Never Work
eldavojohn writes "At the ZDNet site, Jeremy Allison (a well-known employee of the Google corporation) goes on a hilarious rant against Digital Rights Management. He compares the access restriction technology with underwear gnomes & Star Trek while ending with: 'Believing in a DRM business model is like joining Star Fleet security, putting on your red shirt, and volunteering to beam down to the new unexplored planet with Kirk, Spock and McCoy. Someone will be coming back from that mission, it's just not likely to be the security guard. Always a true engineer, Scotty had the good sense to stay safely on board the ship.'" -
Using AI To Train Firefighters
Roland Piquepaille writes "Computer scientists at the University of Southern California (USC) have developed DEFACTO, a training program which uses artificial intelligence (AI) to help firefighters practice simulated emergency situations. The system is currently used by the Los Angeles Fire Department. DEFACTO has committees of AI 'agents' which can create disaster scenarios with images and maps seen in 3-D by the trainees. The software agents also evaluate the trainees' answers and help them to take better decisions. As one LAFD captain said, 'You can see if you're heading toward a mistake much more quickly.' Read more for additional details about this AI project and a photo of a LAFD Fire Captain using the system." -
Zero Day Hole In Google Desktop
40by40 writes "A Web application security specialist has figured out a way to launch man-in-the-middle attacks against a computer with a fully patched Google Desktop installed. With knowledge of the Google Desktop security model (a combination of one-time tokens, iFrames and JavaScript), hacker Robert Hansen figured out a way to sit between a target launching a Google search query and manipulate the search results to take control of other programs on the desktop. From the article: '"This should drive home the point that deep integration between the desktop and the web is not a good idea, without tremendous thought put into the security model. As Google's site is unencrypted, and they place their content that can run executables on their site, it can be subverted by an attacker," Hansen warns. Hansen's advisory comes just days after Chris Soghoian's exposé of a similar man-in-the-middle attack scenario against a remote vulnerability in the upgrade mechanism used by a number of commercial Firefox extensions.'" -
Google Buys Anti-Malware Security Startup
J Tomas writes "Google has quietly made its first anti-malware acquisition, snapping up GreenBorder Technologies, a venture-backed company that sells browser virtualization security software. GreenBorder's software creates a DMZ (demilitarized zone) between the Windows desktop and programs downloaded from Web pages or opened from e-mail messages in Microsoft Outlook. The early speculation is that Google will add the sandbox technology to the Google Toolbar or release a rebranded version as a standalone download." -
AT&T To Offer TV Over Phone Lines
ppadala writes "AT&T is upgrading their phone lines to offer video programmes over phone line. The service, called U-verse TV will be available in parts of Southern California communities initially. Channel lineups will be similar to traditional cable and dish offerings. AT&T is insisting that, 'This offering is on par with those of its cable rivals. But AT&T claims that it offers customers more for their money, including fast channel changing, video-on-demand, three set-top boxes, a digital video recorder, a picture-in-picture feature that allows viewers to surf channels without switching channels and an interactive program guide.'" -
Is Linux Out of Touch With the Average User?
MrSmith writes "Is Linux's less than impressive market share an indication that the movement is out of touch with the average computer user? ZDNet examines five reasons that could explain why people are still willing to pay for (or pirate) an operating system when free alternatives exist. One of the reasons seems to be that despite what many Linux advocates claim, Windows users aren't on the whole dissatisfied with their OS: 'Despite what you read on websites and blogs, newspapers and magazines, people on the whole aren't all that dissatisfied with Windows. There are millions of users out there who just get on and use their PCs without any real difficulty.'" -
MS Wants To Identify All Web Surfers
Moochman writes "New Scientist reports on a technology Microsoft is developing to identify users based on their browsing habits. Quote: 'The software could get its raw information from a number of sources, including a new type of 'cookie' program that records the pages visited. Alternatively, it could use your PC's own cache of web pages, or proxy servers could maintain records of sites visited. So far it can only guess gender and age with any accuracy,' but the aim is to be able to identify name, occupation and location as well. On a related note, The Inquirer reports on Microsoft's plans to widen the use of its identity-verification technology CardSpace, which is built into Windows Vista and available as an add-on to XP. It's being envisioned as an identity solution for the entire internet: says Kim Cameron, pioneer of the technology, 'We feel it has to solve all use cases.' (Aha, so the anonymous use cases, too, eh?) One might ask, with all of this user-ID information on hand, how long will it be until the Feds come knocking on Microsoft's door asking for help? They already have." -
June Will Be Month of Search Engine Bugs
De Garmo writes "A Ukrainian hacker known as "MustLive" has announced plans for a Month of Search Engine Bugs project in June 2007. The plan is to shake out cross-site scripting bugs in the most popular search engines (think Google, Yahoo, MSN, Ask.com) and publish details on these flaws. From the article: "[The] purpose of this Month of Bugs is a demonstration of real state with security in search engines, which are the most popular sites in Internet. To let users of search engines and web community as a whole to understand all risks, which search engines bring to them. And also to draw attention of search engines' owners to security issues of their sites."" -
BitTorrent Pirate Loses His Last Appeal
Vix666 writes with a link to a ZDNet article on the final chapter of a story we've discussed before: the first user convicted of piracy for using BitTorrent to download a movie has really, finally, lost his case. Chan Nai-ming was sentenced in November of 2005, lost an appeal in December of last year, and appears to have once again failed to convince a judge to let him out. "The Hong Kong government welcomed the judgment, saying it clarified the law regarding Internet piracy. 'This judgment has confirmed that it commits a crime and violates copyright laws for the act of using (BitTorrent) software to upload and distribute,' said customs official Tam Yiu-keung in a written statement. He added the judgment would have a deterrent effect, a view endorsed by industry watchdogs such as the Hong Kong branch of the International Federation of the Phonographic Industry." -
$16,000 Bounty for Sendmail, Apache Zero-Day Flaws
Famestay writes "Verisign's iDefense is putting up a $16,000 prize for any hacker who can find a remotely exploitable vulnerability in six critical Internet infrastructure applications. The bounty is for a zero-day code execution hole on the following Internet infrastructure technologies: Apache httpd, Berkeley Internet Name Domain (BIND) daemon, Sendmail SMTP daemon, OpenSSH sshd, Microsoft Internet Information (IIS) Server and Microsoft Exchange Server. 'Immunity founder Dave Aitel, who also purchases flaws and exploits for use in the CANVAS pen testing tool, says it's doubtful iDefense will get any submissions from hackers. "It's very hard to exploit [those listed applications]," Aitel said. "IIS 6 hasn't had a public remotely exploitable bug in it. Ever." Several other hackers I spoke to had very much the same message, arguing that $16,000 can never equate to the amount of work/expertise required to find and exploit a hole in the six targeted technologies.'" -
A Robotic Cable Inspection System
Roland Piquepaille writes "In a short article, Popular Science reports that researchers at the University of Washington have built a robotic cable inspection system. This system should help utility companies to maintain their networks of subterranean cables. The robot, dubbed Cruiser, is about 4-feet-long and is designed like a snake. When it detects an anomaly on an underground cable, it sends a message to a human operator via Wi-Fi. The first field tests took place in New Orleans in December 2006. But a commercial version should not be available before 2012." -
iPod/iPhone Nano With Touch Panel?
Staska writes "A new Apple patent filing shows new directions for Apple's touch interface design. For smaller devices like iPod Nano, touchscreen interface may not be feasible — the screen is just too small for touch operation. According to the patent, Apple can still make full screen iPods and put a touch panel on the backside of the device with transparent controls on the front screen. In addition to iPod, patent filing also describes controls for the phone. ZDNet even thinks that this patent can hint about future touch interfaces for all Apple products." -
Microsoft Patches 19 Flaws, 6 in Vista
Cheesy Balogna writes "Microsoft has just released seven advisories — all rated critical — with patches for at least 19 vulnerabilities affecting the Windows operating system, the widely deployed Office productivity suite and the dominant Internet Explorer browser. Six of the 19 vulnerabilities affect Windows Vista. 'There are patches for 7 different vulnerabilities that could lead to code execution attacks against Word, Excel and Office. Users of Microsoft Exchange are also urged to pay attention to one of the critical bulletins, which cover 4 different flaws. A cumulative IE update addresses six potentially dangerous bugs. There are the six that apply to IE 7 on Windows Vista. The last bulletin in this month's batch applies to CAPICOM (Cryptographic API Component Object Model) and could also put users at risk of complete system hijack attacks.'" -
Vista Eating Battery Life
LWATCDR writes "It looks like more issues with Vista drains notebook batteries. Using the Aero interface really eats into your notebook's battery life. Of course one of the new 'features' of Vista is supposed to be better power management. This provides a great opportunity for a showdown. How long until someone loads Vista on a MacBook and compares run time? It would provide a flat playing field now that Apple makes Intel-powered notebooks." -
Microsoft Common Language Runtime To Be Cross-Platform
axlrosen alerts us to a Microsoft sleeper announcement from Mix07: a version of its Common Language Runtime will be available cross-platform. The Core CLR shows up as part of the Silverlight SDK that Redmond is open sourcing. From the blog posting: "The biggest Mix '07 announcement made on opening day of this week's show was one that Microsoft didn't call out in any of its own press releases: Microsoft is making a version of its Common Language Runtime available cross-platform. The CLR is the heart of Microsoft's .Net Framework programming model. So, by association, the .Net Framework isn't just for Windows any more." -
OLPC to Run Windows, Come to the US
An anonymous reader writes "'Yesterday Nicholas Negroponte, former director of the Massachusetts Institute of Technology Media Lab and current head of the nonprofit One Laptop Per Child project, gave analysts and journalists an update on the OLPC project. Two big changes were announced — the $100 OLPC is now the $175 OLPC, and it will be able to run Windows. Even in a market where there are alternatives to using Windows and Office, there's a huge demand for Microsoft software. The OLPC was seen as a way for open source Linux distributions to achieve massive exposure in developing countries, but now Negroponte says that the OLPC machine will be able to run Windows as well as Linux. Details are sketchy but Negroponte did confirm that the XO's developers have been working with Microsoft to get the OLPC up to spec for Windows.' We also find out that the OLPC gets a price hike and will officially come to the US. Could this be tied into Microsoft's new $3 Windows XP Starter and Office 2007 bundle? Now that the OLPC and Intel's Classmate PC can both run Windows, is Linux in the developing world in trouble?" -
MS Mulling Changes to Thwart .ANI-type Attacks
Scada Moosh writes "ZDNet has a story about the lessons Microsoft learned from the recent animated cursor (.ani) attacks and some of the broad changes being made to flag this type of vulnerability ahead of time. The changes include a possible addition to the list of banned API function calls, more aggressive checks for buffer overruns and enhancements to existing fuzz testing tools. '[Michael] Howard said Microsoft will "rethink the heuristics" used by the /GS compiler to flag certain issues. "Changing the compiler is a long-term task. In the short-term, we have a new compiler pragma that forces the compiler to be much more aggressive, and we will start using this pragma on new code," he added. Two other Windows Vista security mechanisms -- ASLR and SafeSEH -- were also in place to catch code failures but, in the case of the .ani bug, Howard said the attackers were able to wrap vulnerable code in an exception handler to find ways around those mitigations.'" -
Russinovich Says, Expect Vista Malware
Hypertwist writes "Despite all the anti-malware roadblocks built into Windows Vista, Microsoft technical fellow Mark Russinovich is lowering the security expectations, warning that viruses, password-stealing Trojans, and rootkits will continue to thrive as malware authors adapt to the new operating system. Even in a standard user world, he stressed that malware can still read all the user's data; can still hide with user-mode rootkits; and can still control which applications (anti-virus scanners) the user can access. From the article: '"We'll see malware developing its own elevation techniques," Russinovich said. He demonstrated a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file.'" -
Amazon Sues Alexaholic
theodp writes "ZDNet reports that as Jeff Bezos tap-danced out of a cringe moment at Web 2.0 Expo prompted by Tim O'Reilly's questioning of why Amazon couldn't get along with Alexaholic (now Statsaholic), Amazon had already filed a lawsuit to legally spank the tiny company into oblivion." -
Second Life To Open Source Server Code
mrspin writes "Having already taken the timid steps of open-sourcing the code for its client software, Linden Lab has confirmed that they'll be going the whole way, and will soon be opening up the server code for Second Life. This furthers Second Life's ambitions to be a fully distributed 3D network — built on interoperability and not owned by one company — a bit like the Internet itself. ZDNet's The Social Web asks: 'who will be the first to offer Second Life hosting or use the server code for their own internal purposes? IBM would be an obvious candidate, perhaps offering corporate Second Life services. And for the rest of us? GoogleLife, free virtual land — ad supported of course. It's certainly a possibility.'" -
MS Giving Exploit Writers Clues To Flaws
In the IT trench writes "How's this for a new twist on the old responsible disclosure debate? Hackers are using clues from Microsoft's pre-patch security advisories to create and publish proof-of-concept exploits. The latest zero-day flaw in the Windows DNS Server RPC interface implementation is a perfect example of the tug-o-war within the Microsoft Security Response Center about how much information should be included in the pre-patch advisory." -
The Virtual Teacher
Roland Piquepaille writes "Researchers from Illinois and Florida are developing a networking system which will create virtual representations of real people to improve our knowledge. They will use artificial intelligence and natural language processing software to enable us to interact with these avatars. The goal of the project, sponsored by the National Science Foundation (NSF), is to give us the possibility to interact with these virtual representations as if they were the actual person, complete with the ability to understand and answer questions. We should see the results at the beginning of 2008 — if the researchers succeed." -
.ANI Vulnerability Patch Breaks Applications
Jud writes "Microsoft's fix for the .ANI vulnerability was part of Patch Tuesday yesterday. However, all is not well with the update. Reportedly, installing the patch will break applications such as Realtek HD Audio Control Panel and CD-Tag, which mentions they are affected by the problem on their main page. A hotfix is currently available from Microsoft; however, their current position is that this is an isolated problem and the fix is not planned to be pushed out through Microsoft Update." -
Google In Bidding To Buy DoubleClick
A number of readers clued us to the latest development in the saga of the sale of DoubleClick: Google has thrown its hat into the ring against Microsoft and (reportedly) Yahoo and AOL. Most of the stories quote a Wall Street Journal piece that is only available to subscribers. Google's entry into the bidding may boost the price for the remaining pieces of DoubleClick (parts of the company having already been sold off) to $2 billion, twice what its current owners paid for the whole thing. Some reports speculate that this figure could give Microsoft pause. -
How Apple Orchestrated Attack On Researchers
An anonymous reader sends us to George Ou's blog on ZDNet for a tale of how Apple's PR director reportedly orchestrated a smear campaign against security researchers David Maynor and Jon Ellch last summer. Ou has been sitting on this story ever since and is only now at liberty to tell it. He posits that the Month of Apple Bugs was a direct result of Apple's bad behavior in the Maynor-Ellch affair. From the blog: "Apple continued to claim that there were no vulnerabilities in Mac OS X but came a month later and patched their Wireless Drivers (presumably for vulnerabilities that didn't actually exist). Apple patched these 'non-existent vulnerabilities' but then refused to give any credit to David Maynor and Jon Ellch. Since Apple was going to take research, not give proper attribution, and smear security researchers, the security research community responded to Apple's behavior with the MoAB (Month of Apple Bugs) and released a flood of zero-day exploits without giving Apple any notification. The end result is that Apple was forced to patch 62 vulnerabilities in just the first three months of 2007 including last week's megapatch of 45 vulnerabilities." -
Do You Allow Webmail Use on Your Network?
rtobyr asks: "I don't allow users at my organization to use any third party e-mail. When users complain, I point out that we can't control the security policies of outside systems. End users tend to think that big business will of course have good security; so I ran a test of the 'Big Four': Hotmail, Yahoo Mail, AOL/AIM Mail, and GMail. Yahoo Mail was the only webmail provider to allow delivery of a VBS script. GMail was the only provider to block a zipped VBS script. End users also tend to think that a big business would never pull security features out from under their customers. Of course, we know that AOL and Microsoft have both compromised the security of their customers. I don't know of any security-related bad press for Yahoo or Google. Three of my Big Four either allow VBS attachments or have poor security track records. So, if you are a network administrator, do you limit your users' ability to use third party e-mail, and if so, do you allow for GMail or other providers that you've deemed to have secure systems and reputations?" -
Microsoft Takes a 'Patch Tuesday' Break
Phill0 submitted a ZD story about Microsoft's week off which says "Microsoft has no new security updates planned for Tuesday, despite at least five zero-day vulnerabilities that are waiting to be fixed. The patch break could be a welcome respite for IT managers still busy testing the dozen fixes Microsoft released last month. Also, many IT pros may be occupied with the switch to daylight saving time, which, at the behest of Congress, is happening three weeks earlier this year."