Slashdot

theodp writes "Over at CNET, James Urquhart sings the praises of cloud computing, encouraging folks to 'really listen to what is being said, understand how the cloud is being used, and seriously evaluate how this disruptive model will change your projects, your organization, and even your career.' Fair enough. Over at the Google Docs Help Forum, some perplexed cloud computing users spent the month of November unsuccessfully trying to figure out why they've been zinged for inappropriate content. Among the items deemed inappropriate and unshareable include notes on Henry David Thoreau ('the published version of this item cannot be shared until a Google review finds that the content is appropriate'), homework assignments, high school yearbook plans, wishlists, documents containing botanical names for plants, a list of websites for an ecommerce class, and a list of companies that rent motorcycles in Canada. When it comes to support in the cloud, it kind of looks like you might get what you pay for."

Trailrunner7 writes "A researcher has published an explanation of a new flaw in FreeBSD that allows a remote attacker to take control of a vulnerable machine. The vulnerability could give an attacker root access to the FreeBSD machine, and the FreeBSD developers have published a patch for the flaw early Tuesday. The vulnerability lies in run-time link-editor and, if exploited, gives an attacker the ability to run arbitrary code. The researcher, Kingcope, has posted an explanation of the flaw on the Full Disclosure mailing list. In a message to FreeBSD users, Colin Percival, the project's security officer, said that because of the severity of the flaw and the fact that exploit code already is available, he felt it was necessary to post the patch as soon as possible, without even publishing a security advisory."

Lucas123 writes "Researchers at Harvard Medical School pored over survey data from more than 4,000 'wired' hospitals and determined that computerization of those facilities not only didn't save them a dime, but the technology didn't improve administrative efficiency either. The study also showed most of the IT systems were aimed at improving efficiency for hospital management — not doctors, nurses, and medical technicians. 'For 45 years or so, people have been claiming computers are going to save vast amounts of money and that the payoff was just around the corner. So the first thing we need to do is stop claiming things there's no evidence for. It's based on vaporware and [hasn't been] shown to exist or shown to be true,' said Dr. David Himmelstein, the study's lead author."

buchner.johannes writes "I was fed up with the general consensus that Linux is oh-so-secure and has no malware. After a week of work, I finished a package of malware for Unix/Linux. Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects. The malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads. I tested it to be injected by a PHP script (even circumventing safe mode), so that the Web server runs it; I even got a proxy server that injects it into shell scripts and makefiles in tarballs on the fly, and adds onto Windows executables for execution in Wine. If executed by the user, the malware can persist itself in cron, bashrc and other files. The aim of the exercise was to provide a payload so security people can 'pwn' systems to show security holes, without doing harm (such as deleting files or disrupting normal operation). But now I am unsure of whether it is ethically OK to release this toolkit, which, by ripping out the BOINC payload and putting in something really evil, could be turned into proper Linux malware. On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed. On the other hand, such a script can be written by anyone else too, and it would be useful to show people why you need SELinux on a server, and why verifying the source of downloads (checksums through trusted channels) is necessary. Technically, it is a nice piece, but should I release it? I don't want to turn the Linux desktop into Windows, hence I'm slightly leaning towards not releasing it. What does your ethics say about releasing such grayware?"

jtavares2 writes "In what is being dubbed Throttlegate, scores of users on many message boards have been complaining about nexplicably aggressive throttling policies on their Dell Latitude E6500 and E6400 laptops which cause their CPUs to be throttled to less than 5% of their theoretical maximums even while at room temperatures. In many cases, the issue can be triggered just by playing a video or performing some other trivial, but CPU intensive, task. After being banned [PDF] from the Dell Forums for revealing 'non-public information,' one user went so far as to write and publish a 59-page report [PDF] explaining and diagnosing the throttling problem in incredible detail. Dell seems to be silent on the issue, but many users are hoping for a formal recall."

theodp writes "Fortune's Dear Annie takes on the case of poor Dazed and Confused, an independent webmaster who's expected to be on call for his client at all hours of the day and night, but doesn't get paid for being on call, only for the 40 hours a week that he's in the office. Surprisingly, Annie throws cold water on the contractor's dreams of paid OT, citing these pearls of wisdom from an attorney who's apparently never had the 'privilege' of being a techie on call: 'Many companies see the on-call issue as analogous to a fire fighter's job. Most of the time, a fire fighter is off-duty but on call, hanging around the firehouse, cooking, sleeping, or whatever. What that person really gets paid for is the relatively small, but crucial, amount of time he spends walking into a burning building with an ax. A webmaster, likewise, has slow times and busy times.'" What on call policies are you used to working with and how should it work in an ideal world?

Unexpof writes "A man has been arrested by the British Police Central e-Crime Unit (PCeU), accused of stealing the usernames and passwords from players of the RuneScape MMORPG. Security experts report that this is one of the first occasions when a Brit has been apprehended for 'virtual robbery,' although incidents have happened in the past. For instance, the CEO of the sci-fi trading game EVE Online stole 200 billion 'kredits,' which he then used as a deposit on a real-world house, and in October last year a Japanese woman was arrested by police after allegedly hacking her virtual husband 'to death.'"

truesaer writes "I'll be spending all of next year backpacking through South America. In the past I've used Internet cafes while away, but this time I plan to bring a netbook and rely primarily on Wi-Fi hotspots. I'll be facing the same issues and risks that business travelers in hotels and airports face, as well as those encountered by millions of other backpackers, gap-year travelers, and students. Since my trip is so long I'll have no choice but to access my banking, credit card, and investment accounts on public networks. I will not have a system at home to connect through. Other than an effective firewall, a patched system, and the use of SSL, what else should I do to protect my information? Keep in mind that many places have very poor bandwidth and latency."

An anonymous reader writes "The phrase 'IT' is so overused, I'm not sure what it means any more. OK, maybe it's an ego thing, but I spent a lot of years in grad school, lots of years getting good at creating software, and lots of years getting good at creating technical products and I don't want the same label as the intern who fixes windoze. I'm looking at a tech management job at a content company that is trying to become a software company, and they refer to everything about software development, data center operations, and desktop support as 'IT.' I'd like to tell the CEO before I take the job that we have to stop referring to all these people as 'IT people' or I'm not going to be able to attract and retain the top-tier talent that is required. Am I just being petty? Should I just forget it? Change it slowly over time? These folks are really developing products, but we don't normally call software creators 'product developers.' Just call them the 'Tech Department' or the 'Engineering Deptartment?'"

1sockchuck writes "The data center of the future may have no central UPS units, and be filled with servers with on-board batteries. Facebook says it will adopt a new power distribution design that shifts the UPS and battery backup functions from the data center into the cabinet by adding a 12-volt battery to each server power supply, an approach pioneered by Google. Facebook says the move will slash its power bill and save millions in capital expenses on UPS systems and PDUs. Facebook acknowledged that these types of custom designs are limited to large companies, but called on server vendors and data center builders to adapt their offerings to make them available to smaller companies."

A post by Cyberveillance a couple of weeks back revealed a complex black-hat operation involving Google searches leading to hundreds of thousands of bogus blogs, exploiting the "long tail" of search results and isolated from Google's auto-detection of malware sites by a shifting network of redirectors. The fake blog posts are innocuous when visited directly, but make aggressive attempts to install a fake Windows anti-virus tool (which is actually a Trojan horse) if clicked through from Google. Other search engines do not index the bogus sites. The Unmask Parasites site has a detailed two-part analysis of the badware operation, which puts some numbers on its scope: almost 688,000 bogus scareware blogs can be located in Google; some of them have upwards of 1000 posts. This analysis also reveals that a large majority of the sites hacked to host fake blogs are on the network of Servage.net. From the second Unmask Parasites link: "What we have here is millions of rogue web pages targeting the long tail of web search (millions of keywords) where each page tries to install fake (and malicious) "anti-virus" software on visitors' computers. While this black-hat campaign is active for at least 6 months, webmasters of the compromised sites and their hosting providers don't simply notice this illicit activity. The good news is Google seems to have noticed this problem. Probably thanks to the Cyveillance blog post. During the week after that post I see a steady decrease in search results returned by the queries that you can find in this post."

nk497 writes "F-Secure researchers are calling attention to the fact that it's impossible to run third-party anti-virus on iPhones, because the SDK doesn't allow for it. It's a problem, as they claim malware will start to target the phone. 'None of the existing anti-virus vendors can make one, without help from Apple,' chief research officer Mikko Hypponen said. 'Apple hasn't been too interested in developing antivirus solutions for the iPhone, because there are no viruses, which of course, isn't exactly true.' At the moment, the only worms faced by the iPhone have targeted unlocked, jailbroken devices — so Apple's not too bothered protecting users of such phones." While Apple claims that the iPhone's closed nature offers protection to its users, and security vendors maneuver for a piece of a market now closed to them, clearly both sides are pushing their own self-interest.

An anonymous reader writes "The FreeBSD Release Engineering Team is pleased to announce the availability of FreeBSD 8 stable release. Some of the highlights: Xen DomU support, network stack virtualization, stack-smashing protection, TTY layer rewrite, much improved ZFS v13, a new USB stack, multicast updates including IGMPv3, vimage — a new virtualization container, Fedora 10 Linux binary compatibility to run Linux software such as Flash 10 and others, trusted BSD MAC (Mandatory Access Control), and rewritten NFS client/server introducing NFSv4. Inclusion of improved device mmap() extensions will allow the technical implementation of a 64-bit Nvidia display driver for the x86-64 platform. The GNOME desktop environment has been upgraded to 2.26.3, KDE to 4.3.1, and Firefox to 3.5.5. There is also an in-depth look at the new features and major architectural changes in FreeBSD 8.0, including a screenshot tour, upgrade instructions are posted here. You can grab the latest version from FreeBSD from the mirrors (main ftp server) or via BitTorrent. Please consider making a donation and help us to spread the word by tweeting and blogging about the drive and release."

Eugen tips news that Microsoft has sent DMCA takedown notices to several websites to stop them from offering the Computer Online Forensic Evidence Extractor (COFEE) tool for download after it was leaked earlier this month. One of the sites, Cryptome.org, has posted their correspondence with Microsoft over the software. "... Microsoft contacted Network Solutions, which hosts Cryptome, and since John Young, the owner of the website, wasn't too keen on losing his whole website for the sake of a single 15MB file, he removed the download link and sent Network Solutions a notice of compliance."

derrida writes "After over a year of intensive development and refactoring, Inkscape 0.47 is out. This version of the SVG-based vector graphics editor brings improved performance and tons of new features, including: timed autosave, Spiro splines, auto-smooth nodes, Eraser tool, new modes in Tweak tool, snapping options toolbar & greater snapping abilities, new live path effects (including Envelope), over 200 preset SVG filters, new Cairo-based PS and EPS export, spell checker, many new extensions, optimized SVG code options, and much more. Additionally, it would be wrong to not mention the hundreds of bug fixes. Check out the full release notes for more information about what has changed, enjoy the screenshots, or just jump right to downloading your package for Windows, Linux, or Mac OS X." We've been following the progress of Inkscape for years (2006, 2005, 2004).

After this weekend's report of a dangerous flaw in IE (which Microsoft confirmed today), intrudere points out an exclusive report in The Register on a new hole in IE8 that could allow an attacker to pull off cross-site scripting attacks on Web sites that ought, by rights, to be safe from XSS. This is according to two anonymous sources, who told El Reg that Microsoft had been notified of the vulnerability a few months ago.

tsu doh nimh writes "Alan Ralsky, the 64-year-old dubbed the 'Godfather of Spam,' was sentenced to 51 months in prison on Monday, the Washington Post's Security Fix blog reports. According to anti-spam group Spamhaus.org, Ralsky has been spamming since at least 1997, using dozens of aliases and tens of thousands of 'zombies' or hacked PCs to relay junk e-mail. Also sentenced — to 40 months in jail — was Ralsky's 48-year-old son-in-law, Scott K. Bradley, and two other men named last year in a 41-count indictment for wire fraud, mail fraud, money laundering and violations of the CAN-SPAM Act." And eldavojohn writes "19-year-old Dmitriy Guzner, Anonymous member and Scientology DDoS attacker, received one year and one day in jail for his admitted crime. His sentence could have been a maximum ten years. According to the Church of Scientology, Anonymous has harassed and attacked them with '8,139 threatening phone calls, 3.6 million e-mails, 141 million hits on its website, ten acts of vandalism against its property, 22 bomb threats, and eight death threats against Church leaders.'"

1sockchuck writes "Virginia's new state IT system is experiencing downtime in key services because of a mind-boggling oversight: the state apparently neglected to require network backup in a 10-year, $2.3 billion outsourcing deal with Northrop Grumman. The issue is causing serious downtime for state services. This fall the Virginia DMV has suffered 12 system outages spanning a total of more than 100 hours, and downtime hampered the state transportation department when a state of emergency was declared during the Nov. 11 Northeaster."

An anonymous reader writes to tell us that finding malicious code might have just become a little harder. Last week at the ACM Conference on Computer and Communications Security, security researchers Joshua Mason, Sam Small, Fabian Monrose, and Greg MacManus presented a method they developed to generate English shell code [PDF]. Using content from Wikipedia and other public works to train their engine, they convert arbitrary x86 shell code into sentences that read like spam, but are natively executable. "In this paper we revisit the assumption that shell code need be fundamentally different in structure than non-executable data. Specifically, we elucidate how one can use natural language generation techniques to produce shell code that is superficially similar to English prose. We argue that this new development poses significant challenges for in-line payload-based inspection (and emulation) as a defensive measure, and also highlights the need for designing more efficient techniques for preventing shell code injection attacks altogether."

Pickens writes "The NY Times reports that a program to detect plutonium or uranium in shipping containers has stalled because the United States has run out of helium 3, a crucial raw material needed to build the 1,300 to 1,400 machines to be deployed in ports around the world to thwart terrorists who might try to deliver a nuclear bomb to a big city by stashing it in one of the millions of containers that enter the United States every year. Helium 3 is an unusual form of the element that is formed when tritium, an ingredient of hydrogen bombs, decays — but the government mostly stopped making tritium in 1989 after accumulating a substantial stockpile of Helium 3 as a byproduct of maintaining nuclear weapons. 'I have not heard any explanation of why this was not entirely foreseeable,' says Representative Brad Miller, chairman of a House subcommittee that is investigating the problem. Helium 3 is not hazardous or even chemically reactive, and it is not the only material that can be used for neutron detection. The Homeland Security Department has older equipment that can look for radioactivity, but it does not differentiate well between bomb fuel and innocuous materials that naturally emit radiation like cat litter, ceramic tiles and bananas — and sounds false alarms more often. In a letter to President Obama, Miller called the shortage 'a national crisis' and said the price had jumped to $2,000 a liter from $100 in the last few years. With continuing concern that Al Qaida or other terrorists will try to smuggle a nuclear weapon into the United States, Congress has mandated that, by 2012, all containers bound for the US be inspected overseas."