Is news subject to Apple's developers' agreement?
While bitterness continues over the implications of Sections 3.3.1 through 3.3.3 of Apple's recently modified Developers' Agreement (PDF available here, through the Electronic Frontier Foundation), there's lingering suspicion about the indeterminate boundaries pointed to by the long-standing Section 3.3.14, which now applies to iPad content as well as iPhone.
"Applications may be rejected if they contain content or materials of any kind (text, graphics, images, photographs, sounds, etc.) that in Apple's reasonable judgment may be found objectionable, for example, materials that may be considered obscene, pornographic, or defamatory," the section reads.
One very false positive: McAfee in full damage control mode
Many instances of malware on Windows-based systems masquerade themselves as system services -- the various independent processes that respond to requests from both the operating system and applications with functions that users typically need. Network connectivity and printing are among the more common Windows services; and if you've ever perused the processes list of Task Manager (or, better yet, Process Explorer), you'll find these processes are represented by the single .EXE file that hosts them, svchost.exe.
Any anti-virus database looking for a rogue system service will probably have to refer to svchost.exe as the process that launches it, even though that process is clearly part of Windows itself. On Wednesday, McAfee distributed a .DAT file to many of its enterprise customers that may have had a single faulty character. As a result, their anti-virus systems successfully quarantined not the service launched by svchost.exe, but svchost.exe itself.
Security researcher: 'Trivially easy' to buy SSL certificate for domain you don't own
Last week, Betanews reported on the discovery by two university researchers, made at a recent security conference, that security companies often deal with governments that can compel certificate authorities to produce SSL security keys for them. Those keys can then be used to sign certificates as any other Web site, enabling a law enforcement authority -- hypothetically speaking, of course -- to spoof virtually any other site.
Today, Betanews heard from world-renowned security expert Kurt Seifried, author of numerous books on Linux system administration, network security, and cryptography. In the May 2010 issue of Linux Magazine, Seifried reports on his own discovery, which goes one very critical step further: You don't need to be a government, he found, to compel a certificate authority (CA) to issue an SSL certificate for a major Web mail service of your choice. You just need a valid credit card.
Test of China Internet connections reveals heavy filtering
Using a Firefox 3.0 add-on created by developers in Hong Kong, Betanews was able to briefly establish a connection with the Internet via a proxy based in mainland China. With that proxy, we were able to confirm that searches performed using Google's Hong Kong-based page were effectively blocked.
Firefox 3.0 reported the blockage with this message: "The connection to the server was reset while the page was loading" -- a message from the browser, not from an ISP. We used version 3.0.16 of Firefox (an older edition) because it is the only version compatible with China Channel, a tool made for the express purpose of testing China's filtering ability. It has not been upgraded for version 3.6.
It's not dead yet: Microsoft's out-of-band IE6 fix impacts IE8
Last month, Microsoft sent flowers to a mock funeral for Internet Explorer 6, in a show of support for the ideal that the old browser should be declared defunct worldwide. But for a few years yet, the company is still bound to support the product for those users (generally businesses) who refuse to upgrade it. That's why new exploits that continue to target old browsers, such as IE6 and IE7, continue to get attention even a full year after the proper security fix -- IE8 -- has been deployed.
One of the libraries that, among other functions, helps IE to print is the target of an exploit released to the wild earlier this month. The exploit creatively overloads the system with JavaScript variables, then places function calls to IEPEERS.DLL. Once the library is effectively crashed, its used memory isn't cleaned up, enabling binary code seeded into that memory to be executed -- a classic use-after-free scenario.
With three months to go to DNSSEC, someone's fudging root zone records
One of the extraordinary truths about the Internet as a mechanism is that the databases that enable every IP address to be resolved, are maintained and published by a very small number of organizations acting as a cooperative. The health of the entire network depends on these groups' vigilance. One of these groups is Autonomica AB, a division of the Swedish ISP Netnod. It operates the "I" root server, which in recent weeks has been the apparent victim of a kind of spoofing attack that's been harmless thus far, but could conceivably demonstrate the capability of one rogue element to pollute the entire Internet.
Thanks to the current state of affairs, some are now suspecting a China-based culprit. But as we all know with the Internet, just because a malicious server resides in one country doesn't mean its malicious operator works there as well.
GAO: More security training leads to less compliance, including Los Alamos, NASA
A US Government Accounting Office report released yesterday (PDF available here) reveals an astonishing and counter-intuitive trend: Government agencies' compliance with directives intended to improve information security has declined in inverse proportion to the amount of training they receive.
In a report to the House Government Management Subcommittee yesterday, the GAO cited increased awareness of the provisions of the Federal Information Security Management Act (FISMA), due to increased awareness training among the 24 federal agencies tested: 91% of employees in those agencies received testing in fiscal 2009, up 3% from the previous year. But specifically in light of increased exposure to the Gumblar Trojan and the Conficker worm, at least 17 of those agencies were reported to have enacted deficient responses to these increasing threats, including essentially assigning the entire job of security to just one person -- against FISMA's mandate.
Has SSL become pointless? Researchers suspect state-sponsored CA forgery
The most powerful deterrent against the use of man-in-the-middle attacks against SSL/TLS-encrypted connections may be how much easier it may be to simply attack from the endpoint. Certainly "man-in-the-middle" sounds more sophisticated, and as a pair of well-known academic researchers are preparing to report, the phrase has actually become a "starburst" marketing point for the sale of digital surveillance equipment to government agencies.
But perhaps the most serious defect in the SSL system, allege Indiana University graduate student Christopher Soghoian and Mozilla security contributor Sid Stamm, lies in the ability of government agencies (or individuals acting in the name of government agencies) to acquire false intermediate certificates for SSL encrypted trust connections. Those certificates could enable them to, in turn, sign and authenticate Web site SSL certificates that purport to be legitimate collectors of personal information, such as banks.
Google's Hong Kong move leads to censorship, followed closely by opportunism
What, exactly, would one be blocked from seeing now that the "Great Firewall of China," as it's been dubbed, separates citizens of mainland China from Google? This morning, Betanews used a fabulous Firefox 3.0 add-in tool called ChinaChannel, created by independent developers in Hong Kong, to set up a proxy connection using a China IP address, so we could peruse Google as though we were in China itself. Then using an ordinary copy of Opera 10.51 on the other side, we browsed Google.com.hk -- the server to which Google is now redirecting Google.cn requests -- using our regular US-based connection.
We've used this tool in the past, and we had an easier time obtaining a proxy connection with a China-based proxy. At first this morning, we found proxy servers were frequently denying connection requests, although repeated requests often got through after 10 or more tries. However, sometimes our connection only lasted as long as a minute.
Welcome back to the big leagues: Opera denies severity of 10.5 exploit
12:02 pm EST March 9, 2010 · A spokesperson for Opera Software provided Betanews this morning with a summary of a complete blog post on the alleged exploit of Opera 10.5, published moments ago:
"The original report about the Windows-only malformed Content-length header problem is not a security issue, but a variant of the issue, brought to our attention by Secunia, has a theoretical possibility of allowing arbitrary code to run. We have developed a fix for the problem, which is being tested, and are planning to release an update of Opera soon. Until then, if Opera crashes on an untrusted site, you should avoid visiting that site again."
China denies it's in any talks with Google, wonders why
After a Reuters report on Friday cited China's Industry and Information Minister, Li Yizhong, as having told an indeterminate parliamentary body that the government was in talks with Google over its claims of having been hacked in early February by a Chinese malicious source, a vice minister for the same government agency issued a statement through China's Xinhua news agency denying any negotiations have taken place at all.
The denial was covered by Reuters as a request by the ministry for more information, so that China could prosecute Google's complaint. The Xinhua report itself (not a Google English-language translation of the report) states the Ministry of Industry and Information Technology's position that Google never filed a complaint in the first place.
Did a Microsoft VP really suggest an Internet tax for cybersecurity?
In a keynote speech to the RSA security convention in San Francisco on Tuesday, Microsoft Corporate Vice President for Trustworthy Computing Scott Charney, spoke to the issue of whether a global organization on the order of the World Health Organization or the Centers for Disease Control -- a public/private cooperative -- should be established to help secure the Internet and its billions of users worldwide. During that speech, Charney tossed out a number of ideas as to how such an organization could conceivably be funded.
A transcript of Charney's comments verified by Microsoft for Betanews this afternoon indicates that he suggested such an organization could conceivably be charged with the task of empowering government regulators in member countries to impose restrictions on the behaviors of enterprises and Internet users whose policies endanger global Internet users at large.
Federal cybersecurity authority awaits break in Senate logjam
One of President Obama's first priorities upon taking office was a comprehensive review, then considered urgent, of federal policies for maintaining Internet security. The report on that review, released last May, recommended further empowering the role of what was then being called the "cybersecurity czar," including the delegation of authority to lead emergency responses in case of an attack on Internet resources that threatened the national security.
Inactivity in enacting those recommendations was blamed for the resignation of Mr. Obama's first czar, Melissa Hathaway, last August. In December, a former security advisor to Pres. George W. Bush, Howard Schmidt, was confirmed to fill Hathaway's post.
PGP security gets Linux and Win7 support, plus more encryption
After rolling out the first Linux edition of its desktop encryption security software last month -- together with new support for the latest versions of Windows and Mac -- PGP Corp. on Monday announced major server updates that will let PGP be managed alongside myriad other approaches to encryption.
Released on January 19, the new PGP Desktop 10.0 product brings new support for Windows 7, MacOS X 10.6 Snow Leopard, and two flavors of Linux: Ubuntu and Red Hat. The software also works on Windows Vista, XP, and 2000, earlier editions of Mac OS, and Windows Mobile and BlackBerry phones, said Karthik Krishnan, senior director of product management, in a briefing for Betanews.
Technologist accused of spreading Vista, Win7 FUD wasn't a real person
Normally, Betanews doesn't like to do "inside baseball" stories, that deal with the individuals in the technology journalism business and all the insights as to "how the sausage is made." I'll try to make this one as painless as possible, but it needs to be done, because the individual involved had been cited by me in Betanews stories in the past.
Yesterday morning, ZDNet Editor-in-Chief Larry Dignan revealed the results of research showing that a blogger for IDG publications, and the CTO of a testing and research firm cited by that blogger, were actually the same person. Blogger Randall C. Kennedy, a trusted InfoWorld contributor up until yesterday, was Devil Mountain Software Chief Technology Officer "Craig Barth," the author of reports over the years claiming that Windows Vista performance was slower than Windows XP, and recently that Windows 7 performance was slower than Windows Vista.
© 1998-2026 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.