July 2008 Archives

AT&T dropping wireless subscribers who use P2P

This is a less-than-subtle attack on network neutrality. Service providers (including, in this case, wireless network providers) keep confusing providing the network with providing content. Everything that happens at the application layer is, frankly, none of their business. Besides, if they begin attacking P2P users systematically, all they're going to do is force the next generation of software to encrypt its traffic.

From IP Democracy:

AT&T will jettison wireless users that engage in P2P file-sharing over its network, the company said Friday in a letter PDF filed at the FCC (and flagged today by Ted Hearn at Multichannel News). Senior lobbyist Robert Quinn answered a question posed at a hearing last week by Republican FCC Commissioner Robert McDowell about the company's policies of managing P2P network traffic on its broadband wireless platform.
Quinn said that AT&T's terms of service (as well as the TOS for most other carriers) bars the use of P2P applications on the wireless platform. "Use of a P2P file sharing application would constitute a material breach of contract for which the user's service could be terminated," he said. [From IP Democracy]

Metasploit author hacked by Metasploit DNS tools

In an interesting turn of events, the controversial release of the BailiWicked Metasploit modules has led to BreakingPoint research director and Metasploit author HD Moore getting hacked. Was he targeted? Coincidence? Or is it karma?

From NetworkWorld:

HD Moore has been owned. That's hacker talk, meaning that Moore, the creator of the popular Metasploit hacking toolkit, has become the victim of a computer attack.
It happened on Tuesday morning, when Moore's company, BreakingPoint, had some of its Internet traffic redirected to a fake Google page that was being run by a scammer. According to Moore, the hacker was able to do this by launching what's known as a cache poisoning attack on a DNS server on AT&T's network that was serving the Austin, Texas, area. One of BreakingPoint's servers was forwarding DNS traffic to the AT&T server, so when it was compromised, so was HD Moore's company. [From DNS attack writer a victim of his own creation - Network World]

The Metasploit BailiWicked modules for Kaminsky's DNS vulnerabilities have been updated for automatic tuning.

From the Metasploit blog:

The bailiwicked modules (host and domain) were updated today to include the ability to predict the time window between the outgoing request from the target nameserver and the response from the real nameserver(s). This measurement is used to tune the number of spoofed replies sent by the exploit. The result is a big increase in exploit reliability, especially when the target domain has a ton of nameservers (Yahoo has eight) or changes its responsiveness during the test (BIND tends to slow down when it has a full cache). [From BailiWicked Automatic Tuning]

Infobyte has released a tool that targets insecure online updates. This is a case where I'm not sure that an automated testing tool is actually a good thing -- I'm sure that the problem with many of the exploitable applications is the process itself rather than a bit of insecure code that can be patched or disabled. In that situation, I'm not sure how constructive this tool would be for a pentester or analyst.

On the other hand, if it is used widely enough for illicit purposes, it may put enough pressure on vendors to fix flawed processes. I'm sure the repercussions of this tool will be felt for a long time to come.

From the Metasploit blog:

Francisco Amato of Infobyte Security Research just announced ISR-evilgrade v1.0.0, a toolkit for exploiting products which perform online updates in an insecure fashion. This tool works in conjunction with man-in-the-middle techniques (DNS, ARP, DHCP, etc) to exploit a wide variety of applications. The demonstration video uses the CAU/Metasploit DNS exploit in conjunction with the Sun Java update mechanism to execute code on a fully patched Windows machine. For more information, see the README and slide deck. The first release includes exploits for Sun Java, Winzip, Winamp, Mac OS X, OpenOffice, iTunes, Linkedin Toolbar, DAP, Notepad++, and Speedbit. [From Metasploit: Evilgrade Will Destroy Us All]

Just what the world needs, another Storm campaign. This is an example of the mixed threat that modern worms such as Storm and Kraken pose. It uses social engineering -- in this case threatening Facebook users' privacy -- to bring victims to a page that launches both browser-based threats (an iFrame attack) and a trojan horse download.

From the Trusted Source blog:

It's another new Storm campaign on the loose, with a minor change in the social-engineering trick. Mail with subjects like "FBI wants instant access to Facebook" is hitting users' inboxes at the moment. If a user follows the trick, he will be presented with the following web site:

[Screenshot: the fake "FBI vs. Facebook" Storm web page]
As usual the fake web site is hosted on an infected Storm web proxy. The text states that "Your download will start shortly. If you are unable to read the article, save it in and run on your computer". If you follow the lure and click the link you'll end up with an executable named "fbi_facebook.exe". This is the malware - don't run it. Again the malware authors don't just rely on pure social-engineering, the web site also fires a set of browser exploits leveraging known vulnerabilities. [From TrustedSource - Blog - FBI vs. Facebook - Makes Any Sense?]

A University of Michigan study found that 75% of online banking websites suffer from design flaws that open customers to criminals.

From The IT Security Guy:

This should, of course, come as no surprise to anybody in IT security, particularly those specializing in protecting web sites. But a study released by researchers at the University of Michigan says 75% of banking web sites have design flaws that open online customers to cybercriminals, according to Finextra and CNET. [From The IT Security Guy: Banking Web Sites Still Insecure]

You can read the full study here.

Learning to pentest the safe and legal way

Kees Leune has pointed me towards some excellent pentest training resources, a set of live CD's that provide safe and legal targets for learning the tools included in Backtrack.

From Leune's blog:

I've been keeping an eye open for some other challenges, and I found one at The Last HOPE. One of the speakers mentioned that www.de-ice.net hosts some bootable CD images that are used to teach people pentesting skills. The author of the CD's did a nice job and grouped them in different levels of difficulty. The de-ice CD's are designed to be breakable with the tools included on the Backtrack Live CD.
After downloading the images, I was hooked.
Unfortunately there are only three CD's out at the moment, but I am proud to say that I managed to win all three challenges. I also admit that I needed some help getting the last one; I was unfamiliar with one of the tools used and needed a little hint. With that last hint, I was able to solve the third and final challenge. [From De-ice.net pentesting live CD's - Kees Leune]

2008 data breach report released

The Identity Theft Resource Center has released the 2008 Breach List. The 117-page document identifies 377 specific breaches that exposed 17,011,691 identities as of July 22. It's a very specific and interesting look into data breaches so far this year.

About the center:

Identity Theft Resource Center® (ITRC) is a nonprofit, nationally respected organization dedicated exclusively to the understanding and prevention of identity theft. The ITRC provides consumer and victim support as well as public education. The ITRC also advises governmental agencies, legislators, law enforcement, and businesses about the evolving and growing problem of identity theft. [From Identity Theft Resource Center | A Nonprofit Organization]
Here's the full report.

NIST releases security performance measurement guide

NIST has released a new revision of Special Publication 800-55, the "Performance Measurement Guide for Information Security." With all of the blogosphere conversation about security metrics going on right now, I thought this a well-timed publication.

From NIST:

NIST is pleased to announce the release of NIST Special Publication 800-55, Revision 1, Performance Measurement Guide for Information Security. This publication provides assistance in developing, selecting, and implementing security performance measures to be used at the information system and program levels. These measures indicate the effectiveness of security controls applied to information systems and the supporting information security program. [From NIST SP 800-55 Rev 1: Performance Measurement Guide for Information Security | Security4all - Dedicated to digital security, enterprise 2.0 and presentation skills]

Here's a direct link to the document.

Microsoft embraces open source

Today at OSCON, hell froze over.

According to The Register, Microsoft has decided to embrace (some) free/open source software and has joined the Apache software foundation to the tune of $100k a year.

From The Register:

After years of hostility towards Free Software Foundation (FSF) licensing (here and here) Microsoft has announced the first in a series of PHP patches - and it's using an FSF license.
Microsoft told The Reg it's submitted a patch to the community for the ADOdb database abstraction library for PHP to add support for the PHP SQL Driver developed with PHP shop Zend Technologies. The patch is under the FSF's Lesser GPL (LGPL).
And, in a further move towards greater support of open source, Microsoft is becoming a platinum member of the Apache Software Foundation (ASF), paying $100,000 annual membership. The move follows work between the two to support the Office Open XML file formats in Apache's POI project. [From Microsoft pledges love and money to open source | The Register]

This is a smart move on Microsoft's part. There is an enormous amount of innovation going on in the open software communities, and rather than fighting that innovation, Microsoft can now leverage it. This move will make the Windows platform more compatible with open source projects and open a new marketplace for the core operating environments such as Windows Server and SQL Server.

More importantly, though, it makes it much easier for many developers to jump back and forth between platforms, coding in whichever environment makes the most sense for a project.

One has to wonder if this is Ray Ozzie's first major change as the new Chief Software Architect at Microsoft. If so, he's started out on the right foot.

It looks like Dan Kaminsky's DNS vulnerability has been released as a pair of metasploit modules, which means the script kiddies are about to unleash it on the unpatched (so patch already).

From the Metasploit Blog:

So, on to our new modules. There's no reason to rehash the deep tech regarding packet formats and spoofing techniques, as most of the speculation linked above was correct, and the original leak has been mirrored just about everywhere. In short, the way this flaw works is that it combines two previously known but somewhat mitigated flaws to achieve success. The first flaw is that since DNS (over UDP) is connectionless, it can easily be spoofed. The original mitigation for this was to make use of a transaction ID to correlate requests and replies that the attacker would have to guess. This makes spoofing harder, but not an insurmountable task. The second flaw was that additional records would be inserted into the cache which were included in replies from another nameserver during a recursive lookup. This original problem was somewhat mitigated by creating the in-bailiwick constraints that essentially limits the domain space for additional records that could be sent in the replies to hostnames from a given domain. Sounds reasonable; this prevents nameservers from doing malicious things to domains that they aren't authoritative for, while still allowing nameservers who are authoritative for a domain to update the records they need to. When you combine attacks for these two flaws however, an attacker can essentially pretend to be the authoritative nameserver, and update the nameserver record for a domain to point to a malicious nameserver address. Because the nameserver's name doesn't change, the update is in-bailiwick. You can also use this trick to inject cache entries for individual hostnames as long as those hostnames are not already cached, and also in-bailiwick.
The two Metasploit modules which implement these attacks are "DNS BailiWicked Host Attack" for injecting individual uncached host records into the target nameserver's cache, and "DNS BailiWicked Domain Attack" for replacing a target domain's nameserver records in a target nameserver's cache. Currently these must be run from the trunk development branch, as they rely on Net::DNS and raw sockets functionality which currently only exists in the development branch for MSF. The raw sockets code also currently only works when running MSF under Linux. [From BailiWicked]

For those who haven't been following the news this month, here is an executive overview, a recording of the press conference is available here, and on a more authoritative note, here is the US-CERT vulnerability note.
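The three checks the Metasploit excerpt walks through (transaction ID matching, the in-bailiwick rule for additional records, and refusing to overwrite entries already in the cache) as a small resolver-cache model. This is added example code written for this post, not Metasploit's or BIND's; the names, record tuples and addresses are constructed for illustration.

```python
import random
from dataclasses import dataclass, field


def normalize(name: str) -> str:
    """Canonical form of a DNS name: lower-case, no trailing dot."""
    return name.rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies beneath it.

    The check is label-based ("." + zone), so "notexample.test" is NOT
    inside the bailiwick of "example.test".
    """
    name, zone = normalize(name), normalize(zone)
    return name == zone or name.endswith("." + zone)


@dataclass
class PendingQuery:
    txid: int
    qname: str
    zone: str  # zone the server we asked is authoritative for


@dataclass
class Reply:
    txid: int
    qname: str
    records: list  # (owner name, rtype, rdata) from answer + additional sections


@dataclass
class CachingResolver:
    cache: dict = field(default_factory=dict)    # (name, rtype) -> rdata
    pending: dict = field(default_factory=dict)  # txid -> PendingQuery
    dropped: list = field(default_factory=list)  # audit trail of rejected data

    def send_query(self, qname: str, zone: str, rng=random) -> int:
        """Record an outstanding query under a fresh 16-bit transaction ID.

        With a fixed source port this ID is the only thing an off-path
        sender has to guess, which is the weakness the post describes.
        """
        txid = rng.randrange(0, 1 << 16)
        self.pending[txid] = PendingQuery(txid, qname, zone)
        return txid

    def receive_reply(self, reply: Reply) -> list:
        """Apply a reply and return the (name, rtype) keys that were cached.

        Check 1: the reply must carry the transaction ID and question of a
        query we actually sent; anything else is dropped unread.
        """
        q = self.pending.get(reply.txid)
        if q is None or normalize(q.qname) != normalize(reply.qname):
            self.dropped.append(("txid/qname mismatch", reply.txid))
            return []
        del self.pending[reply.txid]

        installed = []
        for name, rtype, rdata in reply.records:
            key = (normalize(name), rtype)
            # Check 2: a server may only hand us records for names inside
            # the zone it is authoritative for.
            if not in_bailiwick(name, q.zone):
                self.dropped.append(("out of bailiwick", key))
                continue
            # Check 3: a record that is already cached is not replaced by a
            # later reply; only uncached names can be introduced.
            if key in self.cache:
                self.dropped.append(("already cached", key))
                continue
            self.cache[key] = rdata
            installed.append(key)
        return installed


def demo() -> dict:
    """Walk one resolution against constructed records and return the cache."""
    r = CachingResolver()
    txid = r.send_query("www.example.test", "example.test")
    r.receive_reply(Reply(txid, "www.example.test", [
        ("www.example.test", "A", "192.0.2.10"),
        ("ns.example.test", "A", "192.0.2.53"),    # in-bailiwick glue: kept
        ("www.other.test", "A", "198.51.100.1"),   # out of bailiwick: dropped
    ]))
    return dict(r.cache)


if __name__ == "__main__":
    print(demo())
```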

UPDATE: The modules have been updated for automatic tuning.

Today at OSCON, David Recordon of Six Apart (which produces Movable Type, the software that drives this blog) announced the formation of the Open Web Foundation.

From O'Reilly Radar:

To make sure that we are working towards the same goal, foundations (like OpenID) and specs (like OAuth) are created. Each time some of the same mistakes are made. The Open Web Foundation's goal is to provide a home for community-created specs, with mentorship, resources and infrastructure. Hopefully this will help teams spend time on making the spec. [From Announcing the Open Web Foundation - O'Reilly Radar]

This is a very good thing -- standardized, community-driven specifications can be written at the speed of innovation instead of waiting for one format or another to win out (or waiting for Steve Ballmer to giveth).

Here are the slides from the announcement:

Vista critics silence themselves

Apparently, spin and image are more important than reality. Microsoft has taken the "new Mojave OS" to a group of Vista critics. They loved it. Thing is, Mojave was actually just Vista.

From CNET:

Spurred by an e-mail from someone deep in the marketing ranks, Microsoft last week traveled to San Francisco, rounding up Windows XP users who had negative impressions of Vista. The subjects were put on video, asked about their Vista impressions, and then shown a "new" operating system, code-named Mojave. More than 90 percent gave positive feedback on what they saw. Then they were told that "Mojave" was actually Windows Vista.
"Oh wow," said one user, eliciting exactly the exclamation that Microsoft had hoped to garner when it first released the operating system more than 18 months ago. Instead, the operating system got mixed reviews and criticisms for its lack of compatibility and other headaches. [From Microsoft looks to 'Mojave' to revive Vista's image | Beyond Binary - A blog by Ina Fried - CNET News.com]

Personally, I've never understood the severity of Vista criticism that accompanied its launch. Sure, you have the somewhat ambitious hardware requirements, but Microsoft has always worked in the planned-hardware-obsolescence mindset. If you chose to use a Microsoft operating system, you chose to adopt that paradigm yourself; it's part of the package.

Vista is the most secure operating system that Microsoft has ever written. In my experience, it's less crash-prone than its predecessors, and it is designed to run the next generation of technologies (look at .NET 3.5, there's some goodness packed in there).

I'm not a huge Microsoft fan. Truth be told, OpenBSD is where my heart is at, but I have to give Ballmer and friends some credit -- Vista is a huge step forward, and it looks like those that look at the technology instead of the hype are coming around to those same ideas.

Introduction to Atom Publishing Protocol

Joe Gregorio from Google's Developer Relations group has a quick and easy introduction to the Atom Publishing Protocol. It's rapidly becoming an important Web 2.0 tool, and this may be the clearest introduction I've seen yet.

Here's the video:

SQL injection attack attempts XSS

It seems like SQL injection is coming back into style. This attack injects some HTML and a reference to an offsite JavaScript file. The sad part here is that this stuff still works. If an application is written properly, both input and output are sanitized, so that even if the code gets into the database, it will never be displayed in a form the browser will execute.

From rtraction:

A new SQL injection hack seems to be out in the wild from verynx.cn. The SQL Injection hack uses a CHAR array to hide its payload which will insert some various html garbage along with a reference to a javascript file on the verynx.cn domain that will infect users when they visit your website. Luckily the domain with the offending javascript file now points to 127.0.0.1 which will help stop the spread of the virus. Unfortunately the botnet still seems to be spamming websites with the scripted attack leaving many entirely broken or loading extremely slowly as each page might have hundreds of requests to the payload. [From rtraction » Blog Archive » SQL Injection Hack using CAST from 1.verynx.cn]
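The CHAR-array and CAST obfuscation the excerpt describes only hides the payload from a casual look at the web server log; decoding it is what lets a defender spot the injected markup before it reaches the database or a browser. This is an added example written for this post (not rtraction's code); the log lines are constructed, using documentation addresses and a bare <script> tag as the decoded content.

```python
import re
from urllib.parse import unquote

# Two or more CHAR(n) calls in a row, optionally joined by "+".  The \b keeps
# the "CHAR(4000)" inside "VARCHAR(4000)" from matching.
CHAR_CHAIN = re.compile(r"(?:\bCHAR\s*\(\s*\d+\s*\)\s*(?:\+\s*)?){2,}", re.IGNORECASE)
CHAR_VALUE = re.compile(r"\bCHAR\s*\(\s*(\d+)\s*\)", re.IGNORECASE)
# CAST(0x... AS VARCHAR/NVARCHAR/CHAR/NCHAR ...): the hex blob is the hidden text.
HEX_CAST = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?(?:VAR)?CHAR)", re.IGNORECASE)
# Markers that, once decoded, show the "parameter" was really markup or SQL.
SUSPICIOUS = ("<script", "<iframe", "src=", "exec(", "update ")

# Constructed sample log (Apache combined format, documentation addresses).
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Jul/2008:10:12:01 +0000] "GET /products.asp?id=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [28/Jul/2008:10:12:03 +0000] "GET /products.asp?id=12;EXEC(CHAR(60)%2BCHAR(115)'
    '%2BCHAR(99)%2BCHAR(114)%2BCHAR(105)%2BCHAR(112)%2BCHAR(116)%2BCHAR(62)) HTTP/1.1" 500 312',
    '203.0.113.9 - - [28/Jul/2008:10:12:05 +0000] "GET /products.asp?id=12;EXEC(CAST(0x3c7363726970743e'
    '%20AS%20VARCHAR(4000))) HTTP/1.1" 500 312',
    '10.0.0.6 - - [28/Jul/2008:10:12:09 +0000] "GET /search.asp?q=CHAR(65)%2BCHAR(66) HTTP/1.1" 200 2048',
]


def decode_char_chain(chain: str) -> str:
    """Turn CHAR(60)+CHAR(115)+... back into the text it spells."""
    return "".join(chr(int(n)) for n in CHAR_VALUE.findall(chain) if int(n) < 0x110000)


def decode_hex_cast(hexdigits: str, sqltype: str) -> str:
    """Decode a CAST(0x... AS ...) literal; the N* types are UTF-16LE."""
    try:
        raw = bytes.fromhex(hexdigits)
    except ValueError:  # odd length or stray characters: not a literal
        return ""
    if sqltype.upper().startswith("N"):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def reveal_payloads(line: str) -> list:
    """Return every decoded CHAR-chain or hex-CAST string found in a log line."""
    text = unquote(line)  # %2B -> '+', %20 -> ' ', as the server saw the request
    found = [decode_char_chain(m.group(0)) for m in CHAR_CHAIN.finditer(text)]
    found += [decode_hex_cast(m.group(1), m.group(2)) for m in HEX_CAST.finditer(text)]
    return found


def scan_log(lines) -> list:
    """(client, decoded strings) for each line whose decoded content is suspicious.

    A harmless CHAR chain (line 4 decodes to "AB") is decoded but not reported.
    """
    hits = []
    for line in lines:
        if not line.strip():
            continue
        decoded = reveal_payloads(line)
        blob = " ".join(decoded).lower()
        if any(marker in blob for marker in SUSPICIOUS):
            hits.append((line.split()[0], decoded))
    return hits


if __name__ == "__main__":
    for client, decoded in scan_log(SAMPLE_LOG):
        print(client, decoded)
```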

Here we have another highly publicized act of "cyberwar" (or at least "cyberattack"). In this case, 300 websites were defaced in protest against Lithuania's ban on both Nazi and Soviet symbols. It seems some Russian hackers don't like being equated with Hitler.

From TrustedSource:

In what appears to be an imitation of last year's high profile attacks on Estonian national cyber infrastructure, Russian nationalist hackers once again demonstrated their displeasure at the actions of another Baltic country's political leaders by defacing over 300 Lithuanian websites this week, including the website of the ruling Social-Democratic party.

***

Juozas Olekas, Lithuanian minister of defense, has called the defacements a 'cyberattack on Lithuania,' while the Prime Minister Gediminas Kirkilas, who is visiting in the US this week, called the situation "very serious" and declared that he would raise it in his discussions with U.S. officials. [From TrustedSource - Blog - Cyberattack on Lithuania]

Is this really a "cyberattack on Lithuania"? Well, yes, but if we're going to label this a nation-state-scale action (which is tantamount to calling it cyberwar), then we might as well call the Microsoft defacements acts of terrorism.

Yes, these are attacks, but this isn't the national emergency that the media (and the Lithuanian minister of defense) would like us to believe. This is nothing like last year's cyberattack on Estonia, where critical infrastructure (the viability of the network itself) was targeted.

This really isn't very different from other acts of hacktivism, which have a history going back to the '80s. Does the fact that the attacks come from Russia make a difference? If they were British or American, would this be a hacktivist cause? China?

Yes, this is bad. Yes, the culprits should be prosecuted. But let's avoid talking about it as an act of international aggression. It's the Internet; even a flamewar is international.

Information Security Magazine's online portal points to a study released today by Fortify Software about the security of open source projects.

From Search Security:

Enterprises often rely on open source software to save development time and money, but they should rely on open source for good security, according to a study released today. The review of 11 popular projects revealed numerous vulnerabilities and a general absence of sound security practices.

* * *

The study discovered thousands of vulnerabilities, including nearly 23,000 cross-site scripting flaws and more than 15,000 SQL injection flaws. Of more concern, perhaps, is that there's little evidence open source projects have made finding and remediating security issues a priority. The number of flaws stayed about the same or even increased through each of three new versions of six of the packages tested. (CRM/groupware Hipergate had by far the most issues, more than 14,000.) [From Open source projects fall short on security]

Linus Torvalds doesn't think that security issues are any more important than other bugs. I think that attitude is reflected in results like these. The vulnerabilities in the study were located via an automated scanner then verified by hand. These are the types of bugs that an attacker can find with minimal effort.

With proprietary software, massive vulnerabilities such as these would express their urgency in the stock price, forcing management to expedite patching. At Microsoft, the security team has the power to stop software from shipping if there are significant vulnerabilities that put their customers at risk.

In open source software, bug fixes are prioritized according to the interests of charismatic leaders instead of being driven by the needs of the end user. Linus is, in effect, making Steve Ballmer's case for him.

The full text of the study can be found here.

How SIM cards work from Citizen Engineer

Another video, this time from a new electronics-hacking series called Citizen Engineer. The first installment premiered at HOPE over the weekend.

Here's the description of the first installment from the series site:

Learn how a SIM card works (the small card inside GSM cell phones), make a SIM card reader, view deleted messages and phone book entries, and clone/crack a SIM card.

Modify a "retired" payphone so it can be used as a home telephone and for VoIP (Skype). Then learn how to modify the hacked payphone so it accepts quarters - and lastly, use a Redbox to make "free phone" calls from the modified coin-accepting payphone. [From citizen engineer]

And here's the video:

Citizen Engineer from citizen engineer on Vimeo.

Peteris Krumins has pointed out a great lecture from Google TechTalks via his blog. This one, called "How Cyber Criminals Steal Money" is a fabulous overview of some common attack vectors.

From Krumins' blog, good coders code, great reuse:

This lecture is given by Neil Daswani, who has a Ph.D. from Stanford and currently works at Google as a security engineer. He is also an author of a book entitled "Foundations of Security: What Every Programmer Needs to Know", which teaches you state-of-the-art software security design principles, methodology, and concrete programming techniques you need to build secure software systems.
Neil talks about top three web application vulnerabilities that cybercriminals use to steal money. These three vulnerabilities are:
  • SQL Injection attacks,
  • Cross-Site Request Forgery (XSRF) attacks,
  • and Cross-Site Script Inclusion (XSSI) attacks.
I was surprised that he did not cover plain, old Cross-Site Scripting (XSS) attacks, but jumped right to dynamic XSS. You'll have to get familiar with this type of attack on your own. [From How Cybercriminals Steal Money - good coders code, great reuse]

And here is the video:

Encrypting the whole network

In a prime example of better living through math, the group behind the Pirate Bay wants to encrypt everything, or at least everything that moves across a network.

From newteevee.com:

The team behind the popular torrent site The Pirate Bay has started to work on a new encryption technology that could potentially protect all Internet traffic from prying eyes. The project, which is still in its initial stages, goes by the name "Transparent end-to-end encryption for the Internets," or IPETEE for short. It tackles encryption not on the application level, but on the network level, the aim being that all data exchanged on your PC would be encrypted, regardless of its nature -- be it a web browser streaming video files or an instant messaging client. As Pirate Bay co-founder Fredrik Neij (a.k.a. Tiamo) told me, "Even applications that don't support encryption will be encrypted where possible." [From The Pirate Bay Wants to Encrypt the Entire Internet « NewTeeVee]

This is sure to annoy Comcast. Here's the project page.

This is a serious victory for network neutrality. The FCC has ruled that Comcast's throttling of peer-to-peer traffic violates internet traffic management rules.

From vnunet.com:

The head of the Federal Communications Commission has accused Comcast of breaking the rules of internet traffic management by throttling or blocking peer-to-peer traffic.
"The FCC has adopted a set of principles that protects consumer access to the internet," FCC chairman Kevin Martin told Associated Press on 10 July. "We found that Comcast's actions in this instance violated our principles." [From FCC rules against Comcast on network throttling - vnunet.com]

The United States was ranked 48th in press freedom by Reporters Without Borders' 2007 index. Countries with greater freedoms include Estonia, Bosnia, Ghana, and Taiwan.

From the announcement:

There were slightly fewer press freedom violations in the United States (48th) and blogger Josh Wolf was freed after 224 days in prison. But the detention of Al-Jazeera's Sudanese cameraman, Sami Al-Haj, since 13 June 2002 at the military base of Guantanamo and the murder of Chauncey Bailey in Oakland in August mean the United States is still unable to join the lead group. [From Reporters sans frontières - Annual Worldwide Press Freedom Index - 2007]

Here's a link to the index itself, and its methodology.

Yesterday Linus Torvalds called the OpenBSD developers a bunch of "masturbating monkeys." Seriously, he did.

Security people are often the black-and-white kind of people that I can't stand. I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them. [From Re: stable Linux 2.6.25.10]

While OpenBSD founder Theo de Raadt has a reputation for brusqueness, he makes arguments and doesn't resort to simple name-calling. Linus wasn't making an argument in that e-mail, simply expressing an opinion (and an offensive one at that).

Paired with the Free Software Foundation's Richard Stallman and his recent unwarranted vilification of Bill Gates, the charismatic leaders of the free software world are going to destroy it with their posturing and strutting.

Or maybe it's just time for both of them to step down. Gates recognized that the time was right. Will they?

Send a book, build democracy


Christopher Hitchens writes in Slate.com about the need for English-language technical (and other) books at the American University of Iraq:

I recently received a progress report from Sulaymaniya from Thomas Cushman, who is a professor in the sociology department at Wellesley College and the founding editor of the Journal of Human Rights. He tells me that the American University attaches very special importance to the establishment of a library in English. An initiative has been set up to furnish the campus with the most up-to-date books that can be provided.
As Cushman writes:
What I did was ask colleagues to donate books, which they did in good numbers. We sent thirty cartons of first-rate books, especially on global affairs, history and literature and they are housed in the new library. ... The university is especially in need of technical books, social science books, software even. ... Nathan Musselman, the Prefect of the University who is teaching a class, wrote to me thrilled to tell me that the students were now writing their term papers in English and using many of these books as their main sources for research. He is greatly desirous of receiving more, now that the initial library is set up. ... So the idea is to get people to donate in a more micro way; to send one or two new, current and important books (perhaps they have review copies, extra copies, etc) to the new library of the University. All of these small polyps could yield a substantial coral reef of knowledge for the new generation of students there.
So here's what to do. Have a look at the university's Web site. Get some decent volumes together, pass the word to your friends and co-workers to do the same, and send them off to:
Nathan Musselman
Building No. 7, Street 10
Quarter 410 Ablakh Area
Sulaimani, Iraq
(+964) (0)770-461-5099
It's important to include the number at the end. [From Send a book, build democracy. - By Christopher Hitchens - Slate Magazine]
This is an amazing opportunity to help shape a nation's technology. Students can only read books that are available to them, so if you're of a particular religious persuasion, start sending them those Ruby or C# or Cobol (if that's your thing) texts. In addition to looking through my library for relevant books I don't use any more, I'm ordering Restful Web Services, Secure Coding: Principles and Practices, and a couple of others.

Free knowledge (perl books)

Walter Lamaga has assembled a set of links to (legally) free books on Perl, from beginning to pro.

From ServerSolaris.com:

Here is a nice list of Perl books available on the Internet; they are open to the public and can be read without paying. This is a nice initiative to give people with less acquisition power (poor countries for example) the possibility to learn a language that with some effort can give you the possibility to know people and work together or in offshore projects. [From » Perl books free and legal ServerSolaris.Com: Solaris Administration secrets and programming]

Knowledge should always be this free and open. Kudos to Lamaga for his effort in assembling the links. Here is his list:

Apple ID compromised by simply asking

Can you believe that Apple just handed out an Apple ID password in response to a one-line request? From Marko Karppinen:

I tried to log in to Apple Developer Connection this morning to find out that my password had been changed and the email associated with my account was now a yahoo.com address that wasn't mine. Luckily, my "security question" was still the same, so I was able to reset the password and email address back.
Based on the emails that have appeared in my .Mac mailbox, this was accomplished by sending this classy one-liner to Apple:
am forget my password of mac,did you give me password on new email marko.[redacted]@yahoo.com
To which Apple reacted by doing the only reasonable thing - saying Sir, Yes Sir! and handing my account over. [From Apple just gave out my Apple ID password because someone asked - MK&C]

You have to believe that Apple actually does have procedures in place (based on the "security question") that were ignored in this case. This is just evidence that no matter how strict security policies are, there is always going to be a McEmployee who will ignore them; even technical constraints that enforce policy can usually be overridden by somebody who is too busy to ask a couple of extra questions.

What's the better solution, to pour money into building more sophisticated safeguards or to outsource the risk?

Star Trek: The Experience is closing

It's a sad day -- the Star Trek-themed section of the Las Vegas Hilton is closing. I've never been -- I've always visited Vegas with non-Trek types and assumed that I'd have another opportunity. I had been leaning against going to Defcon this year (mostly due to the cost of an urgent and unplanned home improvement), but this may push me over the line.

From Wil Wheaton's blog:

It was bound to happen sooner or later, and though I've known this was coming for a few months now, I was still really sad to read confirmation that Star Trek: The Experience is closing September first. [From WWdN: In Exile: Star Trek: The Experience is closing]

Make sure to follow the link to Wil Wheaton's blog -- he has a more personal experience posted, excerpted from his excellent book, Dancing Barefoot.

EFiX OS X dongle isn't vaporware

| | Comments (0) | TrackBacks (0)
In another step towards OS X on commodity hardware, the EFiX boot dongle's release date has been announced. It's surprising that the company has come this far. I had assumed that Apple's lawyers would kill this off while it was still vaporware.

From slashgear:

EFiX, who promise USB dongles that allow Apple's OS X software to be installed on normal PC hardware, have finally been discussing availability and pricing. The device, which allows you to install OS X from a standard retail DVD, together with any available patches and tweaks, will now be available in V1 or V2 versions. The first batch, which somewhat confusingly will be V2 models, will cost around €80 ($125); that price, according to EFiX, is artificially inflated courtesy of the chips being basically a handmade series of 200, and future, mass-produced versions will be far cheaper. [From EFiX OS X hack dongle release date and price revealed - SlashGear]
I use and enjoy OS X, but outside of specialty apps such as Final Cut Pro, I don't think it really outpaces a good Linux distribution such as Ubuntu. If one is going to go through the hassle of dealing with device drivers and hardware compatibility, why not just use Linux for free?

Microsoft reunion photos

| | Comments (0) | TrackBacks (0)

While I'm thinking about Microsoft, here's an interesting bit for computer historians.

Mithun Dhar's MSDN blog has posted a couple of interesting photos from Microsoft history.

There was a recent reunion of the original eleven Microsoft employees where they re-created a much earlier photo taken just before they moved from Albuquerque to Bellevue (which is about 5 miles west of the current Redmond campus).

First, the Albuquerque photo:

[Photo: Before_2]

That's (top row) Steve Wood, Bob Wallace, Jim Lane, (middle row) Bob O'Rear, Bob Greenberg, Marc McDonald, Gordon Letwin, (front row) Bill Gates, Andrea Lewis, Marla Wood, and Paul Allen.

And the current photo:

[Photo: After_2]

Here we have (top row) Bob O'Rear, Steve Wood, Bob Greenberg, Marc McDonald, Gordon Letwin, Jim Lane, (front row) Bill Gates, Andrea Lewis, Miriam Lubow, Marla Wood, and Paul Allen.

The second photo includes Miriam Lubow who was absent from the first photo. Bob Wallace passed away in 2002 (in addition to his work at Microsoft, Bob invented the term shareware and authored one of the earliest word processing applications, PC-Write).

Stallman blasts Gates & Gates Foundation

| | Comments (0)

In an article published Wednesday by BBC News, Richard Stallman, founder of the Free Software Foundation, blasts Bill Gates on the occasion of his retirement. Not only does he go after Microsoft, but he swings at the Bill and Melinda Gates Foundation, which does an enormous amount of good around the world:

Gates' philanthropy for health care for poor countries has won some people's good opinion. The LA Times reported that his foundation spends five to 10% of its money annually and invests the rest, sometimes in companies it suggests cause environmental degradation and illness in the same poor countries. [From BBC NEWS | Technology | It's not the Gates, it's the bars]

Stallman clearly has an irrational obsession with vilifying Gates, even bringing up the infamous Gates letter to computer hobbyists from 1976:

[Image: Bill_Gates_Letter_to_Hobbyists]

The letter is 32 years old and dates to a completely different era of computing. It's an interesting historical footnote, yes, but isn't it time to give it a rest as a serious argument against proprietary software? Shouldn't the argument be about the success and advantages of open source?

Gates' villainy -- real or imagined -- has clearly become an idée fixe for Stallman, who even goes as far as to insinuate that Gates is a Bush crony:

Microsoft persistently engages in anti-competitive behaviour, and has been convicted three times. George W Bush, who let Microsoft off the hook for the second US conviction, was invited to Microsoft headquarters to solicit funds for the 2000 election. [From BBC NEWS | Technology | It's not the Gates, it's the bars]

I am a supporter of free and open software, but Stallman's behavior makes it more difficult to whole-heartedly support the Free Software Foundation. When he pens polemics this vitriolic, he seriously hurts the GNU cause in the court of public opinion.

More news from Microsoft, this one on a software-as-a-service business model.

From ArsTechnica:

Microsoft has released more details about its new software subscription bundle that went into testing in mid-April. The bundle has been officially dubbed Microsoft Equipt and will be made available in mid-July 2008 at nearly 700 Circuit City stores in the US. Equipt licenses will cost $70 per year and will include Windows Live OneCare, Microsoft Office Home and Student 2007, Microsoft Office Live Workspace, and Windows Live tools. [From Microsoft Equipt: 3 Office, OneCare licenses for $70/year]

Here's a link to this morning's press release.

Though it hasn't gathered many headlines yet, this is an important departure for Microsoft. As I mentioned briefly last week, I truly believe that cloud computing is the future and represents the death knell for traditional self-owned IT infrastructure. Here, Microsoft is offering a valuable software product -- Office -- as part of the service. Also included is managed security, which can make a huge difference in the home computing market where users seldom worry about the integrity of their systems.

With all of the focus on Microsoft's more visible products such as Vista, XBox, and Zune, it's easy to miss the potentially game-changing offerings that are creeping into their business model.

If this trial goes well, perhaps we'll see a small business bundle that also includes Outlook and an Exchange-like expansion of Office Live Small Business. That would be a winner.

Metasploit on the iPhone

| | Comments (0) | TrackBacks (0)
It looks like metasploit is now available on the iPhone as documented on Muts' Blog:

The idea of getting Metasploit 3 on an iPhone has been bugging me for a while. We've already put it on a WRT54g, so having it on an iPhone was a must. The Ruby package in the iPhone installer is broken, and recompiling it... just didn't seem like fun. I haven't had too much background with installing iPhone firmwares, so I called on my trustworthy friend, Jacky.

I read that the Cydia installer was a better environment (BSD Subsystem replacement) for these games...so after a painful process of bricking my iPhone, being saved by Jacky, installing Cydia, ruby, wget, mobile terminal, svn and downloading metasploit - we got it to work!

After all of his trouble, he notes that metasploit is already available as part of the Cydia installer. Couple the usefulness of the iPhone as a portable pen testing device with the known iPhone exploits that have come out in the last year, and a portrait of the device as a truly rich computing environment starts to emerge.

So the big question -- take your beloved iPhone to Defcon? Or leave it at home where it's relatively safe?

Internet Explorer is evolving

| | Comments (0) | TrackBacks (0)
First a recent warning from McAfee -- if you're still using IE 6, it's time to upgrade. From SecurityNewsPortal.com:

Anyone using Internet Explorer 6 should upgrade to the latest version of the browser, IE7, to avoid security risks. A researcher at security firm McAfee said that a scripting flaw in IE6 could lead to hackers gaining access to your computer.

McAfee recommends that users of IE6 should upgrade to IE7 or use an alternative browser such as Firefox. [From SecurityNewsPortal.com: IE 6 users warned to upgrade]

More interesting is that IE 8's XSS filter is being discussed for the first time. From the IE blog at MSDN:

The XSS Filter operates as an IE8 component with visibility into all requests / responses flowing through the browser. When the filter discovers likely XSS in a cross-site request, it identifies and neuters the attack if it is replayed in the server's response. Users are not presented with questions they are unable to answer - IE simply blocks the malicious script from executing.

With the new XSS Filter, IE8 Beta 2 users encountering a Type-1 XSS attack will see a notification like the following:

[Image: XSS.Notification]

The page has been modified and the XSS attack is blocked. [From IEBlog : IE8 Security Part IV: The XSS Filter]

The IE folks have been doing a lot to improve security, and it's worth the time to peruse the other improvements they're making.
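As an added, simplified illustration of the replay check the IE team describes above (this is not IE8's code; the injection patterns, hostnames and the "#" neutering are constructed for the example), the sketch below flags a cross-site request whose parameter looks like script injection and rewrites that fragment only when the server echoes it back unchanged:

```python
import re
from urllib.parse import urlparse, parse_qsl

# Constructed heuristics for "likely XSS" in a request parameter; a real
# filter (IE8's included) uses far more elaborate signatures.
SUSPICIOUS = [
    re.compile(r"<\s*script", re.I),      # opening script tag
    re.compile(r"\bon[a-z]+\s*=", re.I),  # inline event handler attribute
    re.compile(r"javascript\s*:", re.I),  # javascript: URL scheme
]


def is_cross_site(request_url, referer):
    """Only cross-site navigations are inspected; same-origin is left alone.
    A missing Referer is treated as cross-site (the conservative choice)."""
    if referer is None:
        return True
    return urlparse(request_url).netloc.lower() != urlparse(referer).netloc.lower()


def suspicious_fragments(request_url):
    """Decoded query-string values that match one of the injection patterns."""
    query = urlparse(request_url).query
    return [value for _, value in parse_qsl(query, keep_blank_values=True)
            if any(p.search(value) for p in SUSPICIOUS)]


def neuter(fragment):
    """Break the markup so it no longer parses as a tag, attribute or URL scheme."""
    return fragment.replace("<", "#").replace("=", "#").replace(":", "#")


def filter_response(request_url, referer, body):
    """Return (possibly rewritten body, blocked flag).

    A suspicious request fragment triggers a rewrite only if it is replayed
    verbatim in the response, i.e. the server reflected it without encoding."""
    if not is_cross_site(request_url, referer):
        return body, False
    blocked = False
    for frag in suspicious_fragments(request_url):
        if frag in body:
            body = body.replace(frag, neuter(frag))
            blocked = True
    return body, blocked
```

A server that HTML-encodes the reflected value never matches the replay check, which is the point: the filter only acts when the page itself failed to neutralise the input.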

From Bruce Sterling's blog at Wired:

More Than 630,000 Laptops Lost at Airports Each Year

(June 30, 2008) A Ponemon Institute survey of 106 airports in 46 states found that as many as 637,000 laptops are reported lost each year. Overall, more than 12,000 laptops are reported lost at the airports every week, and 67% are never recovered. The 36 largest US airports account for more than 10,000 lost laptops each week. The laptops are most commonly lost at security checkpoints and departure gates. The survey also included feedback from 864 business travelers: 53% said their laptops held confidential data; 42% said their data was not backed up; 16% said they would do nothing if they lost a laptop while traveling on business; 77% said the chance of recovering a lost laptop was less than ten percent. The study was commissioned by Dell, which has just released "a suite of data protection and asset protection services," including laptop tracking and remote data deletion.

Here's a link to the full text of the study. When will people learn that encryption is easy?
