2.5 *terabyte* hot-swap storage — for $730 by ZDNet's George Ou -- I still remember the first hard drive I ever bought. The year was 1992, and I had my friend drive me 70 miles into Silicon Valley for the deal of the month in hard drives. The prize at the end of that grueling drive without air conditioning was a whopping 200-megabyte IDE hard drive [...]
Monday, April 30, 2007
Saturday, April 28, 2007
Friday, April 27, 2007
Sound crazy? Perhaps no more than the stampede to ban the incandescent light bulb in favor of compact fluorescent lightbulbs (CFLs) — a move already either adopted or being considered in California, Canada, the European Union and Australia.
According to an April 12 article in The Ellsworth American, Bridges had the misfortune of breaking a CFL during installation in her daughter’s bedroom: It dropped and shattered on the carpeted floor.
Aware that CFLs contain potentially hazardous substances, Bridges called her local Home Depot for advice. The store told her that the CFL contained mercury and that she should call the Poison Control hotline, which in turn directed her to the Maine Department of Environmental Protection.
The DEP sent a specialist to Bridges’ house to test for mercury contamination. The specialist found mercury levels in the bedroom in excess of six times the state’s “safe” level for mercury contamination of 300 billionths of a gram per cubic meter.
Even if you don’t go for the full-scale panic of the $2,000 cleanup, the do-it-yourself approach is still somewhat intense, if not downright alarming.
Consider the procedure offered by the Maine DEP’s Web page entitled, “What if I accidentally break a fluorescent bulb in my home?”
Don’t vacuum bulb debris because a standard vacuum will spread mercury-containing dust throughout the area and contaminate the vacuum. Ventilate the area and reduce the temperature. Wear protective equipment like goggles, coveralls and a dust mask.
Collect the waste material into an airtight container. Pat the area with the sticky side of tape. Wipe with a damp cloth. Finally, check with local authorities to see where hazardous waste may be properly disposed.
The only step the Maine DEP left off was the final one: Hope that you did a good enough cleanup so that you, your family and pets aren’t poisoned by any mercury inadvertently dispersed or missed.
This, of course, assumes that people are even aware that breaking CFLs entails special cleanup procedures.
The potentially hazardous CFL is being pushed by companies such as Wal-Mart, which wants to sell 100 million CFLs at five times the cost of incandescent bulbs during 2007, and, surprisingly, environmentalists.
It’s quite odd that environmentalists have embraced the CFL, which cannot now and will not in the foreseeable future be made without mercury. Given that there are about 4 billion lightbulb sockets in American households, we’re looking at the possibility of creating billions of hazardous waste sites such as the Bridges’ bedroom.
Usually, environmentalists want hazardous materials out of, not in, our homes.
These are the same people who go berserk at the thought of mercury being emitted from power plants and the presence of mercury in seafood. Environmentalists have whipped up so much fear of mercury among the public that many local governments have even launched mercury thermometer exchange programs.
As the activist group Environmental Defense urges us to buy CFLs, it defines mercury on a separate part of its Web site as a “highly toxic heavy metal that can cause brain damage and learning disabilities in fetuses and children” and as “one of the most poisonous forms of pollution.”
Greenpeace also recommends CFLs while simultaneously bemoaning contamination caused by a mercury thermometer factory in India. But where are mercury-containing CFLs made? Not in the U.S., under strict environmental regulation. CFLs are made in India and China, where environmental standards are virtually non-existent.
And let’s not forget about the regulatory nightmare known as the Superfund law, the EPA regulatory program best known for requiring expensive but often needless cleanup of toxic waste sites, along with endless litigation over such cleanups.
We’ll eventually be disposing billions and billions of CFL mercury bombs. Much of the mercury from discarded and/or broken CFLs is bound to make its way into the environment and give rise to Superfund liability, which in the past has needlessly disrupted many lives, cost tens of billions of dollars and sent many businesses into bankruptcy.
As each CFL contains 5 milligrams of mercury, at the Maine “safety” standard of 300 nanograms per cubic meter, it would take 16,667 cubic meters of soil to “safely” contain all the mercury in a single CFL. While CFL vendors and environmentalists tout the energy cost savings of CFLs, they conveniently omit the personal and societal costs of CFL disposal.
Not only are CFLs much more expensive than incandescent bulbs and emit light that many regard as inferior to incandescent bulbs, they pose a nightmare if they break and require special disposal procedures. Should government (egged on by environmentalists and the Wal-Marts of the world) impose on us such higher costs, denial of lighting choice, disposal hassles and breakage risks in the name of saving a few dollars every year on the electric bill?
Tuesday, April 24, 2007
"Security flaws are abundant on these devices," Jack said. "Security needs to reach further than a home PC. Insecure devices pose a threat to the entire network. Hardware vendors must take security into consideration."
There hasn't yet been a large amount of security research into the type of software Jack looks at. This is code that runs gadgets equipped with ARM, MIPS, XScale and PowerPC microprocessors. However, researchers appear increasingly interested in finding ways to attack routers and other such "embedded" devices.
In examining software from various devices, Jack found that there are many exploitable "null pointers" in the code. "Vulnerabilities that are near dead in the PC realm are abundant," he said. "This is a new class of attack...This is a remote attack the same way as a buffer overflow or a heap overflow, but it is more reliable."
Null pointers have often been disregarded as insignificant bugs, but according to Jack, the bugs can in fact allow full compromise on embedded devices. A null pointer is a pointer that holds no valid address; code that dereferences one without checking reads from or writes to address zero instead of the data it intended to use.
An attacker could run unauthorized software on a device connected to a network. Criminals could use this kind of attack to steal sensitive information from mobile phones and PDAs or monitor and redirect Internet traffic on routers.
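The pattern Jack describes, as an added example that is not from the article or from any vendor's firmware: a packet handler that trusts a session lookup and writes through its result, beside a hardened version that treats a lookup miss as an error. The session table, ids and payload are constructed for the example. On a hosted OS the unchecked write faults; on many MMU-less embedded targets address zero is ordinary mapped memory, which is why the same bug is far more than a crash there.

```c
/* Added example (not from the article): an unchecked null pointer in a
 * packet handler, and the hardened form that fails closed instead. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_SESSIONS 4

struct session {
    uint16_t id;
    uint8_t  active;
    uint8_t  buf[32];
};

/* Constructed session table: ids 1..3 in use, slot 0 unused. */
struct session sessions[MAX_SESSIONS] = {
    {0, 0, {0}}, {1, 1, {0}}, {2, 1, {0}}, {3, 1, {0}},
};

/* Constructed payload standing in for a received packet body. */
const uint8_t sample_payload[] = {0xde, 0xad, 0xbe, 0xef};

/* Returns NULL when no active session matches: the case callers must handle. */
struct session *lookup_session(uint16_t id)
{
    for (size_t i = 0; i < MAX_SESSIONS; i++)
        if (sessions[i].active && sessions[i].id == id)
            return &sessions[i];
    return NULL;
}

/* Vulnerable pattern: trusts the lookup and writes through the result.
 * With an unknown id, s is NULL and the memcpy targets address 0 plus the
 * offset of buf. sizeof does not dereference, so the length clamp passes.
 * Shown for contrast only; nothing below calls it. */
void handle_unchecked(uint16_t id, const uint8_t *payload, size_t len)
{
    struct session *s = lookup_session(id);
    if (len > sizeof s->buf)
        len = sizeof s->buf;
    memcpy(s->buf, payload, len); /* write via NULL on a lookup miss */
}

/* Hardened version: 0 on success, -1 for an unknown session,
 * -2 for an oversized payload (rejected rather than silently truncated). */
int handle_checked(uint16_t id, const uint8_t *payload, size_t len)
{
    struct session *s = lookup_session(id);
    if (s == NULL)
        return -1;               /* fail closed rather than write via NULL */
    if (len > sizeof s->buf)
        return -2;
    memcpy(s->buf, payload, len);
    return 0;
}

/* Helper so a caller can confirm the write landed in the intended slot. */
uint8_t session_byte(uint16_t id, size_t idx)
{
    struct session *s = lookup_session(id);
    return (s != NULL && idx < sizeof s->buf) ? s->buf[idx] : 0;
}
```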
To find bugs, the software needs to be extracted from the device and analyzed, Jack said. This could be done using a gadget that connects to hardware interfaces, such as JTAG (Joint Test Action Group) or UART (Universal Asynchronous Receiver Transmitter), commonly available on the devices, he said. Alternatively, manufacturers sometimes conveniently make their software available online.
In a demonstration, Jack launched an attack on a D-Link router. He showed how he could remove password protection on the router and enable remote administration capability. He subsequently uploaded modified software to the router that included a "watchdog" tool he created to monitor activity.
The particular D-Link hole Jack used in the demonstration is not exploitable over the Internet--an attacker has to be connected to the vulnerable device. However, many other vulnerabilities of this type exist that do allow attacks via the Internet, he said.
One way hardware makers can prevent bug hunters from finding flaws in their code is by hiding their software better, Jack said. For example, commercial devices should not have JTAG traces that let people copy the software. "No debugging functionality needs to remain," he said.
"We don't know who's inside our networks," subcommittee chairman Rep. James Langevin (D-R.I.) said at an afternoon hearing here. "We don't know what information has been stolen."
Indeed, 21 of 24 major federal agencies had weak or deficient information security controls in place during the last fiscal year, according to audit reports, said Gregory Wilshusen, director of information security issues for the Government Accountability Office.
Pitfalls ranged from failing to replace well-known vendor-supplied passwords on systems to not encrypting sensitive information to not creating adequate audit logs to track activity on their systems, according to a new GAO report (PDF) he summarized at the hearing.
One of the main purposes of the hearing was to allow officials at the State and Commerce departments to give the first complete public accounts of the cyberattacks since news reports brought the incidents to light several months ago.
The State Department troubles began in May, said Donald Reid, senior coordinator for security infrastructure for the agency's Bureau of Diplomatic Security. An employee at an office in the East Asia Pacific region opened an e-mail message that contained what appeared to be a legitimate Microsoft Word document of a congressional speech--but when opened, actually unleashed malicious code that allowed the intruder backdoor access to the State Department's network.
The agency's intrusion detection system "immediately" detected the flaw and later discovered additional breaches on its systems in other Asian outposts and at its Washington headquarters, Reid said. In the process of analyzing that malicious code, analysts also discovered another previously unknown hole in the Windows operating system that lacked a security patch.
Realizing that Microsoft would not be able to issue a fix as speedily as necessary, the department developed a temporary "wrapper" designed to protect the systems from continued exploits, Reid said. All the affected systems were brought back up and running by July, and the department has not encountered further troubles, Reid said. (Microsoft ultimately released the new patch in August.)
Some politicians targeted Reid's assurances that the attacks only affected "unclassified" systems. Because government auditors have determined that the State Department lacks a complete inventory of its computer systems, "how can you be certain your classified networks aren't touching your unclassified networks, and can you really know hackers have only accessed unclassified networks?" Langevin asked. He also suggested that even unclassified networks can contain "sensitive" data.
Also encountering pointed questions from the handful of politicians present Thursday was Dave Jarrell, manager of the Commerce Department's Critical Infrastructure Protection Program.
Jarrell recounted events that transpired beginning in July at his department's Bureau of Industry and Security, which handles the sometimes thorny topic of export controls. After a senior BIS official discovered one morning that he could not log in to his machine, an agency computer security team went on to discover 33 computers that had attempted to establish connections to suspicious Internet protocol addresses originating from Internet servers in China.
Some politicians criticized the bureau for admittedly not knowing exactly how long the attackers were able to gain access to their systems. Jarrell said the agency was "very confident" that the data on existing machines is safe. He blamed the inability to pinpoint the time of the intrusion on faulty audit logs and said the agency was fixing that problem.
Politicians also used the hearing to lash out again at the Department of Homeland Security's persistently lagging cybersecurity efforts. They lamented that the agency had only managed to pull up its own information security grade, as determined by its compliance with federal standards, to slightly above failing this year. (The State and Commerce departments, for their part, both received F's.)
"I'll be honest with you," Langevin said. "I don't know how the department thinks it's going to lead this nation in securing cyberspace when it can't even secure its own networks."
Thursday, April 12, 2007
"There is one heap-overflow flaw that might be exploited for code execution," Karthik Raman, a McAfee researcher wrote on the blog on Tuesday. Typically such flaws are exploited by tricking a targeted victim into opening a rigged Office document.
Microsoft is investigating the bug reports as well, a company representative said in an e-mailed statement. The initial investigation has found that none of these zero-day claims demonstrates any vulnerability in the products of Office 2007, the latest version of Office, the representative said. Also, Microsoft is not aware of any attacks that exploit any of the issues at this time, he said.
In addition to the Office bugs, a zero-day vulnerability has been reported in Windows. Sample code that exploits a flaw in the way Windows handles help system files has been posted to the Internet.
"This is another heap-overflow flaw that might be exploited for code execution," McAfee's Raman wrote in an update to the Avert Labs blog late Tuesday.
Microsoft said it is aware of the issue. "Microsoft has listed .hlp files as unsafe file types and recommends customers exercise the same cautions with .hlp as .exe, as both file types are executable," it said. An attacker would have to use rigged .hlp files to exploit the flaw, according to Microsoft.
Word of the flaws comes on the day that Microsoft issued five security bulletins as part of its monthly patch cycle. The company is still dealing with the aftermath of an emergency patch released last week.
"This is yet another time that zero-day flaws have been published around a Patch Tuesday, possibly to maximize the exposure to these flaws until the next month's Patch Tuesday," Raman wrote.
Cybercrooks have found that they can take advantage of Microsoft's security update cycle by timing new attacks right before or just after Patch Tuesday--the second Tuesday of each month when the software maker releases its fixes. Some security watchers have coined the term "zero-day Wednesday" to describe that strategy.
McAfee is still investigating the security vulnerabilities. They may not actually all be new, said Dave Marcus, security research and communications manager at the Santa Clara, Calif.-based security firm. "Sometimes what people claim to be zero-days may in fact be related to something that's already known," he said.
Should the three Office bugs be new, the tally of zero-day vulnerabilities in the productivity suite waiting for a fix would jump to five. Microsoft did not deliver any patches for Office on Tuesday, despite two vulnerabilities in the software that have been previously disclosed, according to eEye Security's zero-day flaw tracker.
Tuesday, April 10, 2007
For months, hackers--most likely in China and Russia, according to security watchers--have been surreptitiously installing keylogging software on WoW players' Windows computers, hijacking their accounts and selling off their often valuable in-game assets.
And the problem doesn't show any signs of going away.
The gangs perpetrating the hacking are "incredibly active, and it's a good exploit," said Roger Thompson, CTO of security software developer LinkScanner. "It's probably a conservative estimate to say that there's tens of thousands of victims."
The exploit works when unsuspecting WoW players visit any number of Web sites infected by the hackers with keylogging software. When the players visit the sites--which are often unrelated to WoW, but that players frequent, Thompson said--the software is quietly installed on their computers, allowing the hackers to spy on keystrokes and steal players' WoW passwords.
While the software could easily be used to hack into players' accounts in almost any online game, there's no evidence the victims are anybody but players of WoW.
"It's only a matter of what they want to do," Thompson said of the hackers' choice to attack only WoW accounts. "The guys working out how to do it are WoW players. We're pretty sure we know who (most of them) are: a couple of Chinese college students, and it turns out they're interested in WoW."
Thompson said he suspects that a Russian gang may also be involved.
Many of the victims, no doubt, have experiences similar to that of Dag Friedman, a 37-year-old math teacher from Sacramento, Calif.
Last month, Friedman wrote on the WorldofWar.net--an unofficial WoW community site--that he had recently discovered that one of his WoW accounts had been permanently banned by the game's publisher, Blizzard Entertainment. According to an e-mail he received, the banning was punishment for "account sharing," a violation of the game's terms of service in which players give others their passwords and access to their accounts.
Friedman wrote that he had tried to get Blizzard to explain what happened, but had gotten no initial response. Weeks later, however, he was contacted by Blizzard, which told him it had reinstated his account and restored his lost items.
Contacted by CNET News.com, Friedman said he had since had another WoW account hacked, and that he was disturbed that someone had broken into his computer.
Worse, in the middle of an instant-message conversation with CNET News.com, Friedman reported that he had just discovered that yet another of his accounts had been broken into and all its contents pilfered.
For its part, Blizzard said it's addressing the problem by informing players that they should ensure their computers are safe against malware.
An "important means of protecting your account information is keeping your system up-to-date," Blizzard wrote in an April 6 forum posting on the official WoW Web site. "For instance, installing the latest Windows security patch is a good way to avoid exploits designed to steal your login and password details."
But some players would be the first to admit they do a poor job of updating their security software. As a result, they are perfect targets for hackers.
Friedman, in fact, acknowledged that he is lax about such things.
"This really comes down to a security issue," Friedman said, "and obviously I am not taking the necessary steps to make my home computer secure enough."
Friedman also said he appreciates that Blizzard is acting quickly to shut down accounts after they have been compromised, since it alerts players to problems with their computers.
"I think that it is good that they are so quick to ban the account," he said. "I would not have been aware of this situation if they had not been so quick to act. Who knows what other types of information could have been accessed?"
There are more than 8 million WoW players, so even if tens of thousands are finding their accounts compromised, that's still a very small percentage of the total.
But for the hackers, the rewards can be substantial. That's because many players hoard gold, weapons, spells or armor worth a lot of money on the open market. Even though Blizzard doesn't officially allow players to buy or sell those goods, there is a thriving market for them (and that's in spite of the fact that eBay, one of the most popular venues for such transactions, recently decided to ban them).
"People are willing to buy on the black market," said Javier Santoyo, senior manager of Symantec's security response team. "If players themselves were not willing to go outside the games to improve their characters, then there wouldn't be such a need."
But for players like Adam Satterfield, a 28-year-old IT consultant from Atlanta, the downside to having a WoW account hacked and subsequently banned goes beyond losing in-game assets.
Several months ago, Satterfield said, his computer was infected by keylogging software. His account was hacked, his assets were stolen and the account was banned.
"It's unfortunate to lose your in-game stuff," Satterfield said, "but what was really important was to play and hang out with my friends."
Once his account was deactivated, Satterfield said he had to go back and forth with Blizzard to prove his account truly belonged to him. All told, the process took nearly a month, and Blizzard ended up charging him for that month of service anyway.
Blizzard spokesperson Shon Damron said the company recommends using the Blizzard Launcher, a console that delivers WoW news and at the same time runs a scan of players' computers. If it finds something amiss, it alerts the player. Damron said Blizzard also recommends players use virus-scanning software.
Thompson agreed, and said the best thing a WoW user on a Windows machine can do is use the very latest Windows patches from Microsoft.
"The moral of the story is that if you patch, you're safe," Thompson said. "If not, be afraid, be very afraid. Complacency is the enemy."
Monday, April 09, 2007
Not Steganography anyway… by ZDNet's Paul Murphy -- Did somebody just copy a whole bunch of stuff to a USB drive that was passed around? Do an ftp -i; mget *? Fall victim to desktop, Word, or Outlook corruption? Download a virus from a porn site - one that stole documents?
The fix will be delivered as a "high priority" update alongside Microsoft's regular security updates, Christopher Budd, a Microsoft security staffer wrote on a corporate blog on Friday.
Microsoft has identified three additional applications that conflict with last week's "critical" MS07-017 security update. Originally the company listed only the Realtek HD Audio Control Panel as software that would not function and cause error messages to appear. CD-Tag, ElsterFormular and TUGZip have been added to that list.
"While the impact of these issues is clearly not widespread, it is affecting some of our customers," Budd wrote. For example, in Germany the issue with ElsterFormular is causing headaches because companies use it to file their taxes, according to the Elster Web site.
Microsoft broke with its monthly patch cycle to repair a bug in the way Windows handles animated cursors. Cybercrooks had been using the hole to attack Windows PCs. Microsoft knew about conflicts with Realtek's audio software before releasing the fix and published a support article with the security bulletin.
Microsoft's Automatic Updates, the Windows feature that automatically downloads and installs fixes, will install the fix only on PCs that run conflicting applications, Budd wrote. The Windows Update and Microsoft Update Web sites will also offer it only if conflicting software is found on a PC, he wrote.
For organizations, Microsoft will make the fix available through its Windows Server Update Services and Software Update Services patch installation tools, though with a possible delay until later next week, Budd wrote. The fix is already available for download from Microsoft's Web site.
Microsoft on Tuesday also plans to release five security bulletins, four of which will address Windows flaws. The bulletins, part of Microsoft's monthly patch cycle, will provide fixes for an undisclosed number of security vulnerabilities.
Tuesday, April 03, 2007
The move to turn the clocks forward by an hour on March 11 rather than the usual early April date was mandated by the U.S. government as an energy-saving effort.
But other than forcing millions of drowsy American workers and school children into the dark, wintry weather three weeks early, the move appears to have had little impact on power usage.
"We haven't seen any measurable impact," said Jason Cuevas, spokesman for Southern Co., one of the nation's largest power companies, echoing comments from several large utilities.
That may come as no surprise to the Energy Department, which last year predicted only modest energy savings because the benefits of the later daylight hour would be offset.
For example, households may draw less electricity for lights at night, but will use more power early in the day as they wake to darker and chillier mornings.
Residential lighting comprises only about 10 percent of the average homeowner's electricity use, while air conditioners, heaters and refrigerators consume much more power. Washers, dryers and plasma televisions are also bigger users of electricity than lighting.
"There might have been a small increase in morning lighting, and a slightly larger decline in evening lighting usage," said a spokeswoman at New Jersey utility Public Service Enterprise Group, but that modest decline will have no effect on its overall sales or earnings.
Congress plans to evaluate the effects of the earlier switch to daylight saving time.
Perhaps the biggest effect was felt by the computer and gadget users who needed software patches to keep their digital devices on the right time.
Dan Hermann, a computer programmer in New York, updated his gadgets to the new daylight saving time three weeks ago, only to have them automatically shift forward by another hour on Sunday, the previous start date for daylight saving time.
"I panicked. I thought I was late for church," Hermann said.
Even without an energy savings benefit, some Americans gave a good review to the new daylight saving time.
"I love that you can leave work and it's still daylight," said Todd Knapp, an avid runner in New York.
Monday, April 02, 2007
Trojan masquerades as IE 7 downloads by ZDNet's Ryan Naraine -- Spammers are using fake Internet Explorer 7 (Beta 2) downloads to lure Windows users into downloading a nasty backdoor Trojan. The fake downloads are part of a massive spam run that includes an official-looking graphic (see image below) linked to Web sites that auto-launch an executable named "ie7.exe." A copy of this spam that landed in my [...]