Media

Submission + - FOX News content too racy for Digg and YouTube (bravenewfilms.org) 1

Leighton Woodhouse writes: "Hi, my name is Leighton Woodhouse and I'm the Communications Director at Brave New Films. Last week, we had an experience with our latest YouTube video release that we thought you might be interested in hearing about.

The editors at Digg.com temporarily banned Brave New Films from posting on their site, and YouTube flagged our latest video as inappropriate for minors. We've been penalized for submitting "Adult Content" to each of the web sites.

What did we post? Clips from FOX News.

A little background: Brave New Films is the producer of "OutFoxed: Rupert Murdoch's War on Journalism." Following on the success of that feature length documentary, BNF has been busy producing short online videos highlighting FOX's flagrant biases and the speciousness of its claim to be a real news organization. The series is called "FOX Attacks."

We've produced videos focused on FOX's racism, its warmongering, its global warming denial, and numerous other issues. Our latest video, which has garnered well over half a million views and counting, focuses on FOX's technique of driving up ratings by featuring explicit sexual content, frequently in stories denouncing the moral depravity of the "liberal media" for broadcasting that very material. The video, as you will see, masquerades as adult entertainment:

http://foxnewsporn.com/

You might wonder, as we did: Are the editors at Digg and YouTube just clueless, and incapable of understanding parody? After all, we weren't posting actual "adult content," just content lifted from FOX News programs that we facetiously labeled X-rated. Right?

Apparently not, according to one such Digg editor, who patiently explained to us that "that submission was Adult content. Yes, it was against our TOS, even though it was broadcast on FOX."

We thought we were doing parody, but apparently we weren't. According to Digg, FOX News IS porn. No irony necessary.

Our question is: Could Digg have banned BNF to cozy up to the News Corp., owner of FOX News, which they're rumored to be courting for a possible acquisition?

http://www.techcrunch.com/2006/10/24/digg-does-the-acquisition-dance-with-news-corp/

Our privileges have now been reinstated at Digg, after we were forced to promise that we wouldn't post FOX News' inappropriate content again. And after a minor rebellion by Digg users, Digg founder Kevin Rose was even forced to post a personal apology for censoring us.

YouTube, however, still has our sample of FOX News' footage behind an adult content firewall.

If you're interested in learning more about this story, please let me know. We'd like people to learn about this ridiculous episode, and I'm happy to help however I can."

Security

Submission + - More Malicious TOR Nodes (f-secure.com)

You Read Browser Certificate Warnings... Right? writes: "Apparently the TOR exit node that recently sniffed embassy passwords wasn't the only bad node. F-Secure tested some 400 TOR nodes and found that at least one German node was performing man-in-the-middle attacks against SSL. While that node is now offline thanks to the German authorities, it does raise the question of how you know whether any given node is trustworthy. They note that there are still other "suspicious" nodes out there, like the one that only forwards for people logging into Google and MySpace."
Wine

Submission + - DirectX 9.0c on Linux with Wine (blogspot.com)

Tom Wickline writes: "I have posted a howto install DirectX 9.0c into Wine and it passes each of the tests that are included in dxdiag.exe. After the install only five dlls need to be set as builtin Wine dlls and the rest can be run as native Windows dlls. It's not 100% DirectX on Linux but it's 95% and that's as close as you're going to get... as the five dlls that have to be set to builtin need direct access to hardware. http://wine-review.blogspot.com/2007/11/directx-90c-on-linux-with-wine.html"
Security

Submission + - 15 million personal records lost 1

bestweasel writes: The BBC reports that a UK Government department has lost discs with details of 15 million benefit recipients, including names, addresses, date of birth and bank accounts. The head of the department involved, HM Revenue & Customs, has resigned and his resignation "was accepted because discs had been transported in breach of rules governing data protection" so someone thinks it's not a trivial matter. The Chancellor will try to evade responsibility in the House of Commons at 3.30 GMT. A similar leak of a mere 15,000 records from the same department happened a month or so ago. At that time, they refused to say "on security grounds" whether the information was encrypted, which I interpreted as "no it wasn't but we're not going to admit to you how lax we are."
Math

Submission + - Open Source Mathematical Software

An anonymous reader writes: The American Mathematical Society has an opinion piece about open source software vs proprietary software used in mathematics. From the article: "Increasingly, proprietary software and the algorithms used are an essential part of mathematical proofs. To quote J. Neubüser, 'with this situation two of the most basic rules of conduct in mathematics are violated: In mathematics information is passed on free of charge and everything is laid open for checking.'"
Portables (Apple)

Submission + - iphone root exploit

capn_nemo writes: "Surprisingly, I haven't seen this on slashdot (yet), but here's a lovely video of Rik Farrow demonstrating how to remotely gain access to his iphone (by clicking on a link to a particular web page). He then demonstrates how to ssh to his phone, start a recording session, then downloads the resulting file and plays it back. Naturally, there are a lot of "yes buts" as to how he does it and how at risk your phone is, but the video is compellingly scary:

gizmodo video

My favorite part about these mobile device exploits is the "even though it looks like it's off" tagline."
Microsoft

Submission + - Zune 2.0 Disassembled (rapidrepair.com)

Mike Arnold writes: "Our company recently got their hands on a new flash based, 8GB Zune MP3 Player. In a fury of interest, we decided to do a step by step disassembly of the unit for the DIY who wants to start thinking of mods, or might just be interested in the technology involved. Given the audience that you are geared toward, we would hope that you would be interested in publishing something about the readily available and free disassembly guide. The guide, along with high quality photos can be located at http://www.rapidrepair.com/guides/zune2/Flash-Zune-8GB-Take-Apart-Guide.htm"
Handhelds

Submission + - Amazon's Kindle. Ebooks For People Without Common (fastsilicon.com)

mrneutron2003 writes: "Amazon, the world's largest online retailer of books, is now entering the E-Book market with its very own branded E-Book Reader, The Kindle. Apart from the fact that the E-Book format has never really gone anywhere, along with the fact that the print business is experiencing a moderate surge in this day of supposed paperless (yeah right) lifestyles, we have to wonder exactly who Amazon expects to pony up for this $399 device. Coming in a roughly 5x7.5 inch form factor with a 6 inch 600x800 display, and sporting a massive (this is blatant sarcasm) 256mb of internal storage, it begs the question who in their right mind would pay the estimated $399 Amazon expects. Rounding out the specs it does possess a standard SD card slot for memory expansion, and it does support Wifi and EVDO data services, though it lacks support for open document formats. A $400 device I can use to read electronic books that usually cost as much as a paperback on sale? With a 6 inch E-Ink screen, and a form factor larger than your average PDA? No support for open document formats? Where do we sign up!!!!! Amazon, drop us an email when your device has a better screen and costs at least a little less than 50 paperbacks. I'd suggest something like an Archos 605 Wi-Fi instead. Their 160GB model (apart from having over 600 times the storage capacity of The Kindle) features a touch screen with nearly the same resolution (800x480..and it's color), support not only for open documents formats and web browsing (at an additional cost) but video and audio as well. We'd rather carry around 159GB of video and audio and a few ebooks too. This is hubris on steroids. http://www.fastsilicon.com/off-the-wall/amazons-kindle.-ebooks-for-people-without-common-sense.html"
Government

Submission + - Feds Confiscate Private Gold & Silver

CranberryKing writes: I am surprised this hasn't been posted already. Here is TV coverage and the original e-mail I received yesterday: Dear Liberty Dollar Supporters: I sincerely regret to inform you that about 8:00 this morning a dozen FBI and Secret Service agents raided the Liberty Dollar office in Evansville. For approximately six hours they took all the gold, all the silver, all the platinum and almost two tons of Ron Paul Dollars that were just delivered last Friday. They also took all the files, all the computers and froze our bank accounts. We have no money. We have no products. We have no records to even know what was ordered or what you are owed. We have nothing but the will to push forward and overcome this massive assault on our liberty and our right to have real money as defined by the US Constitution. We should not be defrauded by the fake government money. But to make matters worse, all the gold and silver that backs up the paper certificates and digital currency held in the vault at Sunshine Mint has also been confiscated. Even the dies for minting the Gold and Silver Libertys have been taken. This in spite of the fact that Edmond C. Moy, the Director of the Mint, acknowledged in a letter to a US Senator that the paper certificates did not violate Section 486 and were not illegal. But the FBI and Services took all the paper currency too. The possibility of such action was the reason the Liberty Dollar was designed so that the vast majority of the money was in specie form and in the people's hands. Of the $20 million Liberty Dollars, only about a million is in paper or digital form. I regret that if you are due an order. It may be some time until it will be filled... if ever... it now all depends on our actions. Everyone who has an unfulfilled order or has digital or paper currency should band together for a class action suit and demand redemption. We cannot allow the government to steal our money! Please don't let this happen!!!
Many of you read the articles quoting the government and Federal Reserve officials that the Liberty Dollar was legal. You did nothing wrong. You are legally entitled to your property. Let us use this terrible act to band together and further our goal — to return America to a value based currency. Please forward this important Alert... so everyone who possesses or uses the Liberty Dollar is aware of the situation. Please click HERE to sign up for the class action lawsuit and get your property back! If the above link does not work you can access the page by copying the following into your web browser. http://www.libertydollar.org/classaction/index.php Thanks again for your support at this darkest time as the damn government and their dollar sinks to a new low. Bernard von NotHaus Monetary Architect
Linux Business

Submission + - Microsoft Claims Patent On Embedded Linux? 1

Preedit writes: This InformationWeek story points out a recent deal between Microsoft and Japanese printer maker Kyocera Mita, under which Kyocera obtained from Microsoft a license to patents used in "certain Linux-based embedded technologies." The question everyone's asking is why Kyocera needs a patent license from Microsoft to develop its embedded Linux products.
Microsoft

Submission + - Microsoft PRNG encryption CRACKED! (computerworld.com)

Martin Shin writes: "November 15, 2007 (Computerworld) Israeli researchers who have reverse-engineered a critical component of Windows' encryption technology say attackers could exploit flaws to decipher secured information. Microsoft Corp. has downplayed the threat.

In a paper published earlier this month, Benny Pinkas from the University of Haifa and two Hebrew University graduate students, Zvi Gutterman and Leo Dorrendorf, described how they recreated the algorithm used by Windows 2000's pseudo-random number generator (PRNG). They also spelled out vulnerabilities in the CryptGenRandom function, which calls on the algorithm.

Windows and its applications use the PRNG to create random encryption keys, which are in turn used to encrypt files and e-mail messages, and by the Secure Socket Layer protocol. SSL secures virtually every important Internet data transmission, including information from consumers to online retailers, and from bank customers to their online accounts.

By cracking the PRNG's algorithm, Pinkas and his team were able to predict its future results and uncover what it had come up with in the past, which then let them compute both previous and future encryption keys. They also discovered multiple design flaws in the algorithm that they said could give hackers the keys to the kingdom.

One of the flaws let Pinkas calculate the keys that had already been used on a Windows 2000 machine. In effect, given even remote access to the machine, a hacker could uncover encryption keys that had been generated, and thus the passwords — or other information — which had been used, even if they weren't saved elsewhere on the system. "If you know the 'state' of the PRNG, it should be hard to predict its previous state," said Pinkas yesterday. "It should be like a one-way street. Going backward [in time] should be impossible. But we found a way to very efficiently predict previous states of the PRNG."

That's a major bug, and one that should not have been overlooked, Pinkas added. "It's very well known how to construct a one-way generator. The fact that the PRNG used by Windows 2000 does not provide [this] demonstrates that the design is flawed."

Another problem with Windows' PRNG, added Pinkas, is that a single peek at the current state of its calculations can expose a huge amount of information. Unlike other operating systems such as Linux, Windows only refreshes its "randomness" after the PRNG has produced 128K of output. And since a typical SSL connection between, say, Internet Explorer and a bank consumes just 100-200 bytes of output, it's possible to predict 600-1,200 different SSL connections.

"Once we get the state of the PRNG, we can simulate its future state until the generator is refreshed with new random data," said Pinkas. "But that represents several hundred SSL connections."

Pinkas acknowledged that an attacker must have access to the target PC to get a glimpse of the PRNG's current state — the prerequisite to calculating either future or past encryption keys — but in today's security landscape, that's no barrier. "People are finding new ways to get administrative privileges all the time," he argued. By combining a relatively run-of-the-mill attack — one that results in full access to the machine, such as the just-patched vulnerability in Windows' URI protocol handler — with an exploit of the PRNG's design flaws, hackers could decrypt files or reveal secure traffic between the PC and the outside world, Pinkas said. "It should be pretty easy to do our attacks."

That's not a vulnerability, that's a feature

Microsoft downplayed the problem. "We found that there is no security vulnerability," the company said in a statement attributed to Bill Sisk, Microsoft's security response communications manager. "Information is not disclosed inappropriately to unauthorized users on any supported Windows systems. In all cases discussed in the claim, information is visible only to the users themselves or to another user logged onto the local system with administrator credentials."

Sisk then went on to justify Microsoft's position that the flaws did not qualify as security vulnerabilities. "Because administrators by design can access all files and resources on a system, this does not represent inappropriate disclosure of information."

"We got basically the same [response] when we reported our findings in May," said Pinkas, who believes that the risk is greater than Microsoft wants users to believe. An attacker does not need physical access to the PC to carry out an attack that leverages the PRNG's flaws, for example. "Once you have a way to do remote code execution, you can grab the state of the generator," he said. "Any hacker who knows the OS, could grab the state, and as I said, it's not difficult to get administrative privileges on a PC."

A Symantec Corp. researcher took a middle position. In a research note made available to customers of Symantec's DeepSight threat network, analyst Erik Kamerling called the level of difficulty of such an attack "relatively high" even as he said that Pinkas' discovery was "an extremely sought-after tool in cryptanalysis."

"An attacker must first gain some type of privileged access to an affected machine," said Kamerling. "Then the attacker would have to run a custom application or script that reads internal RNG variables. The attacker would also need to compute pending and past state information, and finally correlate and apply this forward and backward state reconstruction with the communications emanating from the target machine. It's a complicated scenario to say the least."

But Kamerling also hedged his bets. "Any development of an automated tool or program that would accomplish the techniques in the paper would increase the severity of this discovery," he admitted.

Microsoft came close to promising that it would fix the random number generator. "We are evaluating changes to further strengthen our random number generation capabilities," Sisk said. In an earlier statement, the company had said it might include an update in a future Windows service pack.

The paper co-authored by Pinkas, Gutterman and Dorrendorf can be downloaded from the Cryptology ePrint Archive in PDF format."

Windows

Submission + - SPAM: Microsoft wins patent suit over XP boot-up tech 1

alphadogg writes: Microsoft defeated a major patent licensing firm in a lawsuit over technology that helps computers boot up faster Thursday. The suit asked the court to award the patent holder $2.50 per copy of Windows XP sold in the U.S. By Microsoft's account, that could have amounted to $600 million to $900 million. Microsoft argued that there are many ways to improve the boot speed of PCs and that XP uses different technology than that in the patent.
Microsoft

Submission + - The Vista Death Watch (pcmag.com)

Corporate Troll writes: John C. Dvorak muses over the current state of Vista and he isn't very optimistic. Still, his biggest gripe seems to be price and not the other problems that Vista has.

Microsoft has extended the life of Windows XP because Vista has simply not shown any life in the market. We have to begin to ask ourselves if we are really looking at Windows Me/2007, destined to be a disdained flop. By all estimates the number of Vista installations hovers around the number of Macs in use.

How did this happen? And what's going to happen next? Does Microsoft have a Plan B? A number of possibilities come to mind, and these things must be considered by the company itself.
