Google

Submission + - Google purges thousands of suspected malware sites (itnews.com.au) 1

Stony Stevenson writes: "In response to a concerted effort by cyber criminals to infect the computers of Google users with malware and make them unwitting partners in crime, Google has apparently purged tens of thousands of malicious Web pages from its index. Alex Eckelberry, CEO of Sunbelt Software, noted that many search results on Google led to malicious Web pages that expose visitors to exploits that can compromise vulnerable systems. Sunbelt published a list of search terms that returned malicious pages, the result of search engine optimization (SEO) campaigns by cyber criminals to get their pages prominently ranked in Google — Sunbelt refers to this as "SEO poisoning."

Let's hope Google has done its research and hasn't purged legitimate sites."

Space

Submission + - Mission to Mars: Possible or Impossible?

BlueMerle writes: Mission to Mars: I've been watching Mars Rising on SciCh and find myself asking, is it possible? And in almost every case my answer is No! Not under current conditions, with existing, think proven, technology.

Gravity: Without some sort of artificial gravity the crew would most likely not be able to stand when they reached Mars. And to the best of my knowledge there are no actual plans for building any type of spacecraft that has the ability to generate artificial gravity. There are many ideas, and CGI renderings of possibilities, but no actual blueprints or technical drawings, and there is certainly nothing that exists to prove the concept.

My best guess, 25 — 30 years of testing and billions of dollars until a viable solution.

Shielding: Without adequate shielding from intense radiation the crew may not survive the trip. This is perhaps the easiest problem to solve. There are currently several research projects working on this issue, and some have shown real progress without having to build a 3 foot thick lead room.

My best guess, 2 — 10 years with relatively minimal funding.. tens of millions.

Human Factor: Is it really possible to put 6 or 8 people in a spacecraft the size of a small apartment and lock them in for up to 2.5 years (round trip, including time on Mars)? This in my opinion is the biggest single obstacle to be overcome. Oh and BTW, personal hygiene consists of a small towelette with 2 or 3 drops of water. And you may not get even that on a daily basis! The nastiest bathroom in the nastiest gas station would seem like the essence of floral nirvana compared to the smell inside the spacecraft after just a few weeks.

Not to mention sexual tension, personality conflict, stress, boredom etc.. etc..

I don't see this one being overcome until a spacecraft is built that offers enough room to allow some sense of personal space, or some sort of suspended animation system is developed, and frankly neither one is in the cards anytime soon.

My best guess, > 100 years and zillions and zillions of dollars in R&D, Process Development, and testing of a very large and expensive spacecraft. ( Developing a transporter... Priceless!)

It's not that I don't look forward to mankind going into space, it's just that I don't think it's possible for anything other than short duration, low earth orbit jaunts. And even if I'm way off on this, could we send a manned mission to orbit Saturn? No we couldn't so what does it really matter. Until we can solve some very basic "Human" issues, or are willing to spend obscene amounts of money on spacecraft we are doomed to stay put.

I'd be interested to hear what others here at /. think.
It's funny.  Laugh.

Submission + - What Geeky Things Must Be Done? 2

John writes: A few weeks ago, my friends were discussing "The Princess Bride", and most of the references went completely over my head — I've not seen it all the way through, nor read the book. Naturally, revealing this fact made these people look at me as if I'd just moved into town from under some rock. This led into a discussion of the things that most general geeks should be expected to know; for example, reciting the inscription on the One Ring, or (apparently) quoting "Princess Bride" on-demand. The suggestions we came up with ranged from personal things, like having one's movie/game library in an online database, to big, world-scoped things like contributing to an open-source project of your choosing. I'm curious to know what the general consensus is on the most obvious or biggest geek/nerd things that should be seen, done, or read/watched/heard.
Security

Submission + - Documenting Firewall Rulesets ?

An anonymous reader writes: I have a substantial amount of experience on "both sides of the firewall" and to date have used my knowledge and experience as wisely as possible. For much of the past decade I have been the primary administrator of an enterprise class firewall for a fairly large entity, having designed and built the current infrastructure from the initial installs. The firewall ruleset has grown quite large with our ever increasing dependence on internet connectivity and now supports several dozen DMZ resident systems as well as hundreds of site to site VPNs. We use an industry leader, enterprise class firewall, which allows central management of multiple enforcement points and does a nice job of self-documentation within the management console. I am now being asked by upper management to extract the detailed ruleset configuration from the safety of the management console and publish this information to an "internal document" which will be available to corporate resources other than the small team charged with firewall administration. It was offered that we can document the process of obtaining this information through the firewall management interface, but this was rejected and upper management is insisting that we publish every detail of the firewall ruleset to a shared directory on our network. Am I the only one that thinks this is a horrible idea and a potentially serious security issue? Can anyone provide any "best practices" documentation to support either side of the issue? I'm having real concerns with simply handing over the security information that I've spent many years protecting to those who may not understand the potential problems in publishing this data.
Portables

Submission + - Review: Sony's flash-based notebook (computerworld.com)

Lucas123 writes: "Computerworld's Rich Ericson reviewed Sony's first all flash-based laptop, which carries a whopping $3,200 price tag. Ericson says the laptop runs incredibly fast, with an average data transfer rate of 33.6MB/sec and great battery life. But, the laptop is also limited to certain uses. While lending itself to travel, the small capacity of its hard drive doesn't make it a real competitor for a main PC workhorse. "While there's a lot to like [about the VAIO TZ191N notebook], there's only very limited uses for which I'd recommend this system. The best features — its size and the flash drive — are also its biggest limitations.""
Microsoft

Submission + - CNet rates Vista one of "history's worst produ (cnet.co.uk)

DrNick writes: It could be one of the most controversial decisions in recent times online, but CNet UK has rated Windows Vista as one of the worst tech products in history.

From the article: "Its incompatibility with hardware, its obsessive requirement of human interaction to clear security dialogue box warnings and its abusive use of hated DRM, not to mention its general pointlessness as an upgrade, are just some examples of why this expensive operating system earns the final place in our terrible tech list."

Businesses

Submission + - Print-On Solar Panels: Innovation of the Year (nanosolar.com)

nweaver writes: "Popular Science Magazine has announced its Innovation of the year, which is Nano Solar's Print on Solar Cells. Unlike conventional solar cells, these are printed onto sheets of flexible aluminum, with the company claiming a cost of $.30/W for solar cells. Nano Solar's Factory for producing mile long rolls of solar cells is almost online. The potential is staggering. Even assuming that the completed cells, in a household system, cost $2000/kW to produce, this will easily undercut electricity as even at just $.10/kwh and producing for just 8 hours per day and 300 days in a year, a solar installation with such cells would have a 12%/year return on investment. We may be only a few years away from the Solar Age."
Software

Submission + - Tor: The hack of the year (theage.com.au)

mlauzon writes: "A Swedish hacker tells how he infiltrated a global communications network used by scores of embassies over the world, using tools freely available on the internet.

In August, Swedish hacker Dan Egerstad gained access to sensitive embassy, NGO and corporate email accounts. Were they captured from the clutches of hackers? Or were they being used by spies? Patrick Gray investigates the most sensational hack of 2007.


IT WASN'T supposed to be this easy. Swedish hacker Dan Egerstad had infiltrated a global communications network carrying the often-sensitive emails of scores of embassies scattered throughout the world. It had taken him just minutes, using tools freely available for download on the internet.

In time, Egerstad gained access to 1000 high-value email accounts. He would later post 100 sets of sensitive email logins and passwords on the internet for criminals, spies or just curious teenagers to use to snoop on inter-governmental, NGO and high-value corporate email.

The question on everybody's lips was: how did he do it? The answer came more than a week later and was somewhat anti-climactic. The 22-year-old Swedish security consultant had merely installed free, open-source software — called Tor — on five computers in data centres around the globe and monitored it. Ironically, Tor is designed to prevent intelligence agencies, corporations and computer hackers from determining the virtual — and physical — location of the people who use it.

"Tor is like having caller ID blocking for your internet address," says Shava Nerad, development director with the Tor Project. "All it does is hide where you're communicating from."

Tor was developed by the US Navy to allow personnel to conceal their locations from websites and online services they would access while overseas. By downloading the simple software, personnel could hide the internet protocol address of their computers — the tell-tale number that allows website operators or intelligence services to determine a user's location.

Eventually the navy realised it must take Tor beyond the armed forces. "The problem is, if you make Tor a tool that's only used by the military . . . by using Tor you're advertising that you're military," Nerad says.

So Tor was cast into the public domain. It is now maintained and distributed by a registered charity as an open-source tool that anyone can freely download and install. Hundreds of thousands of internet users have installed Tor, according to the project's website.

Mostly it is workers who want to browse pornographic websites anonymously. "If you analyse the traffic, it's just porn," Egerstad told Next by phone from Sweden. "It's kind of sad."

However, Dmitri Vitaliev, a Russian-born, Australian-educated computer security professional who lives in Canada, says Tor is a vital tool in the fight for democracy. Vitaliev trains human-rights campaigners on how to stay safe when online in oppressive regimes. "It's incredibly important," he said in a Skype chat from the unrecognised state of Transnistria, a breakaway region in Moldova where he's assisting a local group working to stop the trafficking of women. "Anonymity is a high advantage in countries that perform targeted surveillance on activists."

It's also used to bypass website censorship in more than 20 countries that censor political and human rights sites, he says.

Tor works by connecting its users' internet requests, randomly, to volunteer-run Tor network nodes. Anyone can run a Tor node, which relays the user's traffic through other nodes as encrypted data that can't be intercepted.

When the user's data reaches the edge of the Tor network, after bouncing through several nodes, it pops out the other side as unencrypted, readable data. Egerstad was able to get his mitts on sensitive information by running an exit node and monitoring the traffic that passed through it.

The problem, says Vitaliev, is some Tor users assume their data is protected from end to end. "As in pretty much any other internet technology, its vulnerabilities are not well understood by those who use it (and) need it most," he says.

The discovery that sensitive, government emails were passing through Tor exit nodes as unencrypted, readable data was only mildly surprising to Egerstad. It made sense — because Tor documentation mentions "encryption", many users assume they're safe from all snooping, he says.

"People think they're protected just because they use Tor. Not only do they think it's encrypted, but they also think 'no one can find me'," Egerstad says. "But if you've configured your computer wrong, which probably more than 50 per cent of the people using Tor have, you can still find the person (on) the other side."

Initially it seemed that government, embassy, NGO and corporate staffers were using Tor but had misconfigured their systems, allowing Egerstad to sniff sensitive information off the wire. After Egerstad posted the passwords, blame for the embarrassing breach was initially placed on the owners of the passwords he had intercepted.

However, Egerstad now believes the victims of his experiment may not have been using Tor. It's quite possible he stumbled on an underground intelligence gathering exercise, carried out by parties unknown.

"The whole point of the story that has been forgotten, and I haven't said much about it, (is that) many of these accounts had been compromised," he says. "The logins I caught were not legit users but actual hackers who'd been reading these accounts."

In other words, the people using Tor to access embassy email accounts may not have been embassy staff at all. Egerstad says they were computer hackers using Tor to hide their origins from their victims.

The cloaking nature of Tor is appealing in the extreme to computer hackers of all persuasions — criminal, recreational and government sponsored.

If it weren't for the "last-hop" exit node issue Egerstad exposed in such a spectacular way, parties unknown would still be rifling the inboxes of embassies belonging to dozens of countries. Diplomatic memos, sensitive emails and the itineraries of government staffers were all up for grabs.

After a couple of months sniffing and capturing information, Egerstad was faced with a moral dilemma: what to do with all the intercepted passwords and emails.

If he turned his findings over to the Swedish authorities, his experiment might be used by his country's intelligence services to continue monitoring the compromised accounts. That was a little too close to espionage for his liking.

So Egerstad set about notifying the affected governments. He approached a few, but the only one to respond was Iran. "They wanted to know everything I knew," he says. "That's the only response I got, except a couple of calls from the Swedish security police, but that was pretty much all the response I got from any authority."

Frustrated by the lack of a response, Egerstad's next step caused high anxiety for government staffers — and perhaps intelligence services — across the globe. He posted 100 email log-ins and passwords on his blog, DEranged Security. "I just ended up (saying) 'Screw it, I'm just going to put it online and see what happens'."

The news hit the internet like a tonne of bricks, despite some initial scepticism. The email logins were quickly and officially acknowledged by some countries as genuine, while others were independently verified.

US-based security consultant — and Tor user — Sam Stover says he has mixed feelings about Egerstad's actions. "People all of a sudden (said) 'maybe Tor isn't the silver bullet that we thought it was'," Stover says. "However, I'm not sure I condone the mechanism by which that sort of information had to be exposed in order to do that."

Stover admits that he, too, once set up a Tor exit node. "It's pretty easy . . . I set it up once real quick just to make sure that I could see other people's traffic and, sure enough, you can," he says. "(But) I'm not interested in that sort of intelligence gathering."

While there's no direct evidence, it's possible Egerstad's actions shut down an active intelligence-gathering exercise. Wired.com journalist Kim Zetter blogged the claims of an Indian Express reporter that he was able to access the email account for the Indian ambassador in China and download a transcript of a meeting between the Chinese foreign minister and an Indian official. In addition to hackers using Tor to hide their origins, it's plausible that intelligence services had set up rogue exit nodes to sniff data from the Tor network.

"Domestic, or international . . . if you want to do intelligence gathering, there's definitely data to be had there," says Stover. "(When using Tor) you have no idea if some guy in China is watching all your traffic, or some guy in Germany, or a guy in Illinois. You don't know."

Egerstad is circumspect about the possible subversion of Tor by intelligence agencies. "If you actually look in to where these Tor nodes are hosted and how big they are, some of these nodes cost thousands of dollars each month just to host because they're using lots of bandwidth, they're heavy-duty servers and so on," Egerstad says. "Who would pay for this and be anonymous?"

While Stover regards Tor as a useful tool, he says its value is greatly overestimated by those who promote and use it. "I would not use or recommend the tool to hide from people between you and your endpoint. It's really purely a tool to hide from the endpoint," he says.

As a trained security professional, Stover has the nous to understand its limitations, he says. Most people don't.

The lesson remains but the data Egerstad captured is gone, the Swedish hacker insists. He's now focusing on his career as a freelance security consultant. "I deleted everything I had because the information I had was belonging to so many countries that no single person should have this information so I actually deleted it and the hard drives are long gone," he says."

Security

New Startup Hopes to Slay the Botnet

eldavojohn writes "How do you identify Botnet traffic on your network? Well, the problem with current commercial technologies is that they generate too many false positives. But a new startup named Nemean Networks hopes to solve all that by building signatures of traffic at many different levels of the network stack. 'Finding the proper sensitivity threshold for NIDS sensors has always been a problem for network and security administrators. Lower the threshold and some attacks get through the signature screening; raise it too high and false positives flourish. Nemean attempts to find the proper balance by gathering traffic sent to a honeynet to build signatures based on weighted data. The numerical weights are entirely subjective and based on the creators' expertise. The data is then clustered and fed through an algorithm to determine threat levels and develop signatures.'"
Space

Submission + - Black holes may harbour their own universes

mcgrew writes: From the "head explodes" department:

When matter gets swallowed by a black hole, it could fall into another universe contained inside the black hole, or get trapped inside a wormhole-like connection to a second black hole, a new study suggests.
Christian Böhmer of University College London, in the UK and colleague Kevin Vandersloot of the University of Portsmouth in the UK used computers to approximate what would happen to matter falling into a black hole using the Loop Quantum Gravity theory.

"We were very surprised about the results," Böhmer says. Instead of a boundary around the singularity, they got two other kinds of solutions — both bizarre — that replaced the singularity.
More at New Scientist.
OS X

Submission + - Mac OS X gets a trojan

An anonymous reader writes: MacWorld is reporting that there's a trojan making the rounds for OS X. It's a pretty simple and largely harmless affair that, once onboard, directs users to phishing and porn sites, rather than the sites they intended (it installs a fake DNS on the computer). MacOSXHints provides a method of removing the trojan. This couldn't have come at a worse time for Apple, following revelations of a poor firewall implementation in Leopard that could help avoid things just like this.
The Courts

Submission + - Ohio University finds key to getting RIAA to stop 7

NewYorkCountryLawyer writes: "Ohio University, in Athens, Ohio, has found the key to getting the RIAA to stop inundating it and its students with "settlement" letters. According to the university's student online publication, the university paid $60,000, plus $16,000 per year "maintenance", to Audible Magic, the business partner of the RIAA's all-purpose expert witness Dr. Doug Jacobson, for its "CopySense" filtering software. Once it made the payments, the letters stopped. This of course raises a lot of questions as to the 'disinterestedness' of Dr. Jacobson, whose deposition in the UMG v. Lindor case was the subject of interesting Slashdot commentary."
Software

Submission + - Video Professor sues critics! Wait There's More! (arstechnica.com)

BlueMerle writes: I'm so sure you'll like my product that I'll sue if you don't!

John Scherer, the "Video Professor" of infomercial fame, really wants to make his customers happy. That's why he's suing them. Now, it looks like he may get sued in return.

OS X

Submission + - In Depth: Apple's Leopard leaps to new heights (computerworld.com)

jcatcw writes: Computerworld begins its Week of Leopard, and first in-depth review and image gallery, with a question: Is it worth the wait? Answers include Yes: it trumps Vista, of course; the Finder, Quick Look and Cover Flow provide better functionality and eye candy; Time Machine is the biggest undelete ever and the restore function is one of the coolest things we've ever seen; it has iChat (bonus pic of CW Editor); and has lots of updates under the hood. Or the answer might be no if you're lacking in the hardware, software or guts departments. And finally, if you live in a cave, here's an FAQ.
