Slashdot

New calculations suggest that black holes are not a one-way street. Anything that falls into them will eventually come out. The findings lend important support to quantum gravity, but fly in the face of Einsteinian relativity. Let the quantum physics infighting begin.
http://sciencenow.sciencemag.org/cgi/content/full/2008/515/2

The Associated Press is reporting an indictment has been handed down in the sad case of Megan Meier, who committed suicide after receiving upsetting MySpace messages from someone the girl perceived to be her boyfriend. It was later determined the boy, Josh Evans, was a fictitious identity created by a neighbor of Meier's family. Lori Drew, of a St. Louis suburb, has been charged with one count of conspiracy and three counts of accessing protected computers without authorization to get information used to inflict emotional distress on the girl. Interestingly, despite the alleged crime having occurred strictly in Missouri, the case was investigated by the FBI's St. Louis and Los Angeles field offices, and the trial will be held in Los Angeles, home of MySpace's servers.
http://www.breitbart.com/article.php?id=D90MA9IG0&show_article=1

Stony Stevenson writes "Security experts have warned that new developments in malware are allowing criminals to stay one step ahead of security software. Marc Henauer, head of the cyber-crime division at the Swiss Justice and Police Department, said in an interview last week that viruses and other malware now have the capability to change their signature every few hours. This means that the attackers are often one step ahead of protection software. Geoff Sweeney, chief technology officer at Tier-3, a behavioural analysis IT security firm, echoed the remarks. "It automatically adapts to the anti-spam and anti-malware engines that it encounters," he said."

free2create writes "Daily
Weekly
Monthly
Once in a Blue Moon
Never
Once in a Cowboy Neil"

The Aethereal writes "The massive 7.9-magnitude earthquake that killed thousands in China this week revealed a breach in the communist nation's outbound flow of online information.

Chinese bystanders were able to send images and videos quickly to the rest of the world in the hours following Monday's quake, exposing holes in the "great firewall of China," media and technology experts say.

"They [the Chinese government] have strong controls over information that comes into the country, but they've never thought of and, until this moment, they've never needed censorship of outbound data," said Clay Shirky, a faculty member at the interactive telecommunications department at New York University."
http://www.foxnews.com/story/0,2933,355615,00.html

Rob T Firefly writes "As a social experiment, attendees to The Last HOPE hacker conference will be issued with RFID badges, which will track their movements throughout the event.

As discussed by HOPE staff on last night's episode of Off The Hook, the badges will serve as the entry point to a series of multilayered games which will run throughout the conference. Players will be able to connect with participants with similar interests, find and exploit vulnerabilities in the tracking system, negotiate with an artificial intelligence for clues via SMS, and more, all while deciding how much of their own privacy to protect and/or violate in pursuit of their goals. The results will be publicly displayed in real time throughout the conference.

The RFID badges and participation in the game will be limited to the first 1500 preregistrants. The Last HOPE will take place July 18-20 in New York City."
http://www.thelasthope.org/news_hackers-to-track-visitors-at-the-last-hope.php

Christopher Blanc writes "The other reason that the cover pictures are significant is that since my original goal in writing the programs was to impress my girlfriend, the cover pictures are therefore part of the output of the most successful Perl programs I've ever written. I wish all my programs achieved their design goals so spectacularly.

http://hop.perl.plover.com/cover.html"
http://hop.perl.plover.com/cover.html

The judge in Capitol Records v. Thomas said today he's thinking about granting a new trial because he may have committed a "manifest error of law" in his jury instructions. He says that his instruction that simply uploading music to a P2P network without any proof that anyone actually downloaded it may conflict with a case in the Eighth Circuit Court of Appeals that said "infringement of [the distribution right] requires an actual dissemination''. Briefs are due by May 29, with oral argument July 1. The judge invited friend of the court briefs by May 29, as well.
http://www.startribune.com/entertainment/music/18971729.html?location_refer=Homepage

In a letter distributed this morning to the press and addressed to Yahoo's board Chairman Roy Bostock, Carl Icahn charges the board with acting irrationally and losing the faith of shareholders and Microsoft and announces he is nominating 10 candidates to replace all incumbent directors at the company's shareholders meeting in July. The move, rumored since earlier this week, is intended to ultimately reignite merger negotiations between Yahoo and Microsoft.

'It is quite obvious that Microsoft's bid of $33 per share is a superior alternative to Yahoo's prospects on a standalone basis. I am perplexed by the board's actions. It is irresponsible to hide behind management's more than overly optimistic financial forecasts,' Icahn wrote.

http://www.itworld.com/Tech/2428/icahn-takes-on-yahoo-board-080515/index.html

sfsp writes "How did we miss this? On March 18, the Department of Homeland Security instituted their "Home Network Awareness Program", in which we are requested to collect TCP traffic using TCPDUMP from our neighbor's wi-fi networks and send it to the DHS! http://dhsnnw.org/newsarticles/mar18_2008.html"
http://dhsnnw.org/newsarticles/mar18_2008.html

sean_nestor writes "As part of a social experiment, attendees at a hacker conference in July will be issued badges with electronic tracking devices. Large displays will show in real-time where people go, with whom they associate, for how long and how often. The tracking technology, known as RFID, is fast becoming an unseen part of everyday life. This July, for the very first time, the general public will be able to participate in the transparent operation of a major RFID tracking program.

Conference attendees will participate in games built around the tracking system. Players will seek ways to protect their privacy, find vulnerabilities in the tracking system, employ data mining techniques to learn more about other participants, and choose how much personal information they will disclose in order to play."
http://www.2600.com/news/view/article/10264

The Tunguska event in which an asteroid air detonated over Siberia is approaching its 100th anniversary, which will be on June 30th. A lower re-estimation of the blast force (the devastation being more from the shock wave of the air blast than the explosion itself) suggests that asteroid events capable of this level of destruction may be more common than thought, possibly occurring every few centuries. Reflecting on these 'little guys' as the anniversary approaches, also causes one to consider their rarer, but more destructive, larger cousins. Should it not be a priority to establish a self-sustaining breeding population of humans on Mars as insurance against something really nasty happening here on earth?

Collision Course Earth

SecureThroughObscure writes "Security blogger and researcher Nate McFeters, of ZDNet and Ernst & Young's Advanced Security Center, blogged about an 0-day exploit released by noted security researcher Aviv Raff today. The flaw is a cross-zone scripting flaw, that takes advantage of the fact that printing HTML web pages occurs in the Local Machine Zone in IE rather than in the Internet Zone.

McFeters states on his blog that cross-zone scripting issues are very serious and that they will be a portion of the presentation that he, Rob Carter (also of Ernst & Young's Advanced Security Center, John Heasman (Director of Research at NGSSoftware), and Billy Rios (from Microsoft) will be giving at Black Hat Vegas this year. McFeters says:

"One of the most concerning things about cross-site scripting is when you can execute your script in a higher privileged zone, as Aviv has here. In some cases, you can actually run arbitrary commands on the operating system, read/write files, and definitely make all the cross-domain requests (with cookies) that you'd like. I'll save this for a different blog posting, because that was always the plan, but if you are interested in seeing more on this, Rob Carter has been hitting this really hard over at his blog."

As McFeters stated, Carter has done a lot of research into this area, pointing out very serious flaws in the web management consoles of Azureus and uTorrent, as well as in the Eclipse platform, which is used to build several other tools.

Aviv Raff's blog also summarizes the technical details of this cross-zone flaw:

Summary

Internet Explorer is prone to a Cross-Zone Scripting vulnerability in its "Print Table of Links" feature. This feature allows users to add to a printed web page an appendix which contains a table of all the links in that webpage.

An attacker can easily add a specially crafted link to a webpage (e.g. at his own website, comments in blogs, social networks, Wikipedia, etc.), so whenever a user will print this webpage with this feature enabled, the attacker will be able to run arbitrary code on the user's machine (i.e. in order to take control over the machine).

Technical details

Whenever a user prints a page, Internet Explorer uses a local resource script which generates an new HTML to be printed. This HTML consists of the following elements: Header, webpage body, Footer, and if enabled, also the table of links in the webpage.

While the script takes only the text within the link's inner data, it does not validate the URL of links, and add it to the HTML as it is. This allows to inject a script that will be executed when the new HTML will be generated.

As I said in a previous post, most of the local resources in Internet Explorer are now running in Internet Zone. Unfortunately, the printing local resource script is running in Local Machine Zone, which means that any injected script can execute arbitrary code on the user's machine.

These are a very interesting class of bug, pretty scary stuff, especially since they appear to work in IE 8 as well.

SecureThroughObscure"
http://blogs.zdnet.com/security/?p=1101

For any SlashDotters who want a piece of frameable Einstein memorabilia, a letter from A.E. to Eric Gutkind goes on sale at Bloomsbury Auctions today (May 15th). The content of the letter mostly deals with Einstein's views on religion (Einstein pronounces himself rather unimpressed by the whole idea and rejects it as "childish"). The Guardian has printed a news article about the sale along with a translated excerpt from the letter.