martyb (196687)

  Researchers warn of IE6 zero-day bug 2008-06-30 20:45 Anonymous Coward

Submitted by Anonymous Coward on Monday June 30, @08:45PM
An anonymous reader writes "Security researchers are warning users about an unpatched cross-site scripting bug in Internet Explorer 6 (IE6) that could be used by hackers to capture keystrokes and steal other information. The vulnerability appears to be a variation of a vulnerability first discussed by researchers Manuel Caballero and Fukami at Microsoft's on-site BlueHat security conference early last month, Yichong Lin, an analyst at McAfee, said in an entry to the company's blog. At BlueHat, Caballero, who has worked for Microsoft as an independent penetration tester, said he had found a way to capture every browser action, including keystrokes used to type passwords. In a videotaped interview that Microsoft conducted during BlueHat, Caballero said that the combination of Flash and any browser, not just IE, could be hacked with a malicious script to give attackers full access to the browser."
Tags: submission, security

  Olympics online to be Vista only 2008-06-30 20:25

Journal by symbolset on Monday June 30, @08:25PM
Tags: journal

  Two-way file server replication 2008-06-30 16:24

Journal by cbreaker on Monday June 30, @04:24PM

I have been looking for decent two-way file replication software either for Windows or Linux for a long time. Until Windows 2003 R2's DFS Replication, I couldn't find a single viable product/application to do it. While Windows 2003 R2's DFS Replication works very well (surprisingly well) I would like to have a non-Microsoft option that doesn't require so many prerequisites (Active Directory, etc) and is a little more lightweight. Something that runs on Linux would be ideal.

If anyone has any suggestions, please, share!

Tags: journal, networking
by Cheeze on Saturday June 28, @04:03PM (#23980213)
Attached to: Feds Say They're Ready For Monday's IPv6 Deadline

You go through several NAT devices because that is what your government wants. With IPV6, you would go through the same networks, you would just have a longer NAT ip address.

IPV6 will not make the routing table that IPV4 enforces go away, it will just give it the ability to have QOS and a few other features. If your government wants to limit your access, they will still have that ability.

Tags: comment
by jcupitt65 on Thursday June 26, @02:03PM (#23947477)
Attached to: Bill Gates Chews Out Microsoft

This was entered as evidence in the DoJ trial. It's real and on the books.

Here's a PDF of the original, together with the replies, as submitted to the trial.

http://blog.seattlepi.nwsource.com/microsoft/library/2003Jangatesmoviemaker.pdf

Tags: comment

  DOJ to oversee Windows 7 Development 2008-06-22 22:34 MrKaos

Submitted by MrKaos on Sunday June 22, @10:34PM
Windows 7 already is being reviewed by U.S. government technical appointees. Under the terms of Microsoft's November 2001 Justice Department settlement and final court judgment issued about a year later, a government-sanctioned "Technical Committee" has overseen Windows development. The TC is responsible for ensuring that Microsoft complies with the terms of the final judgment, investigating complaints about Microsoft abuses and regularly reporting on the company's compliance.
http://www.microsoft-watch.com/content/operating_systems/doj_has_windows_7_why_not_you.html?kc=MWRSS02129TX1K0000535
Tags: news, microsoft

  Sun: Java will be free this year 2008-06-22 21:51 Ian Whyde

Submitted by Anonymous Coward on Sunday June 22, @09:51PM
The struggle to open up Java completely is finally coming to an end.

Simon Phipps, the chief open source officer at Sun Microsystems, said: "There were a couple of holdouts there. One was the area to do with raster graphics and 2D graphics. That turned out to be owned by a company that didn't want us to release that code as open source. We negotiated with them and because they've said 'yes, you can open source the code'..."

"The only element that's left now is actually a sound-related component within Java. We finally decided that the vendor that's involved there just isn't going to play ball and we're rewriting the code from scratch. That's going to be done within the next couple of months."

Phipps says Java is expected to be completely free within the coming few months.
Tags: java
Submitted by ruphus13 on Sunday June 22, @09:20PM
Ruby continues to be in the spotlight, but this time for the wrong reasons. "A member of Apple's security team has discovered multiple serious security vulnerabilities in Ruby, the popular open-source scripting language. According to an advisory on the Ruby project site, Apple's Drew Yao reported at least six of the vulnerabilities, which can be exploited to cause a denial-of-service condition or the execution of arbitrary code." The article goes on to state, "These vulnerabilities are likely to crop up in just about any average ruby web application. And by "crop up" I mean "crop up exploitable from trivial user-specified parameters". It's not hard to begin imagining cases where Ruby/Rails programmers use code similar to the samples above to routinely handle user input."
http://blogs.zdnet.com/security/?p=1312
Tags: tech, security

  When Is a Self-Signed SSL Certificate Acceptable? 2008-06-22 20:07 UltraLoser

Submitted by LordGilman on Sunday June 22, @08:07PM
When is it acceptable to encourage users to accept a self-signed SSL cert? Recently the staff of a certain website turned on optional SSL with a self-signed and domain mismatched certificate for its users and encourages them to add an exception for this certificate. Their defense of this certificate is that it is just as secure as one signed by a commercial CA and because their site exists for the distribution of copyrighted material the staff do not want to have their personal information in the hands of a CA. In their situation is it acceptable to encourage users to trust this certificate or is this giving users a false sense of security?
Tags: askslashdot, encryption

  Glass's dual personality explained at last! 2008-06-22 19:27 HanoverFist

Submitted by HanoverFist on Sunday June 22, @07:27PM
HanoverFist writes "Although glass feels like a solid, its molecules cannot quite settle into a regular 3D lattice and, given enough time, it flows like a liquid. Quite why glass behaves like this has been unclear. Now, however, researchers say they have found out how it gets its unusual properties. The study could pave the way to developing new materials that combine the best properties of metals and glasses."
Tags: submission, science, quickies

  NetBSD moves to a 2 Clause BSD License 2008-06-22 17:57 jschauma

Submitted by jschauma on Sunday June 22, @05:57PM
Alistair Crooks, president of the NetBSD Foundation, announced recently that it "has changed its recommended license to be a 2 clause BSD license." This makes NetBSD even more easily available to a number of organizations and individuals who may have been put off by the advertising or endorsement clauses. See Alistair's email and NetBSD's licensing information for more details.
http://mail-index.netbsd.org/netbsd-announce/2008/06/20/msg000030.html
Tags: bsd, court
Posted by CmdrTaco on Monday May 12, @12:24PM
from the all-to-steal-wow-gold dept.
sowjetarschbajazzo writes "Air Force Col. Charles W. Williamson III believes that the United States military should maintain its own botnet, both as a deterrent towards those who would attempt to DDoS government networks, and an offensive weapon to be used against the networks of unfriendly nations, criminal groups, or terrorist organizations. "Some people would fear the possibility of botnet attacks on innocent parties. If the botnet is used in a strictly offensive manner, civilian computers may be attacked, but only if the enemy compels us. The U.S. will perform the same target preparation as for traditional targets and respect the law of armed conflict as Defense Department policy requires by analyzing necessity, proportionality and distinction among military, dual-use or civilian targets. But neither the law of armed conflict nor common sense would allow belligerents to hide behind the skirts of its civilians. If the enemy is using civilian computers in his country so as to cause us harm, then we may attack them." What does Slashdot think of this proposal?"
Tags: story, tech, military, internet, microsoft, windows, whatcouldpossiblygowrong

  NASA coating used to save student lives 2008-01-13 10:39 Eric Ciccone

Submitted by Eric Ciccone on Sunday January 13 2008, @10:39AM
Eric Ciccone writes "The State of Massachusetts initiated a new student fire safety program that utilizes new coatings technology that was used on the Mars Pathfinder air bags. A video of a dorm room test burn shows that a fire can be contained to the room of origin just by painting 10 mills of the special coating on the walls & ceiling. The video can be viewed on YouTube at: www.youtube.com/watch?v=W-AfECHZyNQ or at the web site www.dormroomfire.com"
http://www.dormroomfire.com/
Tags: submission, science, usa
Submitted by maddogdelta on Sunday January 13 2008, @09:39AM
maddogdelta writes "NPR has an article about Slashdot! Read about it here. Cowboy Neal says, "Sometimes, it pays to do your job right!""
http://www.npr.org/templates/story/story.php?storyId=18056096
Tags: submission, features, social

  End of 32 Bit Time Problem 2008-01-10 07:46 georgetirebiter

Submitted by georgetirebiter on Thursday January 10 2008, @07:46AM
georgetirebiter writes "At least one large, very successful financial services organization in the last few days fell victim to the Unix year 2038 problem when trying to create a standard 30 year risk contract in their proprietary financial software. The problem occurred when trying to make a standard time call in SQL. I wonder how many other programmers have had to try to solve this problem in legacy systems? What solutions did they use? Is this really an incipient and perhaps more serious successor to the Y2K bug?"
Tags: submission, developers, unix