Security

Sun Pushes Emergency Java Patch 90

Trailrunner7 writes "In a sudden about-face, Sun has rushed out a Java update to fix a drive-by download vulnerability that exposed Windows users to in-the-wild malware attacks. The patch comes less than a week after Sun told a Google researcher it did not consider the issue serious enough to warrant an out-of-cycle patch and less than a day after researchers spotted live exploits on a booby-trapped Web site. The flaw, which was also discovered independently by Ruben Santamarta, occurs because the Java-Plugin Browser is running 'javaws.exe' without validating command-line parameters. Despite the absence of documentation, a researcher was about to figure out that Sun removed the code to run javaws.exe from the Java plugin. The about-face by Sun is another sign that some big vendors still struggle to understand the importance of working closely with white hat researchers to understand the implications of certain vulnerabilities. In this case, Google's Tavis Ormandy was forced to use the full-disclosure weapon to force the vendor into a proper response."
Operating Systems

Researcher Releases Hardened OS "Qubes"; Xen Hits 4.0 129

Trailrunner7 writes "Joanna Rutkowska, a security researcher known for her work on virtualization security and low-level rootkits, has released a new open-source operating system meant to provide isolation of the OS's components for better security. The OS, called Qubes, is based on Xen, X and Linux, and is in a basic, alpha stage right now. Qubes relies on virtualization to separate applications running on the OS and also places many of the system-level components in sandboxes to prevent them from affecting each other. 'Qubes lets the user define many security domains implemented as lightweight virtual machines (VMs), or 'AppVMs.' E.g. users can have 'personal,' 'work,' 'shopping,' 'bank,' and 'random' AppVMs and can use the applications from within those VMs just like if they were executing on the local machine, but at the same time they are well isolated from each other. Qubes supports secure copy-and-paste and file sharing between the AppVMs, of course.'" Xen's also just reached 4.0; some details below.
Apple

iPad Review 750

This weekend saw the delivery of iPads into hundreds of thousands of filthy hands. I managed to get my hands on a 32GB unit and put it through its paces for a battery charge and a half, and wanted to take a few minutes to share some notes with you. But if you don't care to read the whole review, let me give you a hint: I am typing this review on my laptop.
Cellphones

Where Android Beats the iPhone 365

snydeq writes "Peter Wayner provides a developer's comparison of Android and the iPhone and finds Android not only competitive but in fact a better choice than the iPhone for many developers, largely due to its Java foundation. 'While iPhone developers have found that one path to success is playing to our baser instincts (until Apple shuts them down), a number of Android applications are offering practical solutions that unlock the power of a phone that's really a Unix machine you can slip into your pocket,' Wayner writes, pointing out GScript and Remote DB as two powerful tools for developers to make rough but workable custom tools for Android. But the real gem is Java: 'The pure Java foundation of Android will be one of the biggest attractions for many businesses with Java programmers on the staff. Any Java developer familiar with Eclipse should be able to use Google's Android documentation to turn out a very basic application in just a few hours. Not only that, but all of the code from other Java programs will run on your Android phone — although it won't look pretty or run as fast as it does on multicore servers.'"
Cellphones

Tethering Is Exhilarating (With the Nexus One) 211

timothy found this link (hat-tip to Tim O'Reilly) to a paean to the joys of tethering. "In a short post, Steve Souders explores the current state of tethering 3G connections via iPhone (on which he basically gives up, for the perfectly decent reason of not wanting to jailbreak his iPhone) and the Nexus One, with which he has great success. His writeup serves as a micro-tutorial ('use PdaNet's Android app') as well as an endorsement."
Security

GoDaddy Wants Your Root Password 236

Johnny Fusion writes "The writer of the Sucuri Security Blog had an alarming awakening when a honeypot on port 22 on a GoDaddy-hosted VPS recorded login attempts using his GoDaddy username and password and even an attempt to log in as root. It turns out the attempt was actually from within GoDaddy's network. Before he could 'alert' GoDaddy about the security breach, he got an email from GoDaddy demanding his root login credentials. There is an update where GoDaddy explains itself and says they will change policy."
Space

Falcon 9 Prepares For High Stakes Launch 190

happylunarnewyear writes "The first new rocket to be launched from the Cape since 2002 is assembled and upright on Launch Complex 40. Falcon 9 will undergo fueling testing and live firing tests before the launch occurs as soon as next month. The stakes couldn't be higher, either. The much politicized proposal for a change in direction for NASA, which includes scrapping the Constellation program in toto in favor of privatization and a new heavy lift vehicle, veritably rides on this rocket. If the launch goes well, the plan for increased reliance on privatized cargo missions and eventually privatized manned missions will soar with it. However if something goes wrong, those plans will come crashing to Earth along with Falcon 9. Given the stakes, this launch is one of the most important in recent history. From the article, 'President Obama's proposal to shift transport of US astronauts to the space station from government launchers to privatized ones could suffer politically if there's a high-profile problem with the first mission of the Falcon 9, by far the most talked-about newcomer vying for the opportunity.'" Reader FleaPlus contributes related news about NASA's proposed funding for scientific payloads on commercial space flights, which would be a huge boon to researchers.
