Google

Submission + - Google Sued by Northeastern University (reuters.com)

bostonsoxfan writes: Reuters is reporting that Google is being sued by Northeastern University and a small startup, Jarg Corp. The lawsuit is over "Distributed Computer Database System and Method", which Dr. Kenneth Baclawski patented and contends is the basis of Google's search system. The suit is being brought in the Eastern District of Texas in Marshall, a court known for being plaintiff friendly and significantly quicker than other courts.

TB-Sized Solid State Drives Announced

prostoalex writes "Several companies have announced solid state hard drives in excess of one terabyte in size. ComputerWorld describes one from BitMicro that's just 3.5". Their flash drive will support up to 4 Gbps data transfer rate. From the article: 'SSDs access data in microseconds, instead of the milliseconds that traditional hard drives use to retrieve data. The BitMicro E-Disk Altima 4Gb FC delivers more than 55,000 I/O operations per second (IOPS) and has a sustained data transfer rate over 230MB/sec. By comparison, a fast hard drive for example will run at around 300 IOPS.'" Ah, the speed of tech. Seems like only last month we were talking about 500GB drives.
Microsoft

Submission + - Microsoft PRNG encryption CRACKED! (computerworld.com)

Martin Shin writes: "November 15, 2007 (Computerworld) Israeli researchers who have reverse-engineered a critical component of Windows' encryption technology say attackers could exploit flaws to decipher secured information. Microsoft Corp. has downplayed the threat.

In a paper published earlier this month, Benny Pinkas from the University of Haifa and two Hebrew University graduate students, Zvi Gutterman and Leo Dorrendorf, described how they recreated the algorithm used by Windows 2000's pseudo-random number generator (PRNG). They also spelled out vulnerabilities in the CryptGenRandom function, which calls on the algorithm.

Windows and its applications use the PRNG to create random encryption keys, which are in turn used to encrypt files and e-mail messages, and by the Secure Socket Layer protocol. SSL secures virtually every important Internet data transmission, including information from consumers to online retailers, and from bank customers to their online accounts.

By cracking the PRNG's algorithm, Pinkas and his team were able to predict its future results and uncover what it had come up with in the past, which then let them compute both previous and future encryption keys. They also discovered multiple design flaws in the algorithm that they said could give hackers the keys to the kingdom.

One of the flaws let Pinkas calculate the keys that had already been used on a Windows 2000 machine. In effect, given even remote access to the machine, a hacker could uncover encryption keys that had been generated, and thus the passwords — or other information — which had been used, even if they weren't saved elsewhere on the system. "If you know the 'state' of the PRNG, it should be hard to predict its previous state," said Pinkas yesterday. "It should be like a one-way street. Going backward [in time] should be impossible. But we found a way to very efficiently predict previous states of the PRNG."

That's a major bug, and one that should not have been overlooked, Pinkas added. "It's very well known how to construct a one-way generator. The fact that the PRNG used by Windows 2000 does not provide [this] demonstrates that the design is flawed."

Another problem with Windows' PRNG, added Pinkas, is that a single peek at the current state of its calculations can expose a huge amount of information. Unlike other operating systems such as Linux, Windows only refreshes its "randomness" after the PRNG has produced 128K of output. And since a typical SSL connection between, say, Internet Explorer and a bank consumes just 100-200 bytes of output, it's possible to predict 600-1,200 different SSL connections.

"Once we get the state of the PRNG, we can simulate its future state until the generator is refreshed with new random data," said Pinkas. "But that represents several hundred SSL connections."

Pinkas acknowledged that an attacker must have access to the target PC to get a glimpse of the PRNG's current state — the prerequisite to calculating either future or past encryption keys — but in today's security landscape, that's no barrier. "People are finding new ways to get administrative privileges all the time," he argued. By combining a relatively run-of-the-mill attack — one that results in full access to the machine, such as the just-patched vulnerability in Windows' URI protocol handler — with an exploit of the PRNG's design flaws, hackers could decrypt files or reveal secure traffic between the PC and the outside world, Pinkas said. "It should be pretty easy to do our attacks."

That's not a vulnerability, that's a feature

Microsoft downplayed the problem. "We found that there is no security vulnerability," the company said in a statement attributed to Bill Sisk, Microsoft's security response communications manager. "Information is not disclosed inappropriately to unauthorized users on any supported Windows systems. In all cases discussed in the claim, information is visible only to the users themselves or to another user logged onto the local system with administrator credentials."

Sisk then went on to justify Microsoft's position that the flaws did not qualify as security vulnerabilities. "Because administrators by design can access all files and resources on a system, this does not represent inappropriate disclosure of information."

"We got basically the same [response] when we reported our findings in May," said Pinkas, who believes that the risk is greater than Microsoft wants users to believe. An attacker does not need physical access to the PC to carry out an attack that leverages the PRNG's flaws, for example. "Once you have a way to do remote code execution, you can grab the state of the generator," he said. "Any hacker who knows the OS, could grab the state, and as I said, it's not difficult to get administrative privileges on a PC."

A Symantec Corp. researcher took a middle position. In a research note made available to customers of Symantec's DeepSight threat network, analyst Erik Kamerling called the level of difficulty of such an attack as "relatively high" even as he said that Pinkas' discovery was "an extremely sought-after tool in cryptanalysis."

"An attacker must first gain some type of privileged access to an affected machine," said Kamerling. "Then the attacker would have to run a custom application or script that reads internal RNG variables. The attacker would also need to compute pending and past state information, and finally correlate and apply this forward and backward state reconstruction with the communications emanating from the target machine. It's a complicated scenario to say the least."

But Kamerling also hedged his bets. "Any development of an automated tool or program that would accomplish the techniques in the paper would increase the severity of this discovery," he admitted.

Microsoft came close to promising that it would fix the random number generator. "We are evaluating changes to further strengthen our random number generation capabilities," Sisk said. In an earlier statement, the company had said it might include an update in a future Windows service pack.

The paper co-authored by Pinkas, Gutterman and Dorrendorf can be downloaded from the Cryptology ePrint Archive in PDF format."

The Almighty Buck

Submission + - Feds Raid LibertyDollar.org

An anonymous reader writes: (Disclaimer: This reporter is affiliated in no other way than empathy with any of the named parties. Surely people should learn from this?)

US citizens' rights to property and free enterprise are under attack again. From TFA:

"For approximately six hours they took all the gold, all the silver, all the platinum and almost two tons of Ron Paul Dollars that were just delivered last Friday. They also took all the files, all the computers and froze our bank accounts. ...all the gold and silver that backs up the paper certificates and digital currency held in the vault at Sunshine Mint has also been confiscated. Even the dies for minting the Gold and Silver Libertys have been taken.

This in spite of the fact that Edmond C. Moy, the Director of the Mint, acknowledged in a letter to a US Senator that the paper certificates did not violate Section 486 and were not illegal. But the FBI and Services took all the paper currency too."

http://libertydollar.org/ld/legal/raid.htm

This story, in various forms, has been covered today and yesterday by the Evansville Courier & Press and appears in several places on Digg.
Communications

Submission + - Cable Speed in Germany now up to 30MBit/s

micropitt writes: "Another cable company in Germany (http://www.kabeldeutschland.de) is now offering higher down- and upload speeds: 30MBit/s down and 2MBit/s up for 39.90 Euro, which is basically the same as what I pay here in the US for 3MBit/s down and 260kb/s up. The question is, why is this kind of speed not possible here in the US? Even DSL in Europe is faster than here. What are we missing? The original article is in German: http://www.heise.de/newsticker/meldung/99098"
Windows

Submission + - SPAM: Microsoft wins patent suit over XP boot-up tech

alphadogg writes: Microsoft defeated a major patent licensing firm in a lawsuit over technology that helps computers boot up faster Thursday. The suit asked the court to award the patent holder $2.50 per copy of Windows XP sold in the U.S. By Microsoft's account, that could have amounted to $600 million to $900 million. Microsoft argued that there are many ways to improve the boot speed of PCs and that XP uses different technology than that in the patent.
Announcements

Submission + - High-quality YouTube videos coming soon (webware.com)

mlauzon writes: "YouTube co-founder Steve Chen, speaking at the NewTeeVee Live conference today, confirmed that high-quality YouTube video streams are coming soon. Although YouTube's goal, he said, is to make the site's vast library of content available to everyone, and that requires a fairly low-bitrate stream, the service is testing a player that detects the speed of the viewer's Net connection and serves up higher-quality video if viewers want it.

Why wouldn't they? Because the need to buffer the video before it starts playing will change the experience. Hence the experiment, rather than just a rapid rollout of this technology. On stage, he said the current resolution of YouTube videos has been "good enough" for the site until now.

Chen told me he expects that high-quality YouTube videos will be available to everyone within three months.

Chen also confirmed that in YouTube's internal archive, all video is stored at the native resolution in which it was sent. However, he said, a large portion of YouTube videos are pretty poor quality to begin with — 320x240. Streaming them in high-quality mode isn't going to help much."

Technology (Apple)

Submission + - The truth about Santa Rosa and Apple (abettergeek.com)

Shifuimam writes: "For more than a month now, every Apple user on the planet has been referring to the latest notebook upgrade (to the Intel Crestline chipset) as "Santa Rosa". This isn't right and will never be right. Santa Rosa is a Centrino-specific technology brand, and I'm surprised Intel's not even a little insistent that major news sites stop referring to the MacBook and MacBook Pro upgrade as Santa Rosa. Details here: http://abettergeek.com/?p=5"
Microsoft

Submission + - MS Office 2007 Software As Pre-Paid Service (sify.com)

MissingRainbow writes: "Microsoft Office 2007 software is now available as a pre-paid service in India. While buying a computer you can obtain a pre-paid license for a specific duration (say six months). And after that period, it can be renewed. They are comparing this service with the mobile pre-paid cellular services. The price difference between perpetual license and this pre-paid license is quite huge. A perpetual license would cost INR 15,000/- while a pre-paid license for six months would cost just INR 1500/-. So if the MS Office release cycle is less than 5 years, it would make sense to go with the pre-paid option. Otherwise why would anybody want to go pre-paid?"
The Courts

Comcast Sued Over P2P Blocking

CRISTAROL writes "Comcast has been sued by a California resident for blocking BitTorrent and other traffic. 'John Hart describes himself as a Comcast customer who has seen performance hits when using "Blocked Applications" targeted by Comcast's traffic management application, Sandvine. In his complaint, Hart says that Comcast severely limits "the speed of certain internet applications such as peer-to-peer file sharing and lotus notes [sic]." Comcast accomplishes this by "transmitting unauthorized hidden messages" to the PCs of those using the applications.' The lawsuit comes on the heels of an FCC complaint over the same issue."
United States

Submission + - CIA Revealing Decades of Their Illegal Abuses (washingtonpost.com)

* * Beatles-Beatles writes: "long-secret records detailing some of the intelligence agency's worst illegal abuses — the so-called "family jewels" documenting a quarter-century of overseas assassination attempts, domestic spying, kidnapping and infiltration of leftist groups from the 1950s to the 1970s

http://www.washingtonpost.com/wp-dyn/content/article/2007/06/21/AR2007062102434.html"

Enlightenment

Submission + - Predictions of the Year 2000 from 1900 writer

zxking writes: I came across this interesting article while doing some history research.

"The Ladies Home Journal from December 1900 contained a fascinating article by John Elfreth Watkins, Jr. titled "What May Happen in the Next Hundred Years". Mr. Watkins wrote: "These prophecies will seem strange, almost impossible. Yet, they have come from the most learned and conservative minds in America. To the wisest and most careful men in our greatest institutions of science and learning I have gone, asking each in his turn to forecast for me what, in his opinion, will have been wrought in his own field of investigation before the dawn of 2001 — a century from now. These opinions I have carefully transcribed.""

Some of the predictions have proved true, but not in the way described, while others still seem to be dreams. What predictions would Slashdotters make for the year 2100?
Censorship

SQL-Ledger Relicensed, Community Gagged

Ashley Gittins writes "Users of the popular accounting package SQL-Ledger were being kept in the dark about a recent license change. Two weeks ago a new version of the software was released but along with it came the silent change of license from GPLv2 to the 'SQL-Ledger Open Source License' — presumably in an effort to prevent future forks like LedgerSMB. As it turns out, the author was making deliberate attempts to prevent the community from finding out about the license change. No posts to the SQL-Ledger mailing lists asking about the license change were getting past moderation and direct questions to the author were going unanswered. Just recently the license was switched back to GPLv2. This behavior is not a first for this particular project, and is part of the reason for the original LedgerSMB fork. Does a project maintainer have an ethical obligation to notify his or her community of a license change? What about a legal obligation?"
