Ron Guilmette writes "As reported in the Washington Post's Security Fix blog, a substantial hunk of IP address space has apparently been taken over by notorious mass e-mailing company Media Breakaway, LLC, formerly known as OptInRealBig, via means that are at best questionable. The block in question is 134.17.0.0/16, which I documented in depth in an independent investigation. (Apparently, the President of Media Breakaway has now admitted to the Washington Post that his company has been occupying and using the 134.17.0.0/16 block and that front company JKS Media, which provides routing to the block, is actually owned by Media Breakaway.) Remarkably, the president of Media Breakaway, who happens to be an attorney, is trying to defend his company's apparent snatching of this block based upon his own rather novel legal theory that ARIN doesn't have jurisdiction over any IP address space that was handed out before ARIN was formed, in 1997."

goombah99 writes "Princeton Professor, Ed Felton, has posted a series of blog entries in which he shows the printed tapes he obtained from the NJ voting machines don't report the ballots correctly. In response to the first one, Sequoia admitted that the machines had a known software design error that did not correctly record which kind of ballots were cast (republican or democratic primary ballots) but insisted the vote totals were correct. Then, further tapes showed this explanation to be insufficient. In response, State officials insisted that the (poorly printed) tapes were misread by Felton. Again further tapes showed this not to be a sufficient explanation. However all those did not foreclose the optimistic assessment that the errors were benign — that is, the possibility that vote totals might really be correct even though the ballot totals were wrong and the origin of the errors had not been explained. Now he has found (well-printed) tapes that show what appears to be hard proof that it's the vote totals that are wrong, since two different readout methods don't agree. Sequoia has made trade-secret legal threats against those wishing to mount an independent examination of the equipment. One small hat-tip to Sequoia: at least they are reporting enough raw data in different formats that these kinds of errors can come to light — that lesson should be kept in mind when writing future requirements for voting machines."

IGnatius T Foobar writes "Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that "may have been used in crimes." It basically bypasses all of the Windows security (decrypting passwords, etc.) in order to eliminate all that pesky privacy when the police have physical access to your computer. Just one more reason not to run Windows on your computer."

Microsoft Watch writes "Microsoft downplays a recent DNS vulnerability in all Microsoft operating systems (XP, Vista, 2000, and 2003), claims Amit Klein, the security researcher who published the original vulnerability description (PDF) earlier this month. According to Klein, the description in Microsoft's Secure Windows Initiative blog entry is misleading, contains disinformation about the DNS transaction ID algorithm, and downplays the severity of the issue. Klein refutes Microsoft's claim that there is no way to reproduce the next transaction ID, given a series of observed transaction IDs. He shows that this is possible in his paper, which Microsoft had before publishing the SWI post, as well as on the series of data provided in the SWI blog itself."

Anonymous Meoward writes "Today Hans Reiser was found guilty of first degree murder in Oakland, California. Quoting Wired: 'In a murder case with no body, no crime scene, no reliable eyewitness and virtually no physical evidence, the prosecution began the trial last November with a daunting task ahead... The turning point in the trial came when Reiser took the stand in his own defense March 3.' Whether he really did it or not, Hans basically just didn't know when to shut up."

Titus Germanicus writes to tell us that a recent attack has compromised somewhere in the neighborhood of 500,000 pages with a SQL injection attack. The vulnerability seems to be limited to Microsoft's IIS webserver and is easily defeated by the end user with Firefox and "NoScript." "The automated attack takes advantage to the fact that Microsoft's IIS servers allow generic commands that don't require specific table-level arguments. However, the vulnerability is the result of poor data handling by the sites' creators, rather than a specific Microsoft flaw. In other words, there's no patch that's going to fix the issue, the problem is with the developers who failed follow well-established security practices for handling database input. The attack itself injects some malicious JavaScript code into every text field in your database, the Javascript then loads an external script that can compromise a user's PC." Ignoring corporate spin-doctoring, there seems to be plenty of blame to go around.

John Resig is reporting on his blog that a recent trip to Tokyo opened up some very interesting JavaScript projects to him that haven't met with widespread popularity outside of Japan yet. "One project, in particular, really caught my eye. It's called Orto and is an implementation of the Java Virtual Machine (JVM) in JavaScript. This means that you can take an existing Java application, compile it to bytecode, run it through Orto (which produces the JavaScript, and embed it in a web page. While it doesn't provide the full capabilities of most Java code it does provide enough to make for some interesting demos." In a separate post he also detailed how the HotRuby project is allowing a Ruby VM to run in a browser using JavaScript or even indirectly using ActionScript in Flash.