QuesarVII writes "Tavis Ormandy and Julien Tinnes have discovered a severe security flaw in all 2.4 and 2.6 kernels since 2001 on all architectures. 'Since it leads to the kernel executing code at NULL, the vulnerability is as trivial as it can get to exploit: an attacker can just put code in the first page that will get executed with kernel privileges.'"

Hugh Pickens writes "NPR reports that owners of ships that ply the dangerous waters near Somalia are looking at options to repel pirates including slippery foam, lasers, electric fences, water cannons and high-intensity sound — almost anything except guns. One defense is the Force 80 squirt gun with a 3-inch nozzle that can send 1,400 gallons a minute 100 yards in any direction. 'It is a tremendous force of water that will knock over anything in its path and will also flood a pirate's ship very quickly,' says Roger Barrett James of the the Swedish company Unifire. Next is the Mobility Denial System, a slippery nontoxic foam that can be sprayed on just about any surface making it impossible to walk or climb even with the aid of a harness. The idea would be to spray the pirate's vessel as it approached, or to coat ropes, ladders, steps and the hull of the ship that's under attack. The Long Range Acoustic Device, or LRAD, a high-powered directional loudspeaker allows a ship to hail an approaching vessel more than a mile away. 'Knowing that they've lost the element of surprise is half the battle,' says Robert Putnam of American Technology Corp. The LRAD has another feature — a piercing "deterrent tone" that sounds a bit like a smoke detector alarm with enough intensity to cause extreme pain and even permanent hearing loss for anyone directly in the beam that comes from the device. But Capt. John Konrad, who blogs for the Web site Gcaptain.com, says no anti-pirate device is perfect. 'The best case scenario is that you find these vessels early enough that you can get a Navy ship detached to your location and let them handle the situation.'"

Hell Yeah! reminds us of a 2-week-old development that somehow escaped notice here. A team of Russian hackers has found a way to decipher a Yahoo CAPTCHA, thought to be one of the most difficult, with 35% accuracy. The Russian group's notice, posted by one "John Wane," is dated January 16. This site hosts a rapidshare link to what looks to be demonstration software for Windows, and quotes the Russian researchers: "It's not necessary to achieve high degree of accuracy when designing automated recognition software. The accuracy of 15% is enough when attacker is able to run 100,000 tries per day, taking into the consideration the price of not automated recognition — one cent per one CAPTCHA."

Not Comcastic writes "Two weeks after officially opening proceedings on Comcast's BitTorrent throttling, angry users are bombarding the FCC with comments critical of the cable provider's practices. 'On numerous occasions, my access to legal BitTorrent files was cut off by Comcast,' a systems administrator based in Indianapolis wrote to the FCC shortly after the proceeding began. 'During this period, I managed to troubleshoot all other possible causes of this issue, and it was my conclusion (speaking as a competent IT administrator) that this could only be occurring due to direct action at the ISP (Comcast) level.' Another commenter writes 'I have experienced this throttling of bandwidth in sharing open-source software, e.g. Knoppix and Open Office. Also I see considerable differences in speed ftp sessions vs. html. They are obviously limiting speed in ftp as well.'"

Stony Stevenson writes "European Union countries can refuse to disclose names of file sharers on the Internet in civil cases, the EU's top court said. The European Court of Justice has ruled on a dispute between Spanish music rights holders association Promusicae and Spain's top telecoms operator Telefonica over Telefonica's Internet clients who shared copyright material on the Web. Telefonica argued that, under a national law based on EU rules, it only had to disclose the name of an Internet subscriber for criminal actions, not civil ones. But the court said: 'Community law does not require the member states, in order to ensure the effective protection of copyright, to lay down an obligation to disclose personal data in the context of civil proceedings.' I wonder if this ruling will have any effect on other cases in other countries."

A group of respected security researchers has released a paper on the security holes that would be opened up if a broad warrantless wiretapping law is passed. The subject could hardly be more timely, as Congress is debating the subject now. Steve Bellovin, Matt Blaze, Whit Diffie, Susan Landau, Peter Neumann, and Jennifer Rexford have released a preprint of Risking Communications Security: Potential Hazards of the Protect America Act (PDF), which will appear in the January/February 2008 issue of IEEE Security and Privacy. It will hit the stands in a few weeks. From Matt Blaze's blog posting: "As someone who began his professional carrier in the Bell System (and who stayed around through several of its successors), the push for telco immunity represents an especially bitter disillusionment for me. Say what you will about the old Phone Company, but respect for customer privacy was once a deeply rooted point of pride in the corporate ethos. There was no faster way to be fired (or worse) than to snoop into call records or facilitate illegal wiretaps, well intentioned or not. And it was genuinely part of the culture; we believed in it, even those of us ordinarily disposed toward a skeptical view of the official company line. Now it all seems like just another bit of cynical, focus-group-tested PR."

jmason reminds us of a story from a few weeks back that got little attention, adding "This doesn't seem to be just bluster; as far as I can tell, everyone who knows the RBN now agrees that this seems likely." Brian Krebs's Security Fix blog at the Washington Post carried a story about the Storm worm containing some pretty staggering allegations. "Dmitri Alperovitch [of Secure Computing] said federal law enforcement officials who need to know have already learned the identities of those responsible for running the Storm worm network, but that US authorities have thus far been prevented from bringing those responsible to justice due to a lack of cooperation from officials in St. Petersburg, Russia, where the Storm worm authors are thought to reside. In a recent investigative series on cyber crime featured on washingtonpost.com, St. Petersburg was fingered as the host city for one of the Internet's most profligate and cyber-crime enabling operation — the Russian Business Network. Alperovitch blames the government of Russian President Vladimir Putin and the political influence of operatives within the Federal Security Service (the former Soviet KGB) for the protection he says is apparently afforded to cybercrime outfits such as RBN and the Storm worm gang. 'The right people now know who the Storm worm authors are,' Alperovitch said. 'It's incredibly hard because a lot of the FSB leadership and Putin himself originate from there, where there are a great deal of people with connections in high places.'"