Macintosh security lags behind Windows and BSD

Tom Ptacek at Matasano Chargen has a rundown on the new security features in Mac OS X Leopard, which are still not quite up to snuff with what’s in Windows Vista or OpenBSD. Here’s a followup with more details.

November 8, 2007 · 1 min

Spammers and criminals for Ron Paul

From metafilter: When Ron Paul email spam started hitting inboxes in late October, UAB Computer Forensics Director Gary Warner published findings on the spam’s textual patterns and the illicit botnet used to spread it – findings which were picked up by media outlets and tech websites like Salon, Ars Technica, and Wired Magazine’s “Threat Level” blog, the latter in a set of followup posts by writer Sarah Stirland: 1, 2, 3. The Ron Paul fan response was swift and decisive: clearly the botnet was the work of anti-Ron Paul hackers trying to discredit his campaign, and Rudy Giuliani had paid Stirland (and not UAB Computer Forensics) to do a smear piece – as claimed by a YouTube video pointing to posts on RudyGiulianiForum.com. Thus proving, once again, that the Ron Paul campaign’s greatest liability is not so much his far-right conspiracy-driven antifederal libertarianism, but rather the spittle-flecked anger of his own noisiest supporters. There are definitely a lot of nuts among Ron Paul’s supporters. Meanwhile, he raised $3.8 million yesterday (apparently a number revised downward from $4.3 million) in the largest one-day online political fundraiser ever. Intrade currently shows Paul as the third most likely GOP nominee, after Giuliani and Romney. A few other Ron Paul-related blog posts that I realize I’ve neglected to mention here, from Dispatches from the Culture Wars: “Is Ron Paul a Dominionist?” argues that Paul appears to have much in common with some theocrats. “Sandefur on Ron Paul” doubts that Paul is a dominionist, but suggests he might be a Thomas DiLorenzo-style neo-confederate who thinks we don’t even need a federal government (in which case he wouldn’t really be the supporter of the Constitution that he seems to be) and that the U.S. Civil War wasn’t about slavery (which is pernicious nonsense). I also just came across this story, which says that Paul would like to see the U.S. Constitution amended to remove the subject of abortion from the purview of the courts, which is yet more anti-constitutional insanity. ...

November 6, 2007 · 17 min

Break-in at CI Host colo facility

The Register (UK) reports that C I Host, a webhosting provider, has now had a fourth break-in at its Chicago colocation facility. Someone cut through a wall with a saw and stole customer equipment (and the DVRs or tape recording devices for the CCTV system). C I Host apparently took days to inform its customers of the break-in, and some have voiced suspicions that it was an inside job. UPDATE (February 4, 2007): There was some followup discussion.

November 5, 2007 · 1 min

Hacker finds vulnerability in Adobe Reader

A hacker has found a flaw in Adobe’s PDF file format which can be used to exploit Adobe Reader 8.1 on Windows XP. Dave G. at the Matasano Chargen blog predicts that such attacks–targeting popular applications–will become more common. PDF in particular is a likely target due to its ubiquity and its complexity.

September 25, 2007 · 1 min

Naomi Wolf on 10 steps to a fascist America

I just saw Naomi Wolf on The Colbert Report (Wednesday night’s show), discussing her new book, The End of America: A Letter of Warning to a Young Patriot. She only had time to list a few of the ten steps on her list, but I found all ten in an article from the Guardian:

1. Invoke a terrifying internal and external enemy
2. Create a gulag
3. Develop a thug caste
4. Set up an internal surveillance system
5. Harass citizens’ groups
6. Engage in arbitrary detention and release
7. Target key individuals
8. Control the press
9. Dissent equals treason
10. Suspend the rule of law

...

September 22, 2007 · 6 min

Boston police arrest MIT student for blinking nametag

Boston authorities have filed another set of bogus “hoax device” charges, against Star Simpson, a 19-year-old MIT student who was wearing a sweatshirt with a homemade electronic nametag stuck to the front of it. The device was made of a breadboard with LEDs and a 9V battery, and Simpson was also holding “a lump of putty” in her hands, as she was waiting at Logan airport for a friend’s flight to arrive. She explained that she made the device for career day because she wanted to stand out. She was released on $750 bail and will have to appear in court on October 29 on charges of “possessing a hoax device." The Boston Globe’s article says: ...

September 21, 2007 · 16 min

British bands banned from U.S. visits

It’s becoming a problem for newly popular British bands to tour in the United States, because they are being denied P-1 visas unless they can prove that they have been “internationally recognized” for a “sustained and substantial” amount of time. Recently the band New Model Army, which has actually been around for decades, were denied visas to perform in San Francisco at the DNA Lounge.

September 21, 2007 · 1 min

Lessons for information security from Multics

Bruce Schneier brings attention to a 2002 paper by Paul Karger and Roger Schell (PDF) about lessons learned from Multics security that are still relevant today, and Multicians come out of the woodwork in the comments. Karger and Schell were part of the Air Force “tiger team” that ran penetration attacks against Multics in the 1970s. They were successful, which ultimately led to a Multics security enhancement project, the result of which was that Multics was the first commercial operating system to obtain a B2 security rating from the National Computer Security Center. I played a small part in that project, fixing some bugs and helping to run tests of Multics’ Trusted Computing Base (TCB).

September 19, 2007 · 1 min

Microsoft updates Windows XP and Vista without user permission or notification

Microsoft has admitted that it has updated nine executable files in XP and Vista on users’ machines even when they have turned off automatic updates. These files are part of the Windows Update feature itself. Corporate users who use SMS rather than Windows Update for OS patches are not affected. Bruce Schneier raises the question of whether this ability to force updates could be exploited by a third party. I would hope that such updates are digitally signed, so that they can only come from Microsoft, but a commenter at Schneier’s blog notes that even if that is the case there is a potential vulnerability created: There may be an attack vector, even if the updates are signed by Microsoft. The signed updates would always be silently accepted. If Microsoft ever signs an update which later turns out to be vulnerable to some attack (this has happened before with signed ActiveX components), an attacker could re-push this vulnerable update and introduce a known vulnerability into the target system. Another commenter notes that this feature could be used by law enforcement to install a keylogger on a machine, if Microsoft agreed to do it.
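The commenter’s point is that a signature proves who produced a package, not whether it is still the package you should be running, so a client that accepts anything its publisher ever signed can be rolled back to a signed-but-vulnerable build. The following is an added example, not Windows Update’s or Microsoft’s code, that puts a signature-only client next to one that also keeps a revocation list and refuses any version at or below the one already installed. It assumes a hypothetical publisher key and uses HMAC-SHA256 as a stand-in for a real public-key signature; the update payloads and version numbers are constructed for the scenario.

```python
import hashlib
import hmac

# Hypothetical stand-in for the publisher's signing key.  A real update channel
# would use an asymmetric signature (publisher signs with a private key, clients
# hold only the public key); HMAC keeps the example dependency-free while
# preserving the property under discussion: a valid signature proves origin,
# not currency.
PUBLISHER_KEY = b"example-publisher-signing-key"


def _signed_message(version: int, digest: str) -> bytes:
    # Bind the version into the signed bytes so an attacker cannot relabel an
    # old signed payload with a newer version number.
    return f"{version}:{digest}".encode()


def sign_package(version: int, payload: bytes) -> dict:
    """Publisher side: produce a signed update package."""
    digest = hashlib.sha256(payload).hexdigest()
    tag = hmac.new(PUBLISHER_KEY, _signed_message(version, digest),
                   hashlib.sha256).hexdigest()
    return {"version": version, "sha256": digest, "payload": payload, "sig": tag}


def signature_valid(pkg: dict) -> bool:
    """Client side: does the package carry a genuine publisher signature
    over both its contents and its version?"""
    digest = hashlib.sha256(pkg["payload"]).hexdigest()
    if digest != pkg["sha256"]:
        return False
    expected = hmac.new(PUBLISHER_KEY, _signed_message(pkg["version"], digest),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, pkg["sig"])


class SignatureOnlyClient:
    """The weak policy the commenter describes: anything the publisher ever
    signed is accepted, including packages older than what is installed."""

    def __init__(self, installed_version: int):
        self.installed_version = installed_version

    def accept(self, pkg: dict) -> str:
        if not signature_valid(pkg):
            return "rejected: bad signature"
        self.installed_version = pkg["version"]
        return "installed"


class RollbackResistantClient:
    """Same signature check, plus a revocation list of known-bad package
    hashes and a requirement that versions only ever move forward."""

    def __init__(self, installed_version: int, revoked_hashes=()):
        self.installed_version = installed_version
        self.revoked = set(revoked_hashes)

    def accept(self, pkg: dict) -> str:
        if not signature_valid(pkg):
            return "rejected: bad signature"
        if pkg["sha256"] in self.revoked:
            return "rejected: revoked package"
        if pkg["version"] <= self.installed_version:
            return "rejected: rollback to version %d" % pkg["version"]
        self.installed_version = pkg["version"]
        return "installed"


def replay_scenario() -> dict:
    """Constructed scenario: v1 of an updater component was signed, later found
    vulnerable, and superseded by v2.  An attacker who captured the v1 package
    re-pushes it to clients already running v2."""
    v1 = sign_package(1, b"updater component, vulnerable build")  # constructed
    v2 = sign_package(2, b"updater component, fixed build")       # constructed

    weak = SignatureOnlyClient(installed_version=2)
    no_revocation = RollbackResistantClient(installed_version=2)
    hardened = RollbackResistantClient(installed_version=2,
                                       revoked_hashes=[v1["sha256"]])

    # Attacker's second attempt: relabel the old payload as version 3 to get
    # past the monotonic-version check.  The version is under the signature,
    # so the tag no longer verifies.
    relabeled = dict(v1, version=3)

    return {
        "weak_replay": weak.accept(v1),
        "weak_version_after": weak.installed_version,
        "no_revocation_replay": no_revocation.accept(v1),
        "hardened_replay": hardened.accept(v1),
        "hardened_relabeled": hardened.accept(relabeled),
        "hardened_same_version": hardened.accept(v2),
        "hardened_version_after": hardened.installed_version,
    }


if __name__ == "__main__":
    for name, outcome in replay_scenario().items():
        print(f"{name}: {outcome}")
```

Two design points worth noting: the version number has to be inside the signed message, otherwise the relabeling attack in `replay_scenario` would succeed against the version check; and the version check alone already stops the replay, so the revocation list is there for the case where the client is still on the vulnerable version or below and would otherwise accept it as an upgrade.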

September 17, 2007 · 1 min

Anti-P2P company suffers major security breach

MediaDefender, a company that attempts to disrupt the sharing of copyrighted material owned by its clients on peer-to-peer filesharing networks, has suffered an embarrassing security breach–the leaking of 700 MB of emails from senior employees in the company. The leak allegedly occurred because one senior employee was forwarding company email to his Gmail account, and he used the same password for his Gmail account that he used to register for a P2P service of some kind. This breach demonstrates the importance of adhering to corporate policies about use of external mail providers and using good password security–anything really important should have a unique password, not the same one used for accessing a variety of online websites and services. UPDATE: It’s now being claimed that MediaDefender’s phone systems have also been compromised for the last nine months, and a 25-minute phone call between MediaDefender and the New York Attorney General’s office is circulating, as well as a transcript. The transcript indicates that the AG’s office was concerned (rightly so, apparently) about a possible mail server compromise at MediaDefender; the MediaDefender representative states at one point that he is speaking over a VoIP connection. UPDATE: It seems the record companies are using information about P2P downloads collected by MediaDefender to make marketing decisions. Here’s a quote from one of the leaked emails (quoted from Slashdot): Subject: Nicole Scherzinger Date: Fri, 24 Aug 2007 15:14:31 -0700 Nicole from pussy cat dolls has a single called “whatever u like”. It’s not selling well on itunes or playing that great on radio. A song called “Baby Love” just leaked (I don’t know how long ago). Interscope wants to know if Baby Love is picking up steam on p2p. They need to make a decision by early next week on whether they should switch to this song as the single. Please get me a score comparison on Monday for these two tracks. Also, please put beyonces, fergie, gwen, and nelly furtado singles as comparisons. UPDATE (September 17, 2007): Ars Technica has a good summary of the breach and what the leaked information shows about what MediaDefender has been up to with its video upload service (apparently designed to encourage the upload of copyrighted content as a sort of sting operation), MiiVi. MediaDefender says it was an “internal project” that was supposed to be password protected but was inadvertently made public. CNet has a story on MediaDefender which notes: ...

September 16, 2007 · 3 min