Macintosh security lags behind Windows and BSD

Tom Ptacek at Matasano Chargen has a rundown on the new security features in Mac OS X Leopard, which are still not quite up to snuff with what’s in Windows Vista or OpenBSD. Here’s a followup with more details.

November 8, 2007 · 1 min

Spammers and criminals for Ron Paul

From metafilter: When Ron Paul email spam started hitting inboxes in late October, UAB Computer Forensics Director Gary Warner published findings on the spam’s textual patterns and the illicit botnet used to spread it – findings which were picked up by media outlets and tech websites like Salon, Ars Technica, and Wired Magazine’s “Threat Level” blog, the latter in a set of followup posts by writer Sarah Stirland: 1, 2, 3. The Ron Paul fan response was swift and decisive: clearly the botnet was the work of anti-Ron Paul hackers trying to discredit his campaign, and Rudy Giuliani had paid Stirland (and not UAB Computer Forensics) to do a smear piece – as claimed by a YouTube video pointing to posts on RudyGiulianiForum.com. Thus proving, once again, that the Ron Paul campaign’s greatest liability is not so much his far-right conspiracy-driven antifederal libertarianism, but rather the spittle-flecked anger of his own noisiest supporters.

There are definitely a lot of nuts among Ron Paul’s supporters. Meanwhile, he raised $3.8 million yesterday (apparently a number revised downward from $4.3 million) in the largest one-day online political fundraiser ever. Intrade currently shows Paul as the third most likely GOP nominee, after Giuliani and Romney. A few other Ron Paul-related blog posts that I realize I’ve neglected to mention here, from Dispatches from the Culture Wars:

“Is Ron Paul a Dominionist?” Argues that Paul appears to have much in common with some theocrats.

“Sandefur on Ron Paul” Doubts that Paul is a dominionist, but suggests he might be a Thomas DiLorenzo-style neo-confederate who thinks we don’t even need a federal government (in which case he wouldn’t really be the supporter of the Constitution that he seems to be) and that the U.S. Civil War wasn’t about slavery (which is pernicious nonsense).

I also just came across this story, which says that Paul would like to see the U.S. Constitution amended to remove the subject of abortion from the purview of the courts, which is yet more anti-constitutional insanity. ...

November 6, 2007 · 17 min

Break-in at CI Host colo facility

The Register (UK) reports that C I Host, a webhosting provider, has now had a fourth break-in at its Chicago colocation facility. Someone cut through a wall with a saw and stole customer equipment (and the DVRs or tape recording devices for the CCTV system). C I Host apparently took days to inform its customers of the break-in, and some have voiced suspicions that it was an inside job. UPDATE (February 4, 2007): There was some followup discussion.

November 5, 2007 · 1 min

3D scanner made out of a webcam, Legos, and milk

Friedrich Kirschner has built a device to make 3D image scans of objects placed in a small plastic container, using a webcam and a platform built of Legos, and some milk. (Hat tip to Dave Palmer on the SKEPTIC list.)

September 29, 2007 · 1 min

Hacker finds vulnerability in Adobe Reader

A hacker has found a flaw in Adobe’s PDF file format which can be used to exploit Adobe Reader 8.1 on Windows XP. Dave G. at the Matasano Chargen blog predicts that such attacks–targeting popular applications–will become more common. PDF in particular is a likely target due to its ubiquity and its complexity.

September 25, 2007 · 1 min

Boston police arrest MIT student for blinking nametag

Boston authorities have filed another set of bogus “hoax device” charges, against Star Simpson, a 19-year-old MIT student who was wearing a sweatshirt with a homemade electronic nametag stuck to the front of it. The device was made of a breadboard with LEDs and a 9V battery, and Simpson was also holding “a lump of putty” in her hands, as she was waiting at Logan airport for a friend’s flight to arrive. She explained that she made the device for career day because she wanted to stand out. She was released on $750 bail and will have to appear in court on October 29 on charges of “possessing a hoax device.” The Boston Globe’s article says: ...

September 21, 2007 · 16 min

I hope this doesn't happen to Sprint's WiMax plans...

Municipal wireless has been a failure. The City of Tempe projected 32,000 users, but only had 600 at its last published count, which was back in April 2006. It’s also failing in Philadelphia, Minneapolis, Portland, Chicago, and Taipei. (Also see Technology Liberation Front, which makes the same point.) UPDATE (November 8, 2007): Sprint and Clearwire have scrapped a plan to jointly build out their WiMax networks, and it looks like Sprint may scale back its own WiMax plans, as well. ...

September 21, 2007 · 1 min

Lessons for information security from Multics

Bruce Schneier brings attention to a 2002 paper by Paul Karger and Roger Schell (PDF) about lessons learned from Multics security that are still relevant today, and Multicians come out of the woodwork in the comments. Karger and Schell were part of the Air Force “tiger team” that ran penetration attacks against Multics in the 1970s. They were successful, which ultimately led to a Multics security enhancement project, the result of which was that Multics was the first commercial operating system to obtain a B2 security rating from the National Computer Security Center. I played a small part in that project, fixing some bugs and helping to run tests of Multics’ Trusted Computing Base (TCB).

September 19, 2007 · 1 min

Mirrors without glass

Daniel Rozin’s Weave Mirror uses 768 motorized C-shaped prints in what appears like a basket weave patterned screen, each of which can rotate independently to change its shade, producing a grayscale image of whatever is in front of it. Photos and video at Engadget. This reminds me of Julius Popp’s Bitfall, which draws images with falling water drops.

September 19, 2007 · 1 min

Microsoft updates Windows XP and Vista without user permission or notification

Microsoft has admitted that it has updated nine executable files in XP and Vista on users’ machines even when they have turned off automatic updates. These files are part of the Windows Update feature itself. Corporate users who use SMS rather than Windows Update for OS patches are not affected. Bruce Schneier raises the question of whether this ability to force updates could be exploited by a third party. I would hope that such updates are digitally signed, so that they can only come from Microsoft, but a commenter at Schneier’s blog notes that even if that is the case there is a potential vulnerability created:

There may be an attack vector, even if the updates are signed by Microsoft. The signed updates would always be silently accepted. If Microsoft ever signs an update which later turns out to be vulnerable to some attack (this has happened before with signed ActiveX components), an attacker could re-push this vulnerable update and introduce a known vulnerability into the target system.

Another commenter notes that this feature could be used by law enforcement to install a keylogger on a machine, if Microsoft agreed to do it.

September 17, 2007 · 1 min