Thursday, September 30, 2010

PC SECURITY - Biblical Computer Worm?

I debated whether to post this here or on my political blog, but since this is in the context of PC Security and can give us an idea of what is possible, "here" won out.

"In a Computer Worm, a Possible Biblical Clue" by JOHN MARKOFF and DAVID E. SANGER, New York Times 9/29/2010

Excerpt

Deep inside the computer worm that some specialists suspect is aimed at slowing Iran’s race for a nuclear weapon lies what could be a fleeting reference to the Book of Esther, the Old Testament tale in which the Jews pre-empt a Persian plot to destroy them.

That use of the word “Myrtus” — which can be read as an allusion to Esther — to name a file inside the code is one of several murky clues that have emerged as computer experts try to trace the origin and purpose of the rogue Stuxnet program, which seeks out a specific kind of command module for industrial equipment.

Not surprisingly, the Israelis are not saying whether Stuxnet has any connection to the secretive cyberwar unit it has built inside Israel’s intelligence service. Nor is the Obama administration, which while talking about cyberdefenses has also rapidly ramped up a broad covert program, inherited from the Bush administration, to undermine Iran’s nuclear program. In interviews in several countries, experts in both cyberwar and nuclear enrichment technology say the Stuxnet mystery may never be solved.


ALSO

"SECURITY - World Industrial Security Threat?"

"Israeli Test on Worm Called Crucial in Iran Nuclear Delay" by WILLIAM J. BROAD, JOHN MARKOFF, and DAVID E. SANGER; New York Times 1/15/2011

Wednesday, September 29, 2010

SOFTWARE - OpenOffice News

"New bid for freedom by OpenOffice" by Sue Gee, I-Programmer 9/28/2010

The open source community behind the free OpenOffice productivity suite is to create an independent Document Foundation and to rebrand its software as LibreOffice.

This move is being seen as an attempt to distance itself from Oracle which has so far declined to donate the OpenOffice brand to the project.

According to the new foundation's first official press release:

"After ten years' successful growth with Sun Microsystems as founding and principal sponsor, the project launches an independent foundation called The Document Foundation, to fulfill the promise of independence written in the original charter"

The Document Foundation has received support from almost the entire OpenOffice programming community, including Novell, Red Hat and Google, leaving only Oracle with the original OpenOffice repository. The Foundation said that it had invited Oracle to become a member of the new organization, and to donate the brand it acquired with Sun Microsystems 18 months ago but that until a decision is reached the LibreOffice brand will be used to refer to the Document Foundation's software development efforts.

Speaking for the group of volunteers involved in the development of OpenOffice, Sophie Gautier, former maintainer of the French-speaking language project said:

"We believe that the Foundation is a key step for the evolution of the free office suite, as it liberates the development of the code and the evolution of the project from the constraints represented by the commercial interests of a single company."

The beta of LibreOffice is available for download on the Document Foundation's website and developers are invited to join the project and contribute to the code in the new friendly and open environment, to shape the future of office productivity suites alongside contributors who translate, test, document, support, and promote the software.

I was wondering if this sort of thing would happen when Oracle bought Sun Microsystems.

Oracle = big-money business NOT interested in supporting non-profit open source community.

UPDATE

"Oracle kicks LibreOffice supporters out of OpenOffice" by Steven J. Vaughan-Nichols, ComputerWorld 10/19/2010

Well, that didn't take long. When The Document Foundation (TDF) created LibreOffice from OpenOffice's code, they left the door open for Oracle, OpenOffice's main stake-owner, to join them. Oracle's reply was to tell anyone involved with LibreOffice to get the heck out of OpenOffice.

This isn't too much of a surprise. Oracle made it clear that it wouldn't be joining with The Document Foundation in working on LibreOffice.

What I did find surprising is that Oracle turned a fork into a fight. In a regularly scheduled OpenOffice.org community council meeting on Oct. 14, council chair and Oracle employee Louis Suárez-Potts wrote, "I would like to propose that the TDF members of the CC consider the points those of us who have not joined TDF have made about conflict of interest and confusion ... I would further ask them to resign their offices, so as to remove the apparent conflict of interest their current representational roles produce."

These OpenOffice.org council members, who are also TDF leaders, include Charles H. Schulz, a major OpenOffice.org contributor for almost ten years; Christoph Noack, co-leader of the OpenOffice User Experience Project; and Cor Nouws, a well-known OpenOffice developer with more than six years of experience in the project. In short, these aren't just leaders — they're important OpenOffice developers.

They haven't declared yet what they'll do to this de facto ultimatum. It seems to me though that they have little choice but to leave. Certainly Oracle wants them out as soon as possible. Suárez-Potts wrote that he wanted a "final decision on your part" as soon as possible. "It is of [the] utmost importance that we do not confuse users and contributors as to what is what, as to the identity of OpenOffice.org -- or of your organization."

I can understand how Oracle wants to quickly define this matter as Oracle vs. everyone involved with LibreOffice. But it's a really dumb move.

The Document Foundation wasn't so much about setting up a rival to OpenOffice as it was about giving an important but stagnant open-source program a kick in the pants. OpenOffice was and is good, but it's not been getting significantly better in years. TDF wanted to change that.

Oracle thinks it's more important to fight with some of the people who could have been its strongest supporters than try to work with them. Dumb! Cutting off your nose to spite your face is always a mistake.

Of course, this is all a piece of Oracle's "my way or the highway" approach to all the open-source programs it inherited from Sun. Oracle may support open source in general, but it's doing a lousy job of doing what's best for its own open-source programs.

This is going to come back to haunt Oracle. I fully expect for LibreOffice to replace OpenOffice as the number one open-source office suite and chief rival to Microsoft Office within the next twelve months.

I agree with Steven's last statement. Oracle corporate leaders are just dumb. They just don't understand that open-source means that they do NOT own the source-code for the software. The source-code belongs to the community.

Monday, September 27, 2010

INTERNET - National Security vs User Freedom

"U.S. Wants to Make It Easier to Wiretap the Internet" by CHARLIE SAVAGE, New York Times 9/27/2010

Excerpt

Federal law enforcement and national security officials are preparing to seek sweeping new regulations for the Internet, arguing that their ability to wiretap criminal and terrorism suspects is “going dark” as people increasingly communicate online instead of by telephone.

Essentially, officials want Congress to require all services that enable communications — including encrypted e-mail transmitters like BlackBerry, social networking Web sites like Facebook and software that allows direct “peer to peer” messaging like Skype — to be technically capable of complying if served with a wiretap order. The mandate would include being able to intercept and unscramble encrypted messages.

The bill, which the Obama administration plans to submit to lawmakers next year, raises fresh questions about how to balance security needs with protecting privacy and fostering innovation. And because security services around the world face the same problem, it could set an example that is copied globally.

James X. Dempsey, vice president of the Center for Democracy and Technology, an Internet policy group, said the proposal had “huge implications” and challenged “fundamental elements of the Internet revolution” — including its decentralized design.

“They are really asking for the authority to redesign services that take advantage of the unique, and now pervasive, architecture of the Internet,” he said. “They basically want to turn back the clock and make Internet services function the way that the telephone system used to function.”

But law enforcement officials contend that imposing such a mandate is reasonable and necessary to prevent the erosion of their investigative powers.

“We’re talking about lawfully authorized intercepts,” said Valerie E. Caproni, general counsel for the Federal Bureau of Investigation. “We’re not talking expanding authority. We’re talking about preserving our ability to execute our existing authority in order to protect the public safety and national security.”

Friday, September 24, 2010

IE8 - How to Save the Window Size

Internet Explorer has had this really annoying problem of NOT saving its window size for a long time, and it's incredible that Microsoft has not fixed it yet.

To "fix" this problem (same as in IE 7 and IE6):
  1. Close all Internet Explorer windows except for one.

  2. Right-click on any link in the page and select "Open in New Window."

  3. Close the first browser window using the [X] in the upper right corner in the title bar.

  4. Resize the window manually by dragging the sides to fill the screen.

    Note: Do NOT click the Maximize button, you have to do it manually.

  5. Hold the [Ctrl] key and click the [X] in the upper right corner in the title bar.

I've verified this works.

INTERNET - Cyberwars Update

"Cyberwar Chief Calls for Secure Computer Network" by THOM SHANKER, New York Times 9/23/2010

The new commander of the military’s cyberwarfare operations is advocating the creation of a separate, secure computer network to protect civilian government agencies and critical industries like the nation’s power grid against attacks mounted over the Internet.

The officer, Gen. Keith B. Alexander, suggested that such a heavily restricted network would allow the government to impose greater protections for the nation’s vital, official on-line operations. General Alexander labeled the new network “a secure zone, a protected zone.” Others have nicknamed it “dot-secure.”

It would provide to essential networks like those that tie together the banking, aviation, and public utility systems the kind of protection that the military has built around secret military and diplomatic communications networks — although even these are not completely invulnerable.

For years, experts have warned of the risks of Internet attacks on civilian networks. An article published a few months ago by the National Academy of Engineering said that “cyber systems are the ‘weakest link’ in the electricity system,” and that “security must be designed into the system from the start, not glued on as an afterthought.”

General Alexander, an Army officer who leads the military’s new Cyber Command, did not explain just where the fence should be built between the conventional Internet and his proposed secure zone, or how the gates would be opened to allow appropriate access to information they need every day. General Alexander said the White House hopes to complete a policy review on cyber issues in time for Congress to debate updated or new legislation when it convenes in January.

General Alexander’s new command is responsible for defending Defense Department computer networks and, if directed by the president, carrying out computer-network attacks overseas.

But the military is broadly prohibited from engaging in law enforcement operations on American soil without a presidential order, so the command’s potential role in assisting the Department of Homeland Security, the Federal Bureau of Investigation or the Department of Energy in the event of a major attack inside the United States has not been set down in law or policy.

“There is a real probability that in the future, this country will get hit with a destructive attack, and we need to be ready for it,” General Alexander said in a roundtable with reporters at the National Cryptologic Museum here at Fort Meade in advance of his Congressional testimony on Thursday morning.

“I believe this is one of the most critical problems our country faces,” he said. “We need to get that right. I think we have to have a discussion about roles and responsibilities: What’s the role of Cyber Command? What’s the role of the ‘intel’ community? What’s the role of the rest of the Defense Department? What’s the role of D.H.S.? And how do you make that team work? That’s going to take time.”

Some critics have questioned whether the Defense Department can step up protection of vital computer networks without crashing against the public’s ability to live and work with confidence on the Internet. General Alexander said, “We can protect civil liberties and privacy and still do our mission. We’ve got to do that.”

Speaking of the civilian networks that are at risk, he said: “If one of those destructive attacks comes right now, I’m focused on the Defense Department. What are the responsibilities — and I think this is part of the discussion — for the power grid, for financial networks, for other critical infrastructure? How do you protect the country when it comes to that kind of attack, and who is responsible for it?”

As General Alexander prepared for his testimony before the House Armed Services Committee, the ranking Republican on the panel, Howard P. McKeon of California, noted the Pentagon’s progress in expanding its cyber capabilities.

But he said that “many questions remain as to how Cyber Command will meet such a broad mandate” given the clear “vulnerabilities in cyberspace.”

The committee chairman, Rep. Ike Skelton, Democrat of Missouri, said that “cyberspace is an environment where distinctions and divisions between public and private, government and commercial, military and nonmilitary are blurred.” He said that it is important “that we engage in this discussion in a very direct way and include the public.”

Wednesday, September 22, 2010

UBUNTU - New App Review Process

"The Ubuntu application review process" by Corbet, LWN.net 9/22/2010

Canonical has announced a mechanism by which applications will be reviewed for possible acceptance into the Ubuntu Software Center. "Recently we formed a community-driven Application Review Board that is committed to providing high quality reviews of applications submitted by application authors to ensure they are safe and work well. Importantly, only new applications that are not present in an existing official Ubuntu repository (such as main/universe) are eligible in this process (e.g. a new version of an application in an existing official repository is not eligible). Also no other software can depend on the application being submitted (e.g. development libraries are not eligible), only executable applications (and content that is part of them) are eligible, and not stand-alone content, documentation or media, and applications must be Open Source and available under an OSI approved license."

Monday, September 20, 2010

SECURITY - The Bad Idea From Intel

"Intel's walled garden plan to put A/V vendors out of business" by Jon Stokes, Ars Technica 9/14/2010

In describing the motivation behind Intel's recent purchase of McAfee for a packed-out audience at the Intel Developer Forum, Intel's Paul Otellini framed it as an effort to move the way the company approaches security "from a known-bad model to a known-good model." Otellini went on to briefly describe the shift in a way that sounded innocuous enough--current A/V efforts focus on building up a library of known threats against which they protect a user, but Intel would love to move to a world where only code from known and trusted parties runs on x86 systems. It sounds sensible enough, so what could be objectionable about that?

Depending how enamored you are of Apple's App Store model, where only Apple-approved code gets to run on your iPhone, you may or may not be happy in Intel's planned utopia. Because, in a nutshell, the App Store model is more or less what Intel is describing. Regardless of what you think of the idea, its success would have at least two unmitigated upsides: 1) everyone will get vPro by default (i.e., it seems hard to imagine that Intel will still charge for security as an added feature), and 2) it would put every security company (except McAfee, of course), out of business. (The second one is of course a downside for security vendors, but it's an upside for users who despise intrusive A/V software.)

From a jungle to an ecosystem of walled gardens

For a company that made its fortune on the back of the x86 ISA, the shift that Intel envisions is nothing less than tectonic. x86 became the world's most popular ISA in part because anything and everything could (and eventually would) run on it. And don't forget Microsoft's role in all of this—remember the "Wintel" duopoly of years gone by? Like x86, Windows ended up being the default OS for the desktop software market, and everything else was niche. And, like x86, Windows spread because everyone who wanted it could get it and run anything they wanted on it.

The fact that x86 was so popular and open gave rise to today's A/V industry, where security companies spend 100 percent of their effort trying to identify and thwart every conceivable form of bad behavior. This approach is extremely labor-intensive and failure-prone, which the security companies love because it keeps them in business.

What Intel is proposing is that the entire x86 ecosystem move to the opposite approach, and run only the code that has been blessed as safe by some trusted authority.

Now, there are a few ways that this is likely to play out, and none of these options are mutually exclusive.

One way should be clear from Intel's purchase of McAfee: the company plans to have two roles as a security provider: a component provider role, and an end-to-end platform/software/services provider role. First, there's the company's traditional platform role, where Intel provides OEMs the basic tools for building their own walled gardens. Intel has been pushing this for some time, mainly in its ultramobile products. If anyone is using Intel's ingredients (an app store plus hardware with support for running only signed code) to build their own little version of the App Store ecosystem, it's probably one of the European or Asian carriers that sells rebadged Intel mobile internet devices (MIDs). It's clear that no one is really doing this on the desktop with vPro, though.

Then there's the McAfee purchase, which shows that Intel plans to offer end-to-end security solutions, in addition to providing the pieces out of which another vendor can build their own. So with McAfee, Intel probably plans to offer a default walled garden option, of sorts. At the very least, it's conceivable that Intel could build its own secure app store ecosystem, where developers send code to McAfee for approval and distribution. In this model, McAfee would essentially act as the "Apple" for everyone making, say, MeeGo apps.

In the world described above, the x86 ecosystem slowly transitions from being a jungle to a network of walled gardens, with Intel tending one of the largest gardens. If you're using an x86-based GoogleTV, you might participate in Google's walled garden, but not be able to run any other x86 code. Or, if you have an Intel phone from Nokia, you might be stuck in the MeeGo walled garden.

A page from the Web

None of the walled garden approaches described above sound very attractive for the desktop, and they'll probably be rejected outright by many Linux and open-source users. But there is another approach, one which Intel might decide to pursue on the desktop. The company could set up a number of trusted signing authorities for x86 code, and developers could approach any one of them to get their code signed for distribution. This is, of course, the same model used on the Web, where e-commerce sites submit an application for an https certificate.

This distributed approach seems to work well enough online, and I would personally be quite happy to use it on all my PCs. I would also love to hear from users who object to this approach—please jump into the comments below and sound off.

Pick any two

Obviously, security has always been a serious problem in the wild and woolly world of x86 and Windows. This is true mainly because Wintel is the biggest animal in the ecosystem, so bad actors get the most bang for their buck by targeting it. So why has Intel suddenly gotten so serious about it that the company is making this enormous change to the very nature of its core platform?

The answer is fairly straightforward: Intel wants to push x86 into niches that it doesn't currently occupy (phones, appliances, embedded), but it can't afford to take the bad parts along for the ride. Seriously, if you were worried about a particular phone or TV being compromised, you just wouldn't buy it. Contrast this to the Windows desktop, which many users may be forced to use for various reasons.

So Intel's dilemma looks like this: open, secure, ubiquitous—pick any two, but given the economics of the semiconductor industry, "ubiquitous" has to be one of them. Open and ubiquitous have gotten Intel where it is today, and the company is betting that secure and ubiquitous can take it the rest of the way.

Of course, my post title is my own opinion of this idea (note my bold-blue highlight above).

Thursday, September 16, 2010

INTERNET - Internet Explorer 9

"Review: IE9 May Be Best Version Yet" by Jim Rapoza, InformationWeek 9/16/2010

Excerpt

That's because, while IE 9 is much improved over previous versions of IE, very few of the new features in IE 9 are new to the current browser market. In fact, most of the new features in this beta release are simply a matter of IE catching up to Chrome, Firefox, Safari and Opera.

Humm..... Didn't Microsoft claim the same for Vista?

Let's see how many WANTED old features they made hard to enable. Not all of us want the fanciest thing on the block. AND will it work well with WinXP?

Wednesday, September 1, 2010

INTERNET - NNTP Usenet Newsgroup System

This article is about Usenet and its Newsgroups, which use NNTP.

This system is the outgrowth of the old bulletin board system of the DOS days. Think of it as the electronic version of the old office or school cork-board bulletin boards where ANYONE can post notices and the like.

NNTP

The Network News Transfer Protocol (NNTP) is an Internet application protocol used for transporting Usenet news articles (netnews) between news servers and for reading and posting articles by end user client applications. Brian Kantor of the University of California, San Diego and Phil Lapsley of the University of California, Berkeley authored RFC 977, the specification for the Network News Transfer Protocol, in March 1986.

As you can see, this is only a specification that can be used by ANY provider via an NNTP Server.

Usenet (aka Newsnet)

Usenet is a worldwide distributed Internet discussion system. It developed from the general purpose UUCP architecture of the same name.

Duke University graduate students Tom Truscott and Jim Ellis conceived the idea in 1979 and it was established in 1980.[1] Users read and post messages (called articles or posts, and collectively termed news) to one or more categories, known as newsgroups. Usenet resembles a bulletin board system (BBS) in many respects, and is the precursor to the various Internet forums that are widely used today; and can be superficially regarded as a hybrid between email and web forums. Discussions are threaded, with modern news reader software, as with web forums and BBSes, though posts are stored on the server sequentially.

This is the distribution system. Note that NO one entity owns this system. It's public.

ISPs usually have their own NNTP Servers and include access as part of their service. But NNTP Servers are very resource intensive, both in the storage space needed and in maintenance, including the cost involved. This is why many ISPs have dropped their NNTP service.

The industry is shifting to specialized NNTP (Usenet) Providers. They do not provide a connection to the Internet, just the Usenet service. Many have a subscription fee, which is how they make their money. For example, I use Forte's APN, which charges me a monthly fee.

Newsgroups

A Usenet newsgroup is a repository usually within the Usenet system, for messages posted from many users in different locations. The term may be confusing to some, because it is usually a discussion group. Newsgroups are technically distinct from, but functionally similar to, discussion forums on the World Wide Web. Newsreader software is used to read newsgroups.

Despite the advent of file-sharing technologies such as BitTorrent, as well as the increased use of blogs, formal discussion forums, and social networking sites, coupled with a growing number of service providers blocking access to Usenet (see main article) newsgroups continue to be widely used.

Bold emphasis mine

Examples of Newsgroups:
  • microsoft.public.windows.vista.general

  • alt.politics.usa

  • sci.space.station

  • comp.sys.ibm.pc.games.rpg


The main reason I am posting this article is there is a misleading notice being propagated in blogs and Usenet posts that the Microsoft Newsgroups are going away. NOT true.

Microsoft does not own nor control the Usenet system. So Newsgroups in the microsoft.public. series are NOT going to go away. The ONLY way this would happen is that EVERY Usenet Provider worldwide dropped these groups from their servers.

What is happening is Microsoft is dropping the microsoft.public. series from THEIR Usenet servers. They have switched to their Live Forums.

To read Newsgroup posts, you do have to use a Usenet capable client.

Outlook Express includes this feature. There are also clients like Thunderbird (freeware, eMail + Usenet), and Agent (eMail + Usenet) that I use at home.

Note that the examples above are both eMail and Usenet clients. This is because Newsgroup posts are very close to eMails. In fact, in the format of Newsgroup posts the only difference is the "headers." Example: eMails have a To: email-address/name while Newsgroup posts are addressed to a group like alt.politics.usa.
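The header difference described above can be seen by running the same parser over both kinds of message. This is an added example, not code from the original post: it uses Python's standard `email` module, the sample messages and addresses are constructed, and the function names `destinations` and `shared_headers` are hypothetical. It also covers two cases beyond the text: a post sent to several groups at once, and a message that is both posted and mailed.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (not real posts or addresses).
SAMPLE_EMAIL = """\
From: Alice <alice@example.com>
To: Bob <bob@example.com>
Subject: Lunch?
Date: Wed, 01 Sep 2010 10:00:00 -0700
Message-ID: <mail-1@example.com>

See you at noon.
"""

SAMPLE_ARTICLE = """\
From: Alice <alice@example.com>
Newsgroups: alt.politics.usa, sci.space.station
Subject: Crosspost test
Date: Wed, 01 Sep 2010 10:05:00 -0700
Message-ID: <news-1@example.com>

Posted to two groups at once.
"""

SAMPLE_BOTH = """\
From: Alice <alice@example.com>
To: bob@example.com
Newsgroups: comp.sys.ibm.pc.games.rpg
Subject: Posted and mailed
Message-ID: <both-1@example.com>

A reply that was posted and also mailed to the author.
"""


def destinations(raw):
    """Return (kind, newsgroups, mail_recipients) for one raw message."""
    msg = message_from_string(raw)
    # Usenet articles name their destination in a comma-separated Newsgroups header.
    groups = [g.strip() for g in msg.get("Newsgroups", "").split(",") if g.strip()]
    # E-mail names its destination in address headers such as To and Cc.
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    recipients = [addr for _name, addr in pairs if addr]
    if groups and recipients:
        kind = "both"
    elif groups:
        kind = "news"
    elif recipients:
        kind = "email"
    else:
        kind = "unknown"
    return kind, groups, recipients


def shared_headers(raw_a, raw_b):
    """Header names present in both messages (compared case-insensitively)."""
    a = {k.lower() for k in message_from_string(raw_a).keys()}
    b = {k.lower() for k in message_from_string(raw_b).keys()}
    return sorted(a & b)


if __name__ == "__main__":
    samples = [("email", SAMPLE_EMAIL), ("article", SAMPLE_ARTICLE), ("both", SAMPLE_BOTH)]
    for label, raw in samples:
        print(label, destinations(raw))
    print("shared:", shared_headers(SAMPLE_EMAIL, SAMPLE_ARTICLE))
```

The headers the two formats share (From, Subject, Date, Message-ID) are why one client can handle both; only the destination header decides where the message goes.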