Slashdot

Xcott Craver writes "The next Underhanded C Contest has begun, with a deadline of March 1st. The object of the contest is to write short, readable, clear and innocent C code that somehow commits an evil act. This year's challenge: write a luggage routing program that mysteriously misroutes a customer's bag if a check-in clerk places just the right kind of text in a comment field. The prize is a gift certificate to ThinkGeek.com."

miffo.swe writes "I'm trying to find the normal ratio of technicians/support tech per user or computer in your average IT-shop. When searching around, I can't find that many examples or any statistics. We manage around 900 computers (mostly Windows XP) and 25+ servers (mostly Linux). There are around 2600 users of varying knowledge, mostly pretty low. I can't find any statistics on this, so real-world examples are very welcome since we do this with one sysadmin (me) and two sneaker techs. Are we seriously understaffed, or is this normal?"

An anonymous reader writes "I am an IT worker in a mid sized company with approximately 500 employees. There are 30 people on the IT staff, 6 of whom are on the help desk. Our help desk does have significant visibility in the company, and most people know us by face (some by name). Recently the idea has been floated up the management chain to have these help desk workers wear IT department branded shirts. The idea is to promote visibility and unity. Wearing of these shirts would be mandatory Monday through Thursday. The shirts would not be identical (there would be several styles offered). We would be the only department with specific garments outside of the normal business casual dress code. Is management out of line with the industry in promoting this sort of policy change? Is the singling out of 6 employees as 'the IT guys' a step in the right direction, or does it detract from the professionalism that we are trying to display as a department?"

An anonymous reader writes "Adobe Systems' Flash and Acrobat Reader products will become the preferred targets for criminal hackers (PDF) in 2010, surpassing Microsoft Office applications, a security vendor predicted this week. 'Cybercriminals have long picked on Microsoft products due to their popularity. In 2010, we anticipate Adobe software, especially Acrobat Reader and Flash, will take the top spot,' security vendor McAfee said in its '2010 Threat Predictions' report. 'We have absolutely seen an increase in the number of attacks, around Reader in particular and also Flash Player to some extent,' CTO Kevin Lynch told reporters at the Adobe Max conference in October. 'We're working to decrease the amount of time between when we know about a problem and when we release a fix. That used to be a couple of months; now it's within two weeks for critical issues.'"

Hugh Pickens writes "The NY Times reports that German encryption expert Karsten Nohl says that he has deciphered and published the 21-year-old GSM algorithm, the secret code used to encrypt most of the world's digital mobile phone calls, in what he called an attempt to expose weaknesses in the security system used by about 3.5 billion of the 4.3 billion wireless connections across the globe. Others have cracked the A5/1 encryption technology used in GSM before, but their results have remained secret. 'This shows that existing GSM security is inadequate,' Nohl told about 600 people attending the Chaos Communication Congress. 'We are trying to push operators to adopt better security measures for mobile phone calls.' The GSM Association, the industry group based in London that devised the algorithm and represents wireless operators, called Mr. Nohl's efforts illegal and said they overstated the security threat to wireless calls. 'This is theoretically possible but practically unlikely,' says Claire Cranton, a GSM spokeswoman, noting that no one else had broken the code since its adoption. 'What he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me.' Simon Bransfield-Garth, the chief executive of Cellcrypt, says Nohl's efforts could put sophisticated mobile interception technology — limited to governments and intelligence agencies — within the reach of any reasonable well-funded criminal organization. 'This will reduce the time to break a GSM call from weeks to hours,' Bransfield-Garth says. 'We expect as this further develops it will be reduced to minutes.'"

nandemoari writes "When security officials decide to 'go after' computer malware, most conduct their actions from a defensive standpoint. For most of us, finding a way to rid a computer of the malware suffices — but for one computer researcher, however, the change from a defensive to an offensive mentality is what ended the two year chase of a sinister botnet once and for all. For two years, Atif Mushtaq had been keeping the notorious Mega-D bot malware from infecting computer networks. As of this past November, he suddenly switched from defense to offense. Mega-D had forced more than 250,000 PCs to do its bidding via botnet control."

blognoggle writes "Roger Sessions, a noted author and expert on complexity, developed a model for calculating the total global cost of IT failure. Roger describes his approach in a white paper titled The IT Complexity Crisis: Danger and Opportunity. He concludes that IT failure costs the global economy a staggering $6.2 trillion per year."

theodp writes "Technology Review's David Talbot says IT's next grand challenge will be to secure the cloud — and prove we can trust it. 'The focus of IT innovation has shifted from hardware to software applications,' says Harvard economist Dale Jorgenson. 'Many of these applications are going on at a blistering pace, and cloud computing is going to be a great facilitative technology for a lot of these people.' But there's one little catch. 'None of this can happen unless cloud services are kept secure,' notes Talbot. 'And they are not.' Fully ensuring the security of cloud computing, says Talbot, will inevitably fall to emerging encryption technologies."

hacker writes "I have a heavily-hit public server (web, mail, cvs/svn/git, dns, etc.) that runs a few dozen OSS project websites, as well as my own personal sites (gallery, blog, etc.). From time to time, the server has 'unexpected' outages, which I've determined to be the result of hardware, network and other issues on behalf of the provider. I run a lot of monitoring and logging on the server-side, so I see and graph every single bit and byte in and out of the server and applications, so I know it's not the OS itself. When I file 'WTF?'-style support tickets to the provider through their web-based ticketing system, I often get the response of: 'Please provide us with the root password to your server so we can analyze your logs for the cause of the outage.' Moments ago, there were three simultaneous outages while I was logged into the server working on some projects. Server-side, everything was fine. They asked me for the root password, which I flatly denied (as I always do), and then they rooted the server anyway, bringing it down and poking around through my logs. This is at least the third time they've done this without my approval or consent. Is it possible to create a minimal Linux boot that will allow me to reboot the server remotely, come back up with basic networking and ssh, and then from there, allow me to log in and mount the other application and data partitions under dm-crypt/loop-aes and friends?" Read on for a few more details of hacker's situation.

iago-vL writes "Security researchers at SkullSecurity have demonstrated how the NetBIOS protocol allows trivial hijacking due to its design, through the use of a tool called 'nbpoison' (in the package 'nbtool'). If a DNS lookup fails on Windows, the operating system will broadcast a NetBIOS lookup request that anybody can respond to. One vector of attack is against business workstations on an untrusted network, like a hotel; all DNS requests for internal resources can be redirected (Exchange, proxy, WPAD, etc). Other attack vectors are discussed in a related blog post. Although similar attacks exist against DHCP, ARP and many other LAN-based protocols, we all know that untrusted systems on a LAN means game over. NetBIOS poisoning is much quieter and less likely to break other things."

ARos writes "A holiday DDoS attack targeted a west-coast DNS provider, which is known for serving large-scale E-Commerce sites (including amazon.com and walmart.com). 'Neustar, which provides DNS services to high profile website addresses under the UltraDNS brand, said the flood of malicious traffic, just two days before Christmas, was directed at the company's facilities in San Jose and Palo Alto, and that the effects were mostly limited to California users.' CNet adds: 'In addition to the high-profile sites, dozens of smaller sites that rely upon Amazon for Web-hosting services were also taken down by the attack. Amazon's S3 and EC2 services were affected by the problems, according to Jeff Barr, Amazon's lead Web Evangelist, who retweeted a report to that effect without clarification and confirmed it in later tweets.'"

st1d writes to tell us that Wikileaks has put out a call for help. However, instead of just asking for money, they have also suggested technical and legal avenues for support. In the site's short life, Wikileaks has been at the center of many breaking scandals and investigations. "Wikileaks is currently overloaded by readers. This is a regular difficulty that can only be resolved by deploying additional resources. If you support our mission, you can help us by integrating new hardware into our project infrastructure or developing software for the project. Become patron of a WikiLeaks server or other parts of our technology, adding more pillars to the stability and balance of the WikiLeaks platform. Servers come trouble-free and legally fortified, software is uniquely challenging. If you can provide rackspace, power and an uplink, or a dedicated server or storage space, for at least 12 months, or software development work for WikiLeaks, please write to wl-supporters@sunshinepress.org."

An anonymous reader writes "Following Sun Microsystems' decision to release a raft of open source applications to support its secure cloud computing strategy, companies may be wondering if they should conduct security tests of their customized open source software before deployment. While the use of encryption and VPNs to extend a secure bridge between a company IT resource and a private cloud facility is very positive — especially now that Amazon is beta testing its pay-as-you-go private cloud facility — it's important that the underlying application code is also secure. What do you think?"

An anonymous reader writes "The Register reports that the proprietary document format used by the Amazon online store and Amazon's Kindle has been successfully reverse engineered, allowing these DRM-protected documents to be converted into the open MOBI format. Users of alternative e-book readers rejoice." Here are the hacker's notes on the program he is calling "Unswindle," and here is the (translated) forum where the Kindle challenge was posed and answered.

An anonymous reader writes "Joanna Rutkowska's company Invisible Things Lab has issued the results of their research into flaws in Intel's Trusted Execution Technology (TXT), whose function is to provide a mechanism for safe loading of system software and to protect sensitive files. ITL describes how flaws in TXT can be used to compromise the integrity of a software loaded via an Intel TXT-based loader in a generic way, fully circumventing any protection TXT is supposed to provide. The attack exploits an implementation error in the so-called SINIT Authenticated Code modules and that could potentially allow a malicious attacker to elevate their privileges. Intel has released a patch for the affected chipsets, which include the Q35, GM45, PM45 Express, Q45, and Q43 Express." Here are ITL's press release (PDF) and Intel's advisory.

alphadogg writes "US authorities are investigating the theft of an estimated tens of millions of dollars from Citibank by criminals using Russian software tailored for the attack, according to the Wall Street Journal (subscription required to access that link — CNET's coverage here). The security breach at the major US bank was detected mid-year based on traffic from Internet addresses formerly used by the Russian Business Network gang, the WSJ reported today, citing unnamed government sources. The Russian Business Network is a well-known group linked to malicious software, hacking, child pornography, and spam. The FBI is probing the case, the report said. It was not known whether the money had been recovered and a Citibank representative said the company denied any system breach or losses, according to the report."

Esther Schindler writes "According to this article at IT Expert Voice, Windows 7 and IPv6: Useful at Last?, we've had so many predictions that this will be 'the year of IPv6' that most of us have stopped listening. But the network protocol may have new life breathed into it because IPv6 is a requirement for DirectAccess. DirectAccess, a feature in Windows 7, makes remote access a lot easier — and it doesn't require a VPN. (Lisa Vaas interviews security experts and network admins to find out what they think of that idea.) The two articles examine the advantages and disadvantages of DirectAccess, with particular attention to the possibility that Microsoft's sponsorship may give IPv6 the deployment push it has lacked."

itwbennett writes "Hundreds of Operating Systems were released during the past decade, finding their way into microdevices, watches, refrigerators, mobile phones, cars, motorcycles, jets, even the International Space Station. Some worked; some even worked well. Others, sadly, didn't. And some were just ahead of their time. Blogger Tom Henderson takes a look back at the best and worst OSes of the decade. Among the worst? Vista, as you'd suspect, along with WinME. But what about GNU Hurd? And some of the best? Solaris/OpenSolaris 10, Mac OS X, and newcomer Google Android."

Barence writes "Security firm Trend Micro has accused Microsoft of giving malware writers a helping hand by advising users not to scan certain files on their PC because 'they are not at risk of infection.' Trend Micro warns that by making such information available, Microsoft is effectively creating a hit list for malware writers. 'Following the recommendations does not pose a significant threat as of now, but it has a very big potential of being one,' the company's researcher, David Sancho, writes on theTrend Micro blog."

The Washington Post and everybody else is reporting that on Tuesday President Obama will name Howard A. Schmidt as cyber-security czar. Schmidt was an advisor to President Bush on cyber-security matters. The Post rehearses the reasons why the Obama administration has had difficulty in finding someone for the post, and notes that the turf battles did not start in this administration: "Schmidt was chosen after a long process in which dozens of people were sounded out. Many declined the post, largely out of concern that the job conferred much responsibility with little true authority, some of them said. Meanwhile, the cybersecurity chief at the National Security Council, Christopher Painter, has served as the de facto coordinator, trying to push ahead the 60-day cyberspace policy review plan unveiled by Obama in May. That plan's formulation was led by Melissa Hathaway, who resigned in frustration in August after delays in naming a cyber-coordinator. She had been a contender for the position... Schmidt served as special adviser for cyberspace security from 2001 to 2003 and shepherded the National Strategy to Secure Cyberspace, a plan that then was largely ignored. He left that job also frustrated, colleagues said."