Charlie Miller won't hand over 20 flaws he found by fuzzing Mac OS, Office, Adobe Reader
By Gregg Keizer, Computerworld, March 25, 2010
The only researcher to "three-peat" at the Pwn2Own hacking contest said today that security is such a "broken record" that he won't hand over 20 vulnerabilities he's found in Apple's, Adobe's and Microsoft's software.
Instead Charlie Miller will show the vendors how to find the bugs themselves.
Miller, who yesterday exploited Safari on a MacBook Pro notebook running Snow Leopard to win $10,000 in the hacking challenge, said he's tired of the lack of progress in security. "We find a bug, they patch it," said Miller. "We find another bug, they patch it. That doesn't improve the security of the product. True, [the software] gets incrementally better, but they actually need to make big improvements. But I can't make them do that."
Using just a few lines of code, Miller crafted what he called a "dumb fuzzer," a tool that automatically searches for flaws in software by inserting data to see where the program fails. Fuzzing is a common technique used not only by outside researchers, but by developers to spot bugs before they release the software. Microsoft, for example, has long touted, and used, fuzzing as part of its Security Development Lifecycle (SDL), the term for its in-house process of baking security into products as they're created.
Miller's fuzzer quickly uncovered 20 vulnerabilities across a range of applications, as well as vulnerabilities in Apple's Mac OS X 10.6, aka Snow Leopard, and its Safari browser. He also found the flaws in Microsoft's PowerPoint presentation maker; in Adobe's popular PDF viewer, Reader; and in OpenOffice.org, the open-source productivity suite.
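A minimal "dumb" mutation fuzzer of the kind the article describes, written here as an added illustration (not Miller's tool and not any vendor's code): it knows nothing about the file format, damages a valid seed at random, and buckets every failure it causes so duplicates collapse into one finding. The `parse_tlv` target, its tag-length-value format and the seed bytes are constructed for this example; the hardened variant beside it shows the bounds checks whose absence the fuzzer exposes.

```python
import random
import struct
import traceback

# Constructed seed input: a tiny tag-length-value (TLV) document that the toy
# parser accepts. Each record is 1 tag byte, 1 length byte, then `length` bytes.
SEED = bytes([
    0x01, 0x04, 0x74, 0x65, 0x73, 0x74,   # tag 1: name "test"
    0x02, 0x02, 0x03, 0xE8,               # tag 2: 16-bit count 1000
    0x03, 0x01, 0xFF,                     # tag 3: flags
])


def parse_tlv(data: bytes) -> dict:
    """Hypothetical parser standing in for the document parsers in the article.
    Deliberate defect: the length byte is trusted, so a record claiming more
    bytes than remain reads past the buffer (IndexError here, OOB read in C)."""
    records = {}
    off = 0
    while off < len(data):
        tag = data[off]
        length = data[off + 1]              # fails when the header is truncated
        # Missing check: off + 2 + length <= len(data)
        value = bytes(data[off + 2 + i] for i in range(length))
        if tag == 0x02:
            records["count"] = struct.unpack(">H", value)[0]  # struct.error if length != 2
        elif tag == 0x01:
            records["name"] = value.decode("ascii")
        else:
            records[tag] = value
        off += 2 + length
    return records


def parse_tlv_hardened(data: bytes) -> dict:
    """Same format, with the bounds checks the fuzzer shows to be missing.
    Malformed input is rejected with ValueError instead of an out-of-bounds read."""
    records = {}
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        tag, length = data[off], data[off + 1]
        end = off + 2 + length
        if end > len(data):
            raise ValueError(f"record at {off} claims {length} bytes, {len(data) - off - 2} remain")
        value = data[off + 2:end]
        if tag == 0x02:
            if length != 2:
                raise ValueError("count record must be exactly 2 bytes")
            records["count"] = struct.unpack(">H", value)[0]
        elif tag == 0x01:
            records["name"] = value.decode("ascii")   # UnicodeDecodeError is a ValueError
        else:
            records[tag] = value
        off = end
    return records


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One 'dumb' mutation: no knowledge of the format, just byte-level damage."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:                          # flip one bit
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:                        # overwrite one byte
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2 and len(buf) > 1:               # truncate at a random point
        del buf[rng.randrange(1, len(buf)):]
    else:                                        # insert a random byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(target, seed_input: bytes, iterations: int, seed: int = 0,
         expected=()) -> dict:
    """Feed `iterations` mutated inputs to `target`, bucketing each uncaught
    exception by (exception type, source line) so duplicates collapse into one
    finding. Exceptions listed in `expected` count as graceful rejection.
    Returns {bucket: first input that reproduces it}."""
    rng = random.Random(seed)                    # fixed seed: every run is reproducible
    findings = {}
    for _ in range(iterations):
        case = mutate(rng, seed_input)
        try:
            target(case)
        except expected:
            continue
        except Exception as exc:
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            findings.setdefault((type(exc).__name__, frame.lineno), case)
    return findings


if __name__ == "__main__":
    for parser in (parse_tlv, parse_tlv_hardened):
        found = fuzz(parser, SEED, iterations=2000, seed=1, expected=(ValueError,))
        print(f"{parser.__name__}: {len(found)} distinct failure(s)")
        for (exc_name, line), case in sorted(found.items()):
            print(f"  {exc_name} at line {line}, input {case.hex()}")
```

Each bucket keeps the first input that triggered it, which is the reproducer a developer needs to fix the parser; the hardened parser should produce no buckets at all, because every malformed input is rejected as a ValueError.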
Today, Miller was to take the floor at CanSecWest, the Vancouver, British Columbia-based security conference that also hosts Pwn2Own, to demonstrate how he found the vulnerabilities. He hoped Apple, Microsoft and other vendors would listen to what he has to say.
"People will criticize me and say I'm a bad guy for not handing over [the vulnerabilities], but it actually makes more sense to me to not tell them," Miller said. "What I can do is tell them how to find these bugs, and do what I did. That might get them to do more fuzzing." That, Miller maintained, would mean more secure software.
What really disappointed Miller was how easy it was to find these bugs. "Maybe some will say I'm bragging about finding the bugs, that I can kick ass, but I wasn't that smart. I did the trivial work and I still found bugs."
He went into the project figuring that he wouldn't find any vulnerabilities with the dumb fuzzer. "But I found bugs, lots of bugs. That was both surprising and disappointing." And it also made him ask why vendors like Microsoft, Apple and Adobe, which have teams of security engineers and scores of machines running fuzzers looking for flaws, hadn't found these bugs long ago.
One researcher with three computers shouldn't be able to beat the efforts of entire teams, Miller argued. "It doesn't mean that they don't do [fuzzing], but that they don't do it very well."
By refusing to hand over technical information about the vulnerabilities he uncovered, Miller is betting that Microsoft, Apple and others will duplicate his work, and maybe, just maybe, be motivated to do better. "I think they'll feel some pressure to find these bugs," he said.
Miller used one of the flaws he found by dumb fuzzing yesterday to exploit Safari on a MacBook Pro, walking off with the notebook, $10,000 and a free trip to Las Vegas this summer to the DefCon hacking conference.
Miller also won cash prizes at Pwn2Own in 2008 and 2009, each time by exploiting a Safari vulnerability on the Mac.
Friday, March 26, 2010
Pwn2Own winner tells Apple, Microsoft to find their own bugs
News Corp to charge for UK Times online from June
Reuters, March 26, 2010
LONDON - News Corp (NWSA.O) will charge readers for online versions of its UK Times and Sunday Times newspapers from June, becoming the first media firm to test consumers' appetite to pay for mass-market news online.
Access to two new websites for the two titles will cost 1 pound ($1.49) per day or 2 pounds for a week. Subscribers to the print versions will get free access, News Corp said on Friday.
"This is just the start," said Rebekah Brooks, chief executive of News Corp's British newspaper unit News International which also publishes the Sun daily tabloid and sister paper The News of the World on Sundays.
"At a defining moment for journalism, this is a crucial step towards making the business of news an economically exciting proposition," she said in a statement.
Newspapers in Western Europe and the United States have been battered by the recession while fighting a structural shift in their business from paid-for newspapers to largely free news on the Web.
Two business newspapers -- the Financial Times (PSON.L) and News Corp's Wall Street Journal -- charge readers for online access but consumer publications have so far not followed, fearing a massive loss of readers.
News Corp chief executive Rupert Murdoch has become a kind of champion of paid-for online news, saying Internet giant Google (GOOG.O) has deprived the industry of revenue by making news articles searchable for free.
In January, The New York Times (NYT.N) said it would start charging readers for access to online articles from next year, acknowledging that advertising revenues were unlikely to be able to fund its journalism in the future.
The editors of the Times and Sunday Times promised interactive features to get readers more involved, personalised news feeds, and coming versions for phones, e-readers, tablet computers and other mobile devices.
The Times and the Sunday Times will launch new, separate websites in early May, which will be free to registered customers for a trial period.
The print version of the Times costs 1 pound on weekdays and 1.50 pounds on Saturdays, and the Sunday Times costs 2 pounds. (Reporting by Georgina Prodhan) ($1 = 0.6702 pound)
Microsoft Integrates Foursquare Into Bing Maps; Turns Attention To Signals
By Laurie Sullivan, MediaPost Publications, March 26, 2010
Microsoft plans to deliver new tools in Bing Maps powered by mobile location service Foursquare. The Redmond, Wash. company's Silverlight technology will pull in the data.
Bing has begun to pay more attention to real-time, social and location-based data signals that can provide depth to search queries that serve up tips, comments and other information.
Enhanced location-based services and a variety of other features will become available during the next few months, as Microsoft continues to invest more in its mapping platform. Not just information from "maps" that show location, but a "canvas where you can visualize search data," Adam Sohn, Bing director for the Online Services Division, told MediaPost Thursday. "The concept is related to the notion that there's real data and information behind each search that often gets disaggregated from its physical context."
People searching for information on Bing will finally begin to see the fruits of labor from separate deals inked with Facebook and Twitter last year to deliver real-time data.
The ability to deliver real-time information based on a variety of signals means giving people who search for a particular news source, such as The New York Times, access to connect not only to the main site but to links of the most popular trending stories based on information shared across the Web. Sohn says it's a new way to generate traffic from the search engine to the publisher's site.
Microsoft also plans to enhance Quick Tabs on Bing, moving the tabs from the left rail to the top of the page. The feature aims to deliver results based on what the search engine believes represents the intent of the person searching on the query. The change also represents a new look for the user interface and hopefully a more intuitive way to search.
Bing's focus on "curating content," rather than "cataloging Web sites," supports Forrester Research Principal Analyst Shar VanBoskirk's vision for the future of search. "Think about a search engine as a concierge pointing you to answers you need, instead of presenting lists of sites that have content that matches your query," she says.
VanBoskirk points to the side and the top navigation capabilities. The features allow users to drill into categories of content related to their search without having to do a subsequent search, or click through to pages to see if the content matches their needs.
"I think the other enhancement that really illustrates this shift is the creation of comparison answers and domain task pages," VanBoskirk says. "These are literally aggregations of content, links, images, video specifically to answer the most commonly searched goals associated with different topics. Instead of having to scout through multiple pages, content sources, using multiple queries, Bing curates all of what they think the searcher is after into one page."
Thursday marked the beginning of Bing's spring release. Microsoft will experiment, test and roll out these features during the next several months.
Saturday, October 24, 2009
McCain introduces bill to block Net neutrality
Republican strategy is to paint Net neutrality as government 'control' of Internet
By Daniel Tencer, Raw Story, Oct. 22, 2009
Sen. John McCain (R-AZ) introduced a bill in the Senate on Thursday that would effectively allow Internet service providers to slow down or block Internet content or applications of their choosing.
The move came the same day as the federal government decided to move forward on an official Net neutrality policy that would prevent ISPs from making those types of decisions.
The FCC's new rules would prevent ISPs, for example, from blocking or slowing bandwidth-hogging Web traffic such as streaming video or other applications that put a strain on their networks or from charging different rates to users.
McCain's bill, the Internet Freedom Act, would block the Federal Communications Commission from making Net neutrality the law of the land. The rule preventing ISPs from slowing down certain types of content would create "onerous federal regulation," McCain argued in a written statement.
According to a report at NetworkWorld, McCain "called the proposed Net neutrality rules a 'government takeover' of the Internet that will stifle innovation and depress an 'already anemic' job market in the US."
But supporters of Net neutrality argue that the rule is needed to ensure that Internet providers don't censor content, or slow down traffic to Web sites that are in competition with their business allies.
FCC chairman Julius Genachowski argued that "reasonable and enforceable rules of the road" were needed "to preserve a free and open Internet."
"The Internet's openness has allowed entrepreneurs and innovators, small and large, to create countless applications and services without having to seek permission from anyone," he said.
But, the FCC chairman said, there have been "some significant situations where broadband providers have degraded the data streams of popular lawful services and blocked consumer access to lawful applications."
Two Republicans on the FCC also voted on Thursday to go ahead with the rule-making process, which will be open for public comment until January 14, but voiced misgivings about the plan.
NET NEUTRALITY A 'MARXIST PLOT'?
As the NetworkWorld article notes, McCain was on the opposite side of the Net neutrality debate from President Barack Obama during last year's presidential campaign. During his White House campaign, President Barack Obama came out strongly in favor of Net neutrality, which is backed by companies such as Google, Amazon, Yahoo!, eBay and consumer advocacy groups, but opposed by telecommunications, wireless and cable companies.
Republicans appear to be shifting against Net neutrality and aligning themselves with the telecoms and cable companies.
This week, media watchdog Media Matters criticized conservative news host Glenn Beck for what it said was Beck's allegation that Net neutrality is a "Marxist plot," and that the point of Net neutrality is to "control content," a perspective that prompted Media Matters and other observers to question whether Beck understands the principle of Net neutrality.
In his announcement today, McCain appeared to agree with the notion that Net neutrality represents regulation and control, rather than a lack thereof.
His bill "will keep the Internet free from government control and regulation," McCain said, as quoted by Phil Goldstein at Fierce Wireless. "It will allow for continued innovation that will in turn create more high-paying jobs for the millions of Americans who are out of work or seeking new employment. Keeping businesses free from oppressive regulations is the best stimulus for the current economy."
-- With Agence France-Presse
*****************
Also see:
Net Neutrality on Google Public Policy Blog
Thursday, August 20, 2009
Computer scientists take over electronic voting machine with new programming technique
University of California - San Diego, Eureka! Science News, Aug. 10, 2009
Computer scientists demonstrated that criminals could hack an electronic voting machine and steal votes using a malicious programming approach that had not been invented when the voting machine was designed. The team of scientists from University of California, San Diego, the University of Michigan, and Princeton University employed “return-oriented programming” to force a Sequoia AVC Advantage electronic voting machine to turn against itself and steal votes. “Voting machines must remain secure throughout their entire service lifetime, and this study demonstrates how a relatively new programming technique can be used to take control of a voting machine that was designed to resist takeover, but that did not anticipate this new kind of malicious programming,” said Hovav Shacham, a professor of computer science at UC San Diego’s Jacobs School of Engineering and an author on the new study presented on August 10, 2009 at the 2009 Electronic Voting Technology Workshop / Workshop on Trustworthy Elections (EVT/WOTE 2009), the premier academic forum for voting security research.
In 2007, Shacham first described return-oriented programming, which is a powerful systems security exploit that generates malicious behavior by combining short snippets of benign code already present in the system.
The new study demonstrates that return-oriented programming can be used to execute vote-stealing computations by taking control of a voting machine designed to prevent code injection. Shacham and UC San Diego computer science Ph.D. student Stephen Checkoway collaborated with researchers from Princeton University and the University of Michigan on this project.
“With this work, we hope to encourage further public dialog regarding what voting technologies can best ensure secure elections and what stop gap measures should be adopted if less than optimal systems are still in use,” said J. Alex Halderman, an electrical engineering and computer science professor at the University of Michigan.
The computer scientists had no access to the machine’s source code—or any other proprietary information—when designing the demonstration attack. By using just the information that would be available to anyone who bought or stole a voting machine, the researchers addressed a common criticism made against voting security researchers: that they enjoy unrealistic access to the systems they study.
“Based on our understanding of security and computer technology, it looks like paper-based elections are the way to go. Probably the best approach would involve fast optical scanners reading paper ballots. These kinds of paper-based systems are amenable to statistical audits, which is something the election security research community is shifting to,” said Shacham.
“You can actually run a modern and efficient election on paper that does not look like the Florida 2000 Presidential election,” said Shacham. “If you are using electronic voting machines, you need to have a separate paper record at the very least.”
Last year, Shacham, Halderman and others authored a paper entitled “You Go to Elections with the Voting System You have: Stop-Gap Mitigations for Deployed Voting Systems” that was presented at the 2008 Electronic Voting Technology Workshop. http://cseweb.ucsd.edu/~hovav/papers/hrsw08.html
“This research shows that voting machines must be secure even against attacks that were not yet invented when the machines were designed and sold. Preventing not-yet-discovered attacks requires an extraordinary level of security engineering, or the use of safeguards such as voter-verified paper ballots,” said Edward Felten, an author on the new study; Director of the Center for Information Technology Policy; and Professor of Computer Science and Public Affairs at Princeton University.
Return-Oriented Programming Demonstrates Voting Machine Vulnerabilities
To take over the voting machine, the computer scientists found a flaw in its software that could be exploited with return-oriented programming. But before they could find a flaw in the software, they had to reverse engineer the machine’s software and its hardware—without the benefit of source code.
Princeton University computer scientists affiliated with the Center for Information Technology Policy began by reverse engineering the hardware of a decommissioned Sequoia AVC Advantage electronic voting machine, purchased legally through a government auction. J. Alex Halderman—an electrical engineering and computer science professor at the University of Michigan (who recently finished his Ph.D. in computer science at Princeton) and Ariel Feldman—a Princeton University computer science Ph.D. student, reverse-engineered the hardware and documented its behavior.
It soon became clear to the researchers that the voting machine had been designed to reject any injected code that might be used to take over the machine. When they learned of Shacham’s return-oriented programming approach, the UC San Diego computer scientists were invited to take over the project. Stephen Checkoway, the computer science Ph.D. student at UC San Diego, did the bulk of the reverse engineering of the voting machine’s software. He deciphered the software by reading the machine’s read-only memory.
Simultaneously, Checkoway extended return-oriented programming to the voting machine’s processor architecture, the Z80. Once Checkoway and Shacham found the flaw in the voting machine’s software—a search which took some time—they were ready to use return-oriented programming to expose the machine’s vulnerabilities and steal votes.
The computer scientists crafted a demonstration attack using return-oriented programming that successfully took control of the reverse engineered software and hardware and changed vote totals. Next, Shacham and Checkoway flew to Princeton and proved that their demonstration attack worked on the actual voting machine, and not just the simulated version that the computer scientists built.
The computer scientists showed that an attacker would need just a few minutes of access to the machine the night before the election in order to take it over and steal votes the following day. The attacker introduces the demonstration attack into the machine through a cartridge with maliciously constructed contents that is inserted into an unused port in the machine. The attacker navigates the machine’s menus to trigger the vulnerability the researchers found. Now, the malicious software controls the machine. The attacker can, at this point, remove the cartridge, turn the machine’s power switch to the “off” position, and leave. Everything appears normal, but the attacker’s software is silently at work.
When poll workers enter in the morning, they normally turn this type of voting machine on. At this point, the exploit would make the machine appear to turn back on, even though it was never actually turned off.
“We overwrote the computer’s memory and state so it does what we want it to do, but if you shut off the machine and reboot from ROM, the exploit is gone and the machine returns to its original behavior,” explained Checkoway.
The computer scientists tested a machine that is very similar to machines that are used today in New Jersey and Louisiana. These New Jersey and Louisiana machines may have corrected the specific vulnerabilities the computer scientists exploited, but they have the same architectural limitations. The researchers highlight the possibility that current voting machines will be vulnerable to return-oriented programming attacks similar to the attack demonstrated in this study.
“This work shows how difficult it is to design voting machines that will remain secure over time. It’s impossible to anticipate what new kinds of attacks will be discovered in the future,” said Halderman.
Sunday, August 9, 2009
AT&T Internet to compete with Charter Cable in most of Anderson County
By Mike Ellis, Anderson Independent-Mail, Aug. 9, 2009
ANDERSON COUNTY — Monday is the first day that AT&T will offer high-speed Internet access in Anderson County that will compete with Charter Cable and satellite companies.
The platform is called U-verse and offers more than 100 channels of television programming, along with optional telephone service, high-speed Internet access and cell phone service.
“All on one bill,” said Amy Bristle, AT&T spokeswoman.
The program runs through telephone lines, not cable lines.
After cyber attacks, White House must strengthen nation's computer security
By The Kansas City Star Editorial Board, Midwest Voices, Aug. 9, 2009
Last month, a surge of cyber attacks temporarily crashed more than two dozen government and commercial Web sites in the United States and South Korea.
Experts described the attacks as minor, but they emphasized a growing threat and offered a reminder for the Obama administration that it should move more quickly on this front.
With so much of our lives, histories and finances all online, this is a huge problem.
So far, the White House has made little progress in boosting the nation’s cyber security.
In May, President Barack Obama announced creation of a new effort to “deter, prevent, detect and defend” attacks by computer. A 38-page plan was made public, but it offered few details about how those goals would be met.
Analyst predicts Apple mini-computer in ’10
Tablet will look like an iPod Touch, but a bit larger, may cost $500 to $700
AP, msnbc.com, Aug. 7, 2009
NEW YORK — A prominent technology analyst predicted that Apple Inc. would release a "tablet" or mini-computer for sale early next year, and that it could boost the consumer electronics company's revenue by 3 percent in 2010.
Speculation of a tablet from Apple has been swirling among analysts and technology blogs for a couple years as other PC makers post big sales of netbooks.
The tablet from Apple will look like an iPod Touch, but a bit larger, said Gene Munster, a Piper Jaffray analyst, in a research note Friday. He said he spoke with an Asian component supplier that had received orders from Apple for a touch-screen device that would need to be filled by late this year.
Munster estimated the tablet would be priced between $500 and $700 and would compete with netbooks, the tiny, low-cost, low-power laptops made by Dell, Acer, Hewlett-Packard, Toshiba and other computer manufacturers. Sony, the Japanese electronics and media giant, recently announced it would start selling a netbook in Japan in August, with global rollouts following.
Ford Pickup Trucks Feature In-Dash Computers
By Bill Howard, PCMag.com, Aug. 7, 2009
Say you manage a construction site and need a rugged laptop computer. Rather than spend $3,000-$5,000 for a ruggedized laptop computer and locking pedestal stand for your pickup truck, Ford offers an in-dash computer with Internet access and wireless keyboard for $1,195.
"I bet it's the first time you've ever seen Google running on the dashboard of a vehicle," says Bill Frykman, Ford Work Solutions business development manager.
The package also includes remote access, Bluetooth, and Garmin-developed navigation - in other words, a Happy Meal of Technology for less than the cost of integrated in-dash navigation alone.
This Ford Work Solutions system is available on Ford F-Series pickups, E-Series (Econoline) vans, and the Ford Transit Connect mini delivery van. The only downsides are that you can't have Ford Sync, the industry-leading music and Bluetooth system, and the screen seems small for doing serious work. Ford says the center-dash location precludes a bigger screen, at least for now.
Hackers Expose Weakness in Visiting Trusted Sites
There are major problems in the way browsers interact with Secure Sockets Layer (SSL) certificates, which is a common technology used on banking, e-commerce and other sites handling sensitive data. Browser makers and the companies that sell SSL certificates are working on a fix. VeriSign maintains that its certificates aren't vulnerable.
By Jordan Robertson, Top Tech News, Aug. 6, 2009
A powerful new type of Internet attack works like a telephone tap, except it operates between computers and Web sites they trust.
Hackers at the Black Hat and DefCon security conferences have revealed a serious flaw in the way Web browsers weed out untrustworthy sites and block anybody from seeing them. If a criminal infiltrates a network, he can set up a secret eavesdropping post and capture credit card numbers, passwords and other sensitive data flowing between computers on that network and sites their browsers have deemed safe.
In an even more nefarious plot, an attacker could hijack the auto-update feature on a victim's computer, and trick it into automatically installing malware pulled in from a hacker's Web site. The computer would think it's an update coming from the software manufacturer.
The attack was demonstrated by three hackers. Independent security researcher Moxie Marlinspike presented alone, while Dan Kaminsky, with Seattle-based security consultancy IOActive Inc., and security and privacy researcher Len Sassaman presented together.
Monday, August 3, 2009
U.S. and Russia Differ on a Treaty for Cyberspace
By JOHN MARKOFF and ANDREW E. KRAMER, NYTimes.com, June 27, 2009
The United States and Russia are locked in a fundamental dispute over how to counter the growing threat of cyberwar attacks that could wreak havoc on computer systems and the Internet.
Both nations agree that cyberspace is an emerging battleground. The two sides are expected to address the subject when President Obama visits Russia next week and at the General Assembly of the United Nations in November, according to a senior State Department official.
But there the agreement ends.
Russia favors an international treaty along the lines of those negotiated for chemical weapons and has pushed for that approach at a series of meetings this year and in public statements by a high-ranking official.
The United States argues that a treaty is unnecessary. It instead advocates improved cooperation among international law enforcement groups. If these groups cooperate to make cyberspace more secure against criminal intrusions, their work will also make cyberspace more secure against military campaigns, American officials say.
“We really believe it’s defense, defense, defense,” said the State Department official, who asked not to be identified because authorization had not been given to speak on the record. “They want to constrain offense. We needed to be able to criminalize these horrible 50,000 attacks we were getting a day.”
Any agreement on cyberspace presents special difficulties because the matter touches on issues like censorship of the Internet, sovereignty and rogue actors who might not be subject to a treaty.
United States officials say the disagreement over approach has hindered international law enforcement cooperation, particularly given that a significant proportion of the attacks against American government targets are coming from China and Russia.
And from the Russian perspective, the absence of a treaty is permitting a kind of arms race with potentially dangerous consequences.
Officials around the world recognize the need to deal with the growing threat of cyberwar. Many countries, including the United States, are developing weapons for it, like “logic bombs” that can be hidden in computers to halt them at crucial times or damage circuitry; “botnets” that can disable or spy on Web sites and networks; or microwave radiation devices that can burn out computer circuits miles away.
The Pentagon is planning to create a military command to prepare for both defense and offensive computer warfare. And last month, President Obama released his cybersecurity strategy and said he would appoint a “cybersecurity coordinator” to lead efforts to protect government computers, the air traffic control system and other essential systems. The administration also emphasizes the benefits of building international cooperation.
The Russian and American approaches — a treaty and a law enforcement agreement — are not necessarily incompatible. But they represent different philosophical approaches.
In a speech on March 18, Vladislav P. Sherstyuk, a deputy secretary of the Russian Security Council, a powerful body advising the president on national security, laid out what he described as Russia’s bedrock positions on disarmament in cyberspace. Russia’s proposed treaty would ban a country from secretly embedding malicious codes or circuitry that could be later activated from afar in the event of war.
Other Russian proposals include the application of humanitarian laws banning attacks on noncombatants and a ban on deception in operations in cyberspace — an attempt to deal with the challenge of anonymous attacks. The Russians have also called for broader international government oversight of the Internet.
But American officials are particularly resistant to agreements that would allow governments to censor the Internet, saying they would provide cover for totalitarian regimes. These officials also worry that a treaty would be ineffective because it can be almost impossible to determine if an Internet attack originated from a government, a hacker loyal to that government, or a rogue acting independently.
The unique challenge of cyberspace is that governments can carry out deceptive attacks to which they cannot be linked, said Herbert Lin, director of a study by the National Research Council, a private, nonprofit organization, on the development of cyberweapons.
This challenge became apparent in 2001, after a Navy P-3 surveillance plane collided with a Chinese fighter plane, said Linton Wells II, a former high-ranking Pentagon official who now teaches at the National Defense University. The collision was followed by a huge increase in attacks on United States government computer targets from sources that could not be identified, he said.
Similarly, after computer attacks in Estonia in April 2007 and in the nation of Georgia last August, the Russian government denied involvement and independent observers said the attacks could have been carried out by nationalist sympathizers or by criminal gangs.
The United States is trying to improve cybersecurity by building relationships among international law enforcement agencies. State Department officials hold out as a model the Council of Europe Convention on Cybercrime, which took effect in 2004 and has been signed by 22 nations, including the United States but not Russia or China.
But Russia objects that the European convention on cybercrime allows the police to open an investigation of suspected online crime originating in another country without first informing local authorities, infringing on traditional ideas of sovereignty. Vladimir V. Sokolov, deputy director of the Institute for Information Security Issues, a policy organization, noted that Russian authorities routinely cooperated with foreign police organizations when they were approached.
This is not the first time the issue of arms control for cyberspace has been raised.
In 1996, at the dawn of commercial cyberspace, American and Russian military delegations met secretly in Moscow to discuss the subject. The American delegation was led by an academic military strategist, and the Russian delegation by a four-star admiral. No agreement emerged from the meeting, which has not previously been reported.
Later, the Russian government repeatedly introduced resolutions calling for cyberspace disarmament treaties before the United Nations. The United States consistently opposed the idea.
In late April, Russian military representatives indicated an interest in renewed negotiations at a Russian-sponsored meeting on computer security in Garmisch, Germany.
John Arquilla, an expert in military strategy at the Naval Postgraduate School in Monterey, Calif., who led the American delegation at the 1996 talks, said he had received almost no interest from within the American military after those initial meetings. “It was a great opportunity lost,” he said.
Unlike American officials who favor tightening law enforcement relationships, Mr. Arquilla continues to believe in cyberspace weapons negotiations, he said. He noted that the treaties on chemical weapons had persuaded many nations not to make or stockpile such weapons.
The United States and China have not held high-level talks on cyberwar issues, specialists say. But there is some evidence that the Chinese are being courted by Russia for support of an arms control treaty for cyberspace.
“China has consistently attached extreme importance to matters of information security, and has always actively supported and participated in efforts by the international community dedicated to maintaining Internet safety and cracking down on criminal cyber-activity,” Qin Gang, spokesman for the Foreign Ministry, said in a statement.
Whether the American or Russian approach prevails, arms control experts said, major governments are reaching a point of no return in heading off a cyberwar arms race.
John Markoff reported from New York, and Andrew E. Kramer from Moscow. Edward Wong and Xiyun Yang contributed reporting from Beijing.
Wednesday, July 8, 2009
Introducing the Google Chrome OS
Official Google Blog, July 7, 2009
It's been an exciting nine months since we launched the Google Chrome browser. Already, over 30 million people use it regularly. We designed Google Chrome for people who live on the web — searching for information, checking email, catching up on the news, shopping or just staying in touch with friends. However, the operating systems that browsers run on were designed in an era where there was no web. So today, we're announcing a new project that's a natural extension of Google Chrome — the Google Chrome Operating System. It's our attempt to re-think what operating systems should be.
Google Chrome OS is an open source, lightweight operating system that will initially be targeted at netbooks. Later this year we will open-source its code, and netbooks running Google Chrome OS will be available for consumers in the second half of 2010. Because we're already talking to partners about the project, and we'll soon be working with the open source community, we wanted to share our vision now so everyone understands what we are trying to achieve.
Speed, simplicity and security are the key aspects of Google Chrome OS. We're designing the OS to be fast and lightweight, to start up and get you onto the web in a few seconds. The user interface is minimal to stay out of your way, and most of the user experience takes place on the web. And as we did for the Google Chrome browser, we are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don't have to deal with viruses, malware and security updates. It should just work.
Tuesday, July 7, 2009
Internet radio sites, music industry reach agreement over royalties
Deal with SoundExchange allows large webcasters such as Pandora to pay lower per-song royalties or 25% of their total revenue.
By Jim Puzzanghera, Los Angeles Times, July 8, 2009
Reporting from Washington -- The music won't stop for Internet radio after a group of webcasters struck an agreement with SoundExchange, the organization that collects royalties for musicians and record companies, over payments for playing music online.
The settlement ends a 2 1/2-year dispute that had threatened to silence the nascent Internet radio business and had forced some people who started online stations as a hobby to quit for fear of accruing expensive royalty bills.
The deal joins a series of agreements made this year that cover various sectors of the industry, including small webcasters and conventional radio stations that simulcast their broadcasts online, and have resolved much of the controversy.
Tuesday's settlement allows websites that stream music to avoid per-song royalty payments that were set in 2007 by a special federal court and that many Internet radio sites said would force them out of business. Instead, Pandora Media Inc. and other large webcasters can choose an alternative rate structure that allows them to pay lower per-song royalties or 25% of their revenue -- a major break, given that many webcasters don't make much money yet.
New Security Vulnerability in Internet Explorer Affects Windows XP & Microsoft Server 2003 Users
There is a new security vulnerability in Internet Explorer affecting users of Windows XP or Microsoft Server 2003. It allows attackers to take control of a PC remotely.
Microsoft has issued a workaround for the problem, published in a Microsoft Security Advisory.

