I read at news.com.com (.com.com.com.com...) that Microsoft recently announced that many of its Internet Explorer (IE) security upgrades included in Windows XP Service Pack 2 will not be offered for IE on older versions of Windows (2000, ME, etc.). This, IMHO, appears to be a deliberate move by Microsoft to boost sales of its now three year old operating system (XP). Microsoft is effectively holding hostage the security of millions of peoples' computers. The ransom has been set at $99US (the cost of an upgrade to XP).



It's interesting that when Microsoft finally answers some of the concerns much of the security community has had with IE, the "upgrades" are not available for all of their versions of Windows.



This could drive more users into the arms of the Firefox project, but somehow, I think most average users will care little.

Full story at: http://tinyurl.com/4lsda

I received this article via the InfoSec News mailing list (excellent mailing list BTW). It takes a unique look at why open source software (i.e. Linux) is inherently more secure. It's not the same old tired argument of many eyes freely looking at and modify open source code versus the fewer eyes of proprietary code. It covers several more, IMHO, valid arguments, including the modular nature of Unixish OSes, the nearly ritualistic habit of not using root for non-administrative tasks, and the transparency of the Unixish open source OSes.

It's a good, short read.

http://theregister.co.uk/content/55/36033.html

Yeah. I looked for it. It's not hard to find. Three letters should get you to a download in 5 - 10 minutes: I R C.

So far this appears to be getting downplayed by the mainstream press. This is a BIG DEAL. "A leak of any portion 'could dramatically increase the probability that new zero-day vulnerabilities will be found,' said Alan Paller, director of research at the SANS Institute, a security training group based in Bethesda." (The Washington Post - Friday, February 13, 2004)

Think about it for a second. 660 MEGABYTES of source code -- That is a lot! The reported size of the complete Windoze 2000 source code is around 40GB, but 660MB is still a CD full of code. So many exploits were found without access to ANY code. Now, a CD worth is floating around out there for anyone to download. Ouch!?

Of course, the open source community will never ever have this problem. Leaked source code... humph!

UPDATE (17 Feb 2004):

It appears an exploit for Internet Explorer 5 (and Outlook Express) based on the leaked Win2K source code has been released. That didn't take long. Luckily, it's for IE5, which, as the Google Zeitgist says, is one of the least uses browsers on the net.



Read on for the Washington Post article.

Slashdot has a nice discussion about this here.

[read more...]

I just had to share this. I'm actually quite amazed Bill Gates had the balls to say this. It may initially make sense to some, but it's really just spin. If you think back, it was Microsoft who first offered a bounty for the head of a virus writer, yet... they're good? I guess he feels he can pass anything off on the unwashed masses (and... I'm afraid he may be right.). Read on for the article.

[read more...]

An article in the Taipei Times says the Government of Taiwan is under some type of trojan horse based, Windoze targeted cyberattack. According to Taiwan government officials, hackers based in China's Hubei and Fujian provinces have successfully spread 23 different trojan horse programs to at least 10 private technology companies.

Whether this cyberattack is sponsored or sanctioned by the PRC (Peoples Republic of China) governement, the article does not say. But, with so much malicious activity originating from China, I think Lee Hsiang-chen's (captain of the National Police Administration's Criminal Investigation Bureau) advice may be worth remembering: "If there's any lesson from this experience, it is not to use software developed in China or hire Chinese computer programmers, because you're running the risk of having the software you use implanted with [a] Trojan-horse program."

Hacking with a browser - something I've done quite a few times (all with good intentions of course, just ask www.cugy.net), but never really thought of it as hacking. This short little article [http://www.eweek.com/article2/0,3959,741368,00.asp] gives a little insight into how it's done. Not a lot of info, but interesting none the less.

Telecom Asia has a short report about the possibility of the Japanese government replacing Windoze with an open source operating system (read: Linux). It would be very exciting to see Japan, one of the leading technology producing contries in the world, switch to Linux. I find it amazing that my favorite OS has come so far in such a short time.

The article can be found at http://www.telecomasia.net/telecomasia/article/articleDetail.jsp?id=38508.

This WIRED article covers a report by Brit firm mi2g. The report insinuates that cyber-terrorism is bogus (which I happen to agree with) and cites a decrease in intrusions of government systems as proof. Noah Shachtman (the article's author) uses quotes from a couple of big cheeses in the security community to back up the reports questionable outcome. Not really an important story, but it does link in nicely with my previous blurb!