A Gulf War veteran and his wife say they’ve been unfairly placed on a federal list that limits their commercial flight access and threatens his job as a commercial pilot. To fight back, the couple, who are Muslim, filed a lawsuit today against a host of U.S. government agencies. “We don’t know why they’re on the list. They don’t know why they’re on the list. The government won’t tell us why they’re on the list,” said Amy Foerster, an attorney with Saul Ewing, who is providing pro bono counsel and working with the American Civil Liberties Union of Pennsylvania and the Schuylkill County couple on the case, which was filed in U.S. district court…James Robinson is a retired Air National Guard brigadier general and a commercial pilot for a major airline who flies passenger planes around the country. James Robinson is a retired brigadier general and a commercial pilot. His name is on the terrorist “watch list.”

He has even been certified by the Transportation Security Administration to carry a weapon into the cockpit as part of the government’s defense program should a terrorist try to commandeer a plane.

But there’s one problem: James Robinson, the pilot, has difficulty even getting to his plane because his name is on the government’s terrorist “watch list.”

Robinson is one of many James Robinsons on the list, including a 5-year-old. Good news, though — all you need to do to avoid the secondary screening is fly under your initials, rather than name. Better hope the terrorists never figure that out. Ho ho ho TSA.

Source

Source

19.5V 65W AC Adapter PA-12 For DELL Inspiron Laptop NEW US $16.96 End Date: Wednesday Aug-20-2008 8:32:00 PDT Buy it now | Add to watch list

IBM ThinkPad T40 1.5GHz 1GB 40GB DVD LAPTOP OFFICE US $310.00 (37 Bids) End Date: Wednesday Aug-20-2008 8:32:00 PDT Bid now | Add to watch list

APPLE MAC POWERBOOK G3 LAPTOP NOTEBOOK COMPUTER NR US $132.41 (10 Bids) End Date: Wednesday Aug-20-2008 8:32:00 PDT Bid now | Add to watch list

14.1" 14 Sleeve Case/Bag IBM HP Dell HP Laptop/Notebook US $1.00 End Date: Wednesday Aug-20-2008 8:32:01 PDT Buy it now | Add to watch list

7 Pin S-Video To 3 RCA Cable Adapter HDTV for PC/Laptop US $4.99 End Date: Wednesday Aug-20-2008 8:32:12 PDT Buy it now | Add to watch list

Authorities late last week acknowledged that a ring of cyber-thieves has stolen tens of thousands of credit card numbers from Louisiana and Mississippi restaurants this year. One bank alone says it has lost more than $1 million as a result of the attacks, according to news reports about the identity thefts.

And across the pond in Ireland, data thieves masquerading as bank technicians have fooled store owners into giving them access to credit card terminals and managed to download the details of over 20,000 credit and debit cards, according to an Irish news outlet.

The attacks come on the heels of a huge arrest and indictment made two weeks ago, when 11 perpetrators allegedly involved in the hacking of nine major U.S. retailers, and the theft and sale of more than 40 million credit and debit card numbers were charged with engineering the largest hacking and identity theft conspiracy ever prosecuted in the U.S.

That case linked several high-profile data breaches of the last two years — including TJX Companies, BJ’s Wholesale Club, Barnes & Noble, and Dave & Buster’s — to a single group of conspirators. But apparently, it didn’t break all of the rings of thieves who might use vulnerabilities in local retail wireless systems to crack credit card information.

The U.S. restaurants began reporting the thefts beginning in March in Baton Rouge, La. followed by similar cases in Flowood, Lafayette, Lake Charles, and West Monroe, Miss. The hackers stole credit and debit card numbers from 16 restaurants’ computer systems, then sought to sell them for anywhere between $1 and $100 each, according to special agent Sean Connor of the U.S. Secret Service.

Law enforcement agencies in Louisiana and Mississippi did not give details on the methods used by the criminals, but they did say they believe that the thefts are connected and multiple thieves are likely working together. Experts speculate that the attackers are using a technique similar to the one used at TJX, in which criminals “eavesdrop” on in-store wireless systems and gain access to the database of customer and credit card data.

In Ireland, attackers are taking advantage of weaknesses in in-store security as well, but using a more brazen attack. The Irish Payment Services Organisation has warned that individuals pretending to be from Irish banks convinced shop owners that they were carrying out maintenance on point-of-sale systems on behalf of the banks. This enabled them to plug in wireless devices that pushed the data to the Internet, where the card numbers could be used overseas.

The scam has forced Irish banks to restrict cash withdrawals to about $200 a day for cardholders traveling outside the country. Law enforcement officials say they have retrieved closed-circuit TV footage of the gang in action.

The new attacks show that despite the blockbuster arrest, retail establishments are still being raided for large volumes of personal data. The PCI Standards Security Council issued further revisions to retail standards for handling credit card data earlier today.

Source

The situation is detailed by Fred von Lohman of the Electronic Frontier Foundation. von Lohman has tracked how data is provided by two different streaming services, and found that both of them ship raw, unencrypted MP3 data direct to the user’s machine.

One of the sites, imeem, is an ad-supported social media site that, along with hosting blogs and video, streams songs to their registered users. Those songs, which are packaged up in Adobe Flash format, apparently get saved in the operating system’s temporary items folder. These files get purged quickly or overwritten by the next song downloaded, but interested users can quickly copy them out before this happens. Extracting the sound portion of a Flash file is not technically challenging, either.

The other site mentioned, Lala, offers a variety of music services, including basic purchases of DRM-free music. But it also offers browser-based streaming of songs for a low fee of $.10—simply pay once, and you can load it up in the bowser whenever you want. Or not. A quick check of network activity shows that it’s simply sending raw MP3 data along with some wrappers that compel the browser not to cache it. Getting access to that is probably a bit harder than cracking open a Flash file, but still not exactly rocket science.

These companies have not always gotten along well with the labels, but currently have licenses for everything they stream. This doesn’t mean that the record companies necessarily condone this DRM-through-obscurity approach—although von Lohman concludes that they do, and reads this as a sign that streaming DRM is dead. At the least, it suggests that the labels don’t care enough to check whether the companies are implementing a significant barrier to piracy.

In either case, it’s clear that the labels aren’t viewing these relatively low-profile streaming companies as either a major contributor to piracy, or a major strategic threat, so they apparently don’t care enough to make sure that DRM is actually being enforced. Which, as we noted at the outset, is another indication that DRM is no longer about piracy, but all about a marketing strategy.

Source

In a survey of more than 3,000 computers, performance testing software developer Devil Mountain Software estimated that more than one in three new machines had either been downgraded by vendors such as Dell, or by customers once they bought the PC.

The results were garnered by the research firm’s CTO Craig Barth in collaboration with InfoWorld. He based the numbers on Devil Mountain’s Exo.performance.network by collating the vendor and system model number with computer vendors’ catalogues.

Barth used that data to identify PCs that had probably been shipped within the past six months – a period of time when it was highly likely that most new machines came pre-installed with Vista.

That’s a damning verdict on an OS that Microsoft still wants frustrated customers to love.

But even in Redmond the mood has undergone a somewhat dramatic shift in recent days. Microsoft wonks are now doing their best to stoke up interest about Windows 7, the successor to Vista. The company’s Windows’ boss Steven Sinofsky has even started up a new blog (“honestly, I penned it,” he proclaims) about the next operating system to ram home the message that Microsoft can do “disclosure” and deliver on time.

The software beast has already admitted it made some pretty big mistakes with Vista. Now, after trying some heavy duty marketing, Microsoft has finally conceded it’s high time to move on by explaining how MS will engineer Windows 7.

Cue Sinofsky comparing his Windows team to a Mozart opera… and also Goldilocks.

“I’m reminded of a scene from Amadeus,” he chimed, “where the Emperor suggests that the Marriage of Figaro contains ‘too many notes’ to which Mozart proclaims ‘there are just as many notes, Majesty, as are required, neither more nor less.’ Upon the Emperor suggesting that Mozart remove a few notes, Mozart simply asks ‘which few did you have in mind?’.

“Of course the people on the team represent the way we get feature requests implemented and develop end to end scenarios, so the challenge is to have the right team and the right structure to maximise the ability to get those done – neither too many nor too few.”

Whether the three bears – Apple, Linux and EU/US regulators – will wade in to spoil the party remains to be seen. But Microsoft really does need to dish up an operating system that is “just right” this time.

Source

7 To ensure that only the companies that pay millions of dollars to be official Olympic sponsors enjoy the benefits of exposure in Olympic venues, organizers have covered the trademarks of nonsponsors with thousands of little swatches of tape.In media centers, dormitories and arena bathrooms, pieces of tape cover logos of fire extinguishers, light switches, thermostats, bedroom night tables, soap dispensers and urinals. The Taiden Industrial translation headsets in a large conference room have had their logos covered, as have the American Standard faucets in the bathrooms nearby, and the ThyssenKrupp escalators down the hall.

At the Athens games, people wearing logoed t-shirts were asked to remove them or turn them inside-out before entering the stadia. Nothing says “incorruptible international competition” like a bunch of bullshit rules about what your t-shirt is allowed to say and whether an elevator can display its manufacturer’s mark.

Source

Instead, such an assault may be carried out in cyberspace by shadowy hackers half a world away. And Internet security experts believe that it could be just as devastating to the U.S.’s economy and infrastructure as a deadly bombing.

Experts say last week’s attack on the former Soviet republic of Georgia, in which a Russian military offensive was preceded by an Internet assault that overwhelmed Georgian government Web sites, signals a new kind of cyberwar, one for which the United States is not fully prepared.

“Nobody’s come up with a way to prevent this from happening, even here in the U.S.,” said Tom Burling, acting chief executive of Tulip Systems, an Atlanta, Georgia, Web-hosting firm that volunteered its Internet servers to protect the nation of Georgia’s Web sites from malicious traffic.

“The U.S. is probably more Internet-dependent than any place in the world. So to that extent, we’re more vulnerable than any place in the world to this kind of attack,” Burling added. “So much of what we’re doing [in the United States] is out there on the Internet, and all of that can be taken down at once.”

“This is such a crucial issue. At every level, our security now is dependent on computers,” said Scott Borg, director of the United States Cyber Consequences Unit, a nonprofit research institute. “It’s a whole new era. Political and military conflicts now will almost always have a cyber component. The chief targets will be critical infrastructure, and the attacks will emerge from within our own computer systems.”

Hackers mounted coordinated assaults on Georgian government, media, banking and transportation sites in the weeks before Russian troops invaded. Known as distributed denial of service, the attacks employ multiple computers to flood networks with millions of simultaneous requests, overwhelming servers and crippling Web sites.

Hackers shut down the Web site of the Georgian president, Mikheil Saakashvili, for 24 hours and defaced the Georgian parliament site with images of Adolf Hitler. Saakashvili blamed Russia for the attacks, although the Russian government said it was not involved.

Web sites and computer networks have been targeted by hackers for decades, although large-scale, coordinated cyberattacks are still a relatively new phenomenon. Some Internet-security experts believe that the Georgia conflict marks the first time a known cyberattack has coincided with a ground war, but others said that similar computer attacks have accompanied military operations in the Middle East and elsewhere.

The challenge to U.S. security experts is that such attacks can be mounted anonymously, and relatively cheaply, from anywhere in the world. Georgia’s attackers employed “botnets,” or malicious automated programs that take root undetected in far-flung computers and barrage their targets with useless data. By last Friday, some of those botnets were originating from Comcast Internet addresses in the United States, Burling said.

“It only takes a couple of experts; it doesn’t take a whole cyber infantry division to pull something like this off,” said Don Jackson, director of threat intelligence for SecureWorks, an Atlanta-based computer security firm. “For a very small investment in resources, you can have a huge impact.”

In the United States, government computer networks parry millions of attempted intrusions every day, Internet-security experts say. The U.S. Department of Homeland Security created a National Cybersecurity Center this year to coordinate federal cyberdefense efforts and quicken responsiveness. However, a recent Homeland Security Department intelligence report, obtained by The Associated Press, concluded that there are no effective means to prevent a coordinated attack on U.S. Web sites.

“When it comes to our government IT security, we’re pretty strong in protecting against [attacks],” Homeland Security spokesman William R. Knocke told CNN. “But I wouldn’t say … we’re 100 percent impenetrable.”

So what would a cyberattack on the United States look like? And where is the U.S. most vulnerable? It depends on who you talk to.

Borg does not believe that the U.S. is susceptible to the kind of attacks launched at Georgia.

“We can command so much bandwidth that it’s hard to overwhelm our servers,” he said. “We are vulnerable to more sophisticated attacks, but right now most of the people who want to do us harm don’t have those capabilities.”

The Web sites of key government security agencies, such as the Pentagon and the Central Intelligence Agency, are difficult to bring down, experts said. So are the computer networks of large American banks. But experts say a successful, large-scale attack on U.S. computer systems could hobble electric-power grids, transportation networks and industrial-supply chains.

“You’d see some disruption of essential services, like electricity. You’d definitely see espionage,” said James A. Lewis, a senior fellow at the Center for Strategic and International Studies in Washington. “Would it be decisive? No. Nobody’s going to win a conflict with the United States in cyberspace. But would it be disruptive and irritating? Yes.”

Federal researchers who launched an experimental cyberattack last year in Idaho caused a generator to self-destruct, prompting fears about the effect of a real attack on the nation’s electrical supply.

And a May report by the Government Accountability Office found that the Tennessee Valley Authority, which supplies power to almost 9 million people in the southeastern U.S., had not installed sufficient cybersecurity measures. Spokesman Jim Allen said the TVA, the nation’s largest publicly owned utility company, is “on track” to correct the problems.

What frustrates computer-security experts is that the features that make the Internet such an invaluable resource — its openness and interconnectedness — also make it easier for hackers to do harm. As a staple of 21st-century warfare, cyberattacks will become increasingly sophisticated, forcing governments and private industry to build ever-stronger firewalls and other defenses, experts said.
advertisement

Also, vague international laws and a lack of accountability will continue to make tracking down and prosecuting cyberattackers difficult.

“We don’t know quite what the rules are for this kind of conflict. If it’s spying, it’s illegal. But is it an act of war? And who do you arrest?” Lewis asked. “We’re much safer [in the U.S.] than we were a year ago. But we still have a long way to go.”

Source

Cheers to the persons using /.+@.+/ as their email validation regex… I like to try “root@localhost” to see if it’ll take it.

Realizing this, some people suggest we stop validating email addresses by computation of any sort. Instead, they say we should just send a validation email to the address. If it doesn’t bounce, and if the user clicks the validation link or replies the validation email, then the address is valid.

Of course, almost all big websites do this, and I find it the most obnoxious part of website registration.

New Racing Steering Wheel w/ Stand for Nintendo Wii US $12.48 End Date: Wednesday Aug-20-2008 8:32:00 PDT Buy it now | Add to watch list

NEW BLUE LED COOLER CHARGING STAND FOR WII NINTENDO US $13.04 End Date: Wednesday Aug-20-2008 8:32:00 PDT Buy it now | Add to watch list

8 in 1 Sports Pack for Nintendo Wii Remote Controller US $18.49 (0 Bid) End Date: Wednesday Aug-20-2008 8:32:06 PDT Bid now | Buy it now | Add to watch list

Used Nintendo Wii Japanese( you can play download game) US $300.00 (1 Bid) End Date: Wednesday Aug-20-2008 8:32:14 PDT Bid now | Add to watch list

NEW NINTENDO Wii SYSTEM + Wii PLAY +4 REMOTES +14 GAMES US $365.00 (20 Bids) End Date: Wednesday Aug-20-2008 8:32:20 PDT Bid now | Add to watch list

The whole thing baffles me… What’s the benefit of electronic voting machines? It’s convenience, and speed of tabulation. We (at least our media) are obsessed with having results the night of the election and having it over with. All so that the news networks can donate an entire day to watching the results come in and announce it that night American Idol style. But what’s the point? You have months before someone has to be sworn in. We should focus on security and reliability, instead of speed. Paper does fine.

Of course now I’m talking as if Diebold wants an honest election.

So, how long will a billion quench our thirst for addresses? Geoff Huston at the Asia Pacific Network Information Centre has written a script that downloads the relevant information and creates daily predictions. The current ones target 10 February 2011 as the moment that IANA will give out the last of its blocks to one of the regional registries, and 17 December 2011 as the day that the last RIR will hand out the last IPv4 address to an ISP (or end-user).

Personally, I’ve always thought that Geoff’s model is a bit pessimistic; in order to run out of addresses in a little over three years, we’d have to increase the rate at which addresses are handed out by 30 percent each year. In 2007, the increase over 2006 was 19 percent. The year before that there was no increase to speak of.

However, we’re now so close to running out that the exact figures don’t really matter anymore. Regardless of whether we see our yearly IPv4 use stay flat or increase by 70 percent, the results all point in the same direction:

In other words, unless something unexpected happens, we’ll be out of IPv4 addresses at some point in the neighborhood of 2012. So when the next Olympics come around, it’s very possible that some of us will have to watch them online over IPv6. (Actually the official website of the 2008 Olympics is already available over IPv6.)

If all of this inspires you to try out IPv6 on your own system, have a look at SixXS.net. The people at SixXS run a “tunnel broker” and have developed an Automatic IPv6 Connectivity Client Utility (AICCU) that make it possible to get an IPv6 address and tunneled connectivity that works through Network Address Translators and most firewalls. Unfortunately, the AICCU utility isn’t particularly easy to install and configure, so only give this a try if you’re comfortable debugging network connectivity issues and running programs from the command line.

¹ IPv4 addresses are 32 bits long, which allows for 4,294.97 million unique combinations. However, the addresses starting with 0 and 127 (33.55 million in total) can’t be used because those address ranges are shortcuts for the default route and localhost address. Addresses starting with 224 - 239 are multicast addresses (268.44 million) and those starting with 240 - 255 are “class E” addresses (another 268.44 million), which are reserved for future use. Unfortunately, almost all operating systems and routers block these addresses in some way, so in practice they’re unusable. The three ranges of private addresses (10.x.x.x, 172.16.x.x - 172.31.x.x, and 192.168.x.x) add up to 17.89 million addresses, making for a total of 588.32 million unusable addresses.

Source

Generally I would receive agency-specific CVs, where they had reformatted the candidate’s CV, and in places tweaked the content. Over time it became clear that some agencies certainly did a lot more than reformatting, adding things they thought I wanted to see. This was really annoying, as the fabrication would reveal itself at some point in the process, sometimes after wasting time on a candidate.

We needed a software tester, and while writing the task description I decided to see how far the agencies would go. The descriptions all had a section listing required skills and experience, and another listing desirables. In the required section I listed “Pink box testing experience”. There’s no such thing as Pink box testing (see below) - I made it up to see if I received any CVs with pink box testing listed.

Sure enough, a week or so after putting out the description, I received a CV for a software tester. He clearly had a lot of relevant experience, but the agency had added pink box testing as one of his strengths (it was an agency modification, not a claim of the candidate). It was fun ringing up the agent and explaining that he’d been caught in my trap, and listening to him trying to weasel his way out.

No such thing as Pink Box testing?
I can’t remember exactly when this was, but from my memory is was most likely 1999 or early 2000. At the time I did a quick web search to see if there was any such thing as pink box testing, and a quick skim of my testing books. Certainly didn’t seem to be at that time. As several commenters have pointed out, there are (now) several valid definitions of pink box testing, not all of them appropriate for polite conversation.

The term “pink box” was clearly relevant to phone phreakers at that time, so the term “pink box testing” made sense in at least that context, but in the context of software testing it didn’t.

The TSA began storing the information in late June, tracking many people who said they had forgotten their driver’s license or passport at home. The database has 16,500 records of such people and is open to law enforcement agencies, according to the TSA.Asked about the program, TSA chief Kip Hawley told USA TODAY in an interview Tuesday that the information helps track potential terrorists who may be “probing the system” by trying to get though checkpoints at various airports.

Later Tuesday, Hawley called the newspaper to say the agency is changing its policy effective today and will stop keeping records of people who don’t have ID if a screener can determine their identity. Hawley said he had been considering the change for a month. The names of people who did not have identification will soon be expunged, he said.

Source

“A federal judge in Boston today refused to lift a temporary restraining order preventing three MIT students from publicly discussing details of several security vulnerabilities that they found in the electronic ticketing system used by the city’s mass transit authority.

The decision means that the gag order imposed on the students last Saturday will remain unchanged at least until Aug. 19, when U.S. District Judge George O’Toole is scheduled to hold another hearing in the case. The restraining order, which was issued in response to a lawsuit filed by the Massachusetts Bay Transportation Authority (MBTA), will expire that same day unless it’s extended or turned into a permanent injunction.

At today’s hearing, O’Toole also asked the MIT students to submit a copy of a class paper in which they detailed the vulnerabilities that they had found, according to the Electronic Frontier Foundation (EFF), a high-tech civil rights group that is representing the students in the case. The MBTA requested a copy of the paper in a motion that it filed, the EFF said.

In addition, O’Toole asked the three undergrads — Zack Anderson, Russell “RJ” Ryan and Alessandro Chiesa — to provide copies of programming code that they included in a planned presentation to show how the MBTA’s e-ticketing system could be hacked.

The San Francisco-based EFF had filed a motion in court this week asking O’Toole to lift the restraining order (download PDF). A spokeswoman for the group expressed disappointment at the judge’s refusal to do so and said that the EFF will now go ahead with a planned appeal of the decision to issue the gag order in the U.S. Appeals Court for the First Circuit.

The restraining order was handed down by another judge one day before Anderson, Ryan and Chiesa were scheduled to detail the MBTA’s vulnerabilities at the Defcon hacker convention in Las Vegas. In its motion requesting the restraining order (download PDF), the MBTA claimed that it was forced to seek the court’s intervention because neither MIT nor the students had given the transit agency enough information to assess the vulnerabilities that were about to be publicly disclosed.

The MBTA said that its intention wasn’t to permanently gag the students but to give itself some time to determine the validity and seriousness of the issues being raised by the students and to develop a course of action for addressing them.

In a statement sent via e-mail today, the MBTA said it was pleased that a second federal judge had upheld the restraining order, but “disappointed at the defendants’ continued resistance to provide the information” requested by the agency. The MBTA added that it remains hopeful that all of the defendants will be “cooperative” as the case continues.

Although the students had to cancel their talk, the slides that they put together for the presentation were included on a CD given to Defcon attendees and thus have become publicly available.

The EFF has called the restraining order a violation of the students’ First Amendment rights as well as a prior restraint on free speech. Along with the filing that requested the lifting of the order, the EFF submitted a letter in support of the students signed by 11 computer science professors and security researchers (download PDF).

David Farber, a professor of computer science and public policy at Carnegie Mellon University’s School of Computer Science, was one of the people who signed the letter. He said today that the decision to issue the restraining order was a “bad, bad idea.”

Based on the available information, the students appear to have notified MBTA officials about their research and even provided them with confidential information relating to the vulnerabilities, Farber said. The students also appear to have assured the MBTA in advance that their presentation wouldn’t provide the level of detail needed for someone to actually exploit the vulnerabilities, he said. For the MBTA to then ask a court to gag the students was totally out of line, according to Farber.

What makes its actions even more egregious, he claimed, is the fact that the paper the students were scheduled to present had been vetted by MIT professor Ron Rivest, who Farber described as one of more respected figures in the security community.

It could be argued that the students could have worked with the MBTA to fix the issues before publicly disclosing them, Farber acknowledged. But it is unconstitutional to prevent them from speaking about their discoveries just because the MBTA felt that it wasn’t given adequate notice, he contended. “In practice,” Farber said, “a good middle ground is to keep the courts out of it.”

But Gartner Inc. analyst John Pescatore said the MBTA wasn’t given a reasonable amount of time to fix the problems or develop work-arounds for them before the aborted presentation at Defcon.

The intent of disclosing flaws should be to make software and systems more secure, “not to make headlines or sell tickets to security conferences,” Pescatore said. In this case, he added, “the students went for publicity.”

Source

These tools will keep you in close contact with customers, allowing you to cultivate long-lasting relationships.

Read more…

The criteria to determine whether P2P users reach this level are both the number of files shared and the specific value of the shared files. From the interview:

“The economic value of a music file is about one Euro, whereas a movie is valued at about 15 Euro. Based on that we define a commercial level as damages greater than 3000 Euro.”

Does that mean that you can now share up to 3000 MP3s without getting sued in Germany? Well, not exactly. Another indicator for so-called commercial infringement is the specific nature of the files shared. Sharing a movie that has not been released theatrically in Germany could get you in trouble even if you don’t share to many other files, according to the prosecutor’s spokesperson.

North-Rhine Westphalia isn’t the only state in Germany that chooses to ignore small-time file sharing. Similar regulations are also put in place in Bavaria, Baden-Wuerttemberg, Saxony, Saxony-Anhalt as well as in Berlin. The regulations are a reaction to hundreds of thousands of lawsuits against file sharers that have been filed by rights holders in recent years. North-Rhine Westphalia’s prosecutor told jetzt.de that one of three offices in his state has received 25,000 lawsuits in the first half of this year alone.

Source

Keyczar is built on OpenSSL, PyCrypto, and the Java JCE libraries, and is “not intended to replace existing cryptographic libraries,” according to Google Code. It works with both symmetric and asymmetric keys, and there is this introduction on the Google Code page:

“Cryptography is easy to get wrong. Developers can often choose the wrong cipher mode, use obsolete algorithms, compose primitives in an unsafe manner, or fail to anticipate the need for key rotation. Keyczar abstracts some of these details by choosing safe defaults, automatically tagging outputs with key version information, and providing a simple interface.”

I’ve talked to many leading people in the field of cryptography, and “easy to get wrong” is an understatement. One of the reasons we don’t see more of our content encrypted–from e-mail messaging to encrypted storage archives–is the sheer complexity of cryptography. I was amused to see that Google has provided a “non-goals” page for Keyczar, where it clarifies that it is not intended for tasks such as encrypting very “short blobs of data.”

If you want to take a gander at some example uses of Keyczar, see the “illustrative use” cases on this page.There, you’ll find actual code that, say, a Python developer might use to encrypt a URL parameter value with a symmetric key.

Keyczar was developed within the Google Security Team. Steve Weis of Google and Arkajit Dey of MIT were among the lead developers.

Like you were suprised…

As of tomorrow morning, VM’s running on all hosts with ESX 3.5U2 in enterprise configurations will not power on.

Boom.

Apparently, there is some bug in the vmware license management code. VMware is scrambling to figure out what happened and put out a patch.

There is a major discussion going on in the vmware communities about it:

http://communities.vmware.com/thread/162377?tstart=0

OK, while we’re all remaining calm….just imagine the implications that bugs like this can occur and get past QA testing….5 years down the road, nearly all server apps worldwide pretty much running in VM’s (pretty easy prediction)……some country decides to initiate cyberwarfare and manages to get a backdoor into whatever is the prevaling hypervisor of the day…..boom. All your VM’s belong to us.

I honestly think a lot of the new hype about products dedicated to the new industry of vm security is crap, but honestly — god protect us if the baseline code for critical hypervisors like ESX isn’t kept secure and regularly audited.

I’d love to find out what happened here. Don’t they do any regression testing on new releases to check for date based bugs? I thought that would be pretty obvious.

UPDATE: Frank Wegner has posted the following suggestions:

You can see the latest status here: http://kb.vmware.com/kb/1006716 Please check back often, because it will notify you when this issue has been fixed. Until then the best workaround I can think of is:* Do nothing
* Turn DRS off
* Avoid VMotion
* Avoid to power off VM’s

I’d council against turning DRS off as that actually deletes resource pool settings….instead, set sensitivity to 5 which should effectively disable it w/ minimal impact.

UPDATE 2: VMware Website appears to be having trouble keeping up with people requesting updates.

UPDATE 3: VMware has stated they will have fixes available in 36hrs at the earliest.

UPDATE 4: Anand Mewalal comments:

We used the following workaround to power on the VM’s.
Find the host where a VM is located
run ‘ vmware-cmd -l ‘ to list the vms.
issue the commands:
service ntpd stop
date -s 08/01/2008
vmware-cmd /vmfs/volumes/
service ntpd start

UPDATE 5: Apparently, there are no easily seen warnings in logs/etc or VC prior to hitting the bug. VC will continue to show the hosts as licensed and no errors will appear in vmkernel log file until you try to start up a new vm, reboot a vm, or reboot the host.

NEW VMware Workstation 6.0 for PC SEALED US $149.00 (0 Bid) End Date: Wednesday Aug-20-2008 14:19:50 PDT Bid now | Add to watch list

NEW VMware Workstation 6.0 for PC SEALED US $149.00 (0 Bid) End Date: Wednesday Aug-20-2008 14:20:26 PDT Bid now | Add to watch list

VMware ESX Server 3i Training Course CBT US $23.99 End Date: Wednesday Aug-20-2008 16:39:13 PDT Buy it now | Add to watch list

VMWARE Fusion (to run Windows on Mac) US $57.00 End Date: Wednesday Aug-20-2008 16:45:39 PDT Buy it now | Add to watch list

NEW EMC VMware Workstation v.6.0 WS6-ENG-L-AP US $125.99 End Date: Wednesday Aug-20-2008 17:09:51 PDT Buy it now | Add to watch list