"Could we be constantly tracked through our clothes, shoes or even our cash in the future? I'm not talking about having a microchip surgically implanted beneath your skin, which is what Applied Digital Systems of Palm Beach, Fla., would like to do. Nor am I talking about John Poindexter's creepy Total Information Awareness spy-veillance system, which I wrote about last week. Instead, in the future, we could be tracked because we'll be wearing, eating and carrying objects that are carefully designed to do so." Read the interesting editorial at ZDNews.
Privacy, Security Archive
TechTV published a look at security issues in the past year, and they found that worms, viruses, spam, and other security scourges are on the rise, and are affecting common computer users as well as big data centers: If 2001 was the year of corporate headaches, 2002 saw average PC users under attack.
"Reid Ellison is a 15-year-old high school hacker who, for a time, had complete control over his school's computer system. A hack attack from a smart kid is just about any school's worst nightmare. But Ellison got a pat on the back for his exploits, rather than a slap on the wrist. This is actually a good news story about a kid who used his hacking talents for good rather than evil." Read the full story at ABC News.
Nicholas writes: "There's an interesting interview over at LinuxWorld about U.S. government and open-source security. Robert McMillan of LinuxWorld.com talks to Marc Sachs of the White House Cyberspace Security Office about the role of open-source software in the US government."
This is old news, but still, everyone should be aware of it. And on a theoretical basis, the co-creator of UNIX, Ken Thompson, wrote a paper in which he explains that it is possible to add a backdoor to a closed source compiler and when you first compile any other compiler (e.g. GCC), any consequent compiles from this new compiler would include the backdoor by default. Pessimistic thought of the day: nothing is safe. Neither Windows nor Unix. I wonder how "safe" the Security-Enhanced Linux from NSA is. It might secure you from others, but does it secure you from NSA itself? ;P Update: More info here (MS reply on the issue) and here.
According to a report published November 12 by Aberdeen Group, "Security advisories for open source and Linux software accounted for 16 out of the 29 security advisories - about one of every two advisories - published for the first 10 months of 2002 by Cert." Read the report at NewsForge.
"Palladium is not secure Windows. Not exactly. Nor is it a standalone OS. Not exactly. Manferdelli presents it as a sort of parallel OS that is securely ringfenced from Windows, but which doesn't run all the time, and which actually you wouldn't want to run all the time. It works like this..." Read the rest of the article at TheRegister.
"At the USENIX Security Conference held here recently, Microsoft developers touted the company's upcoming Palladium architecture as technology that would enhance privacy, stymie piracy and increase a corporation's control over its computers." Read it at ZDNews.
Based on the number of vulnerabilities announced in 2002 that affect operating systems, the SCO Unix, Apple Macintosh and Compaq Tru64 Operating Systems appear to be the least prone to hacker attack and damage from viruses and worms. This is one of the startling conclusions of the end-of-October 2002 analysis of digital attacks to be released on 1st November.
Critics have slated a Microsoft document on its upcoming Palladium digital rights software as containing several outright "lies". The 1,500-word frequently asked questions (FAQs) paper gives some details about how Palladium will work and how it relates to digital rights management and the Trusted Computing Platform Alliance. Read the rest at VNUnet. Update: Another article about Palladium, here.
Is open source software more secure? To most Linux enthusiasts, the answer is obvious: open source means more people can look for bugs and a faster dissemination of bug fixes. Obviously, yes. But noted security expert Gene Spafford says that this may not necessarily be true. According to the Purdue professor of computer science and co-author of Practical Unix & Internet Security, good security begins with good design, and neither Windows nor Linux has much to brag about in that category.
Ramen, Slapper, Scalper and Mighty may sound like Santa's new team of reindeer, but they are creatures far lower down the evolutionary ladder -- and much less welcome. These are worms that have infiltrated Linux servers in recent months, commandeering the servers for use in distributed denial-of-service attacks. Linux enthusiasts who once believed they were less vulnerable to attack than Microsoft users have begun to wonder whether they were overly optimistic. Read the article at NewsFactor.
"Intel is to embed certificates into the processor. Embedded certificates will be a feature of Banias processors next year. What are the downsides? You can count them. The business of ownership of a device suddenly becomes very important indeed - your PC is tagged at birth, and your choice of operating system or browser is contingent on the generosity of the certification authority." Read the report at TheRegister.
Microsoft is undergoing a major cultural shift in the way it deals with security, but it has come much later than it should have, is the consensus at the TechEd conference in Brisbane. In the meantime, web servers and corporate PCs are at risk from vulnerabilities in the popular Apache server software and in a component of Microsoft's Windows 2000.
A security expert makes the case that Windows' architecture encourages insecure applications and is vulnerable to the 'Shatter Attack', but Microsoft disagrees. Read about it at ZDNews.
"This paper presents a new generation of attacks against Microsoft Windows, and possibly other message-based windowing systems. The flaws presented in this paper are, at the time of writing, unfixable. The only reliable solution to these attacks requires functionality that is not present in Windows, as well as efforts on the part of every single Windows software vendor." Read the paper over at Tombom.co.uk. In the meantime, another flaw affects Windows 2000, Linux and MacOSX.
Why Microsoft's Palladium project threatens to send Linux and open-source into exile: "Unless Microsoft signs a particular Linux kernel, it will almost certainly refuse to run on Palladium-equipped hardware." Read the editorial at SecurityFocus.
The Sun-backed group will unveil the detailed workings of their Liberty Alliance specification--leading the way to build "single-sign-on" Web sites and software. Read the report at ZDNews.
"A security mailing list has alerted Apple's OSX users to a program that could let a hacker piggyback malicious code on downloads from the company's SoftwareUpdate service." Read the report at ZDNews.
Following widespread skepticism of Microsoft's motives for developing its trusted computing platform, the software giant this week moved to reassure the software community that Palladium will not be limited to Microsoft's platforms. Read the report at ZDNews.