(via Major glitch in Bitcoin network sparks sell-off; price temporarily falls 23% | Ars Technica)
A technical glitch in the core Bitcoin software forced developers to call for a temporary halt to Bitcoin transactions, sparking a sharp sell-off. The currency’s value briefly fell 23 percent to $37 before regaining much of its value later in the evening.
The core of the Bitcoin network is a shared transaction register known as the blockchain. Approximately every 10 minutes, a new block is created containing a record of all Bitcoin transactions that occurred since the previous block. Nodes in the network, known as miners, race to “discover” this next block by solving a cryptographic puzzle. The winner of this race announces the new block to the other nodes. The other nodes verify that it complies with all the rules of the Bitcoin protocol and then accept it as the next official entry in the blockchain, starting the race anew.
It’s essential for all miners to enforce exactly the same rules about what counts as a valid block. If a client announces a block that half the network accepts and the other half rejects, the result could be a fork in the network. Different nodes could disagree about which transactions have occurred, potentially producing chaos.
That’s what happened on Monday evening. A block was produced that the latest version of the Bitcoin software, version 0.8, recognized as valid but that nodes still running version 0.7 or earlier rejected…
fascinated by this - seems both very clever and very dangerous…
(via DSL modem hack used to infect millions with banking fraud malware | Ars Technica)
Millions of Internet users in Brazil have fallen victim to a sustained attack that exploited vulnerabilities in DSL modems, forcing people visiting sites such as Google or Facebook to reach imposter sites that installed malicious software and stole online banking credentials, a security researcher said.
The attack, described late last week during a presentation at the Virus Bulletin conference in Dallas, infected more than 4.5 million DSL modems, said Kaspersky Lab Expert Fabio Assolini, citing statistics provided by Brazil’s Computer Emergency Response Team. The CSRF (cross-site request forgery) vulnerability allowed attackers to use a simple script to steal passwords required to remotely log in to and control the devices. The attackers then configured the modems to use malicious domain name system servers that caused users trying to visit popular websites to instead connect to booby-trapped imposter sites.
“This is the description of an attack happening in Brazil since 2011 using 1 firmware vulnerability, 2 malicious scripts and 40 malicious DNS servers, which affected 6 hardware manufacturers, resulting in millions of Brazilian internet users falling victim to a sustained and silent mass attack on DSL modems,” Assolini wrote in a blog post published on Monday morning. “This enabled the attack to reach network devices belonging to millions of individual and business users, spreading malware and engineering malicious redirects over the course of several months…”
…The first step is to determine how securely you’ve configured your cloud service accounts—and how much interdependency they have. The best passwords in the world won’t help if the exposure of just one account by a server hack or social engineering lets a hacker or fraudster bypass the password and your accounts are too heavily connected.
- Do you use strong passwords, and change them regularly? While passwords won’t stop an attacker who has exploited other means to gain access to your account, a strong password can at least protect you from a direct breach.
- Do you share access to your cloud services with other people, such as family members or friends? If you have devices that belong to your kids set up with your credentials for reasons like sharing an app or music, you’re also creating an opportunity for that data to get stolen—or shared by them with friends. Set up individual accounts for each person in the family on devices to prevent accidental exposure of your own personal data.
- Do you use the same e-mail address and password as your credentials for more than one service? If your password gets exposed by one service—as it did with some Dropbox users last month—and you’ve used the same information in multiple places, you could be a target for a broader hack. Many sites and services require you to use an e-mail address as a user name. Make sure you vary the credentials you use, selecting a different user name or e-mail account for each to avoid a one-shot exposure. If you don’t want to create an e-mail address specific to each service, at least use randomly generated passwords that are at least nine characters long.
- Do you use two-factor authentication? Some cloud services now provide a second level of authentication before you sign in or make changes to the account, often by sending a code via text message to your phone. This feature adds another step to authentication, and is often used to double-check security when you log in from an unfamiliar machine. Microsoft, for example, has added two-factor authentication to its cloud services for Windows 8 when adding new “trusted computers” to the account or making other changes. Google provides two-factor authentication for Google Apps accounts as an option for additional security, and Dropbox is now adding the capability.
- Do you use the same credentials for iCloud and iTunes? One potential problem that users of Apple’s iCloud and other services can easily fall into is the overuse of a single account across the services used on their devices—for example, using the same Apple ID for both iCloud and the iTunes store. The iTunes store links your credit card data to your Apple ID for music and application purchases, as well as in-app purchases. It stores your contact information and address as well. So it’s a potential source of even bigger headaches if it’s exposed along with your iCloud account.
- Do you use the same cloud-based e-mail account as your password recovery contact address for more than one service? If you use a single account as your alternate contact point for all your services, and that one gets exploited, the others don’t need to be hacked to be taken over. The attacker can simply reset passwords on accounts and take them over, getting access to everything in them.
- Do you have multiple webmail accounts connected into a single mailbox? For example, does your Google account retrieve your e-mail for your Apple iCloud, Microsoft Live, or other cloud services account? Again, this creates a single point of failure, and can provide an attacker with enough information about your other accounts to potentially take them over.
- How hard is it to guess or research your answer to your chosen security question? Depending on how determined someone is to take over your account, and how public your life is on the Internet, the security questions used to reset your account could be particularly vulnerable (the hacking of Sarah Palin’s Yahoo account is a prime example). If you’re using “mother’s maiden name” or some other personal biographical fact that could be found in a public records search, someone with time on their hands or an axe to grind could find the answer and exploit it to take over your account…
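Several of these questions describe the same risk: one mailbox or one reused password that lets a single exposure cascade into several accounts. As an added example (not from the article), the script below models a constructed set of accounts as a graph of recovery, mail-pull and shared-password links and reports which accounts are single points of failure; the account names and the password labels are assumptions.

```python
"""Added example (not from the article): find single points of failure among cloud
accounts via password-recovery, mail-forwarding and shared-password links."""
from collections import deque
# Constructed sample. "pw" labels which password is in use (not the secret);
# "pulls_mail_from" lists the other mailboxes this account retrieves into itself.
ACCOUNTS = {
    "gmail":   {"pw": "pw-A", "recovery": None,    "pulls_mail_from": ["icloud", "live"]},
    "icloud":  {"pw": "pw-B", "recovery": "gmail", "pulls_mail_from": []},
    "itunes":  {"pw": "pw-B", "recovery": "gmail", "pulls_mail_from": []},
    "live":    {"pw": "pw-C", "recovery": "gmail", "pulls_mail_from": []},
    "dropbox": {"pw": "pw-D", "recovery": "live",  "pulls_mail_from": []},
}

def takeover_edges(accounts):
    """Map each account to the accounts an attacker gains by controlling it."""
    edges = {name: set() for name in accounts}
    for name, acct in accounts.items():
        # Whoever controls the recovery mailbox can reset this account.
        if acct["recovery"] in accounts:
            edges[acct["recovery"]].add(name)
        # A mailbox that pulls another account's mail also sees its reset links.
        for src in acct["pulls_mail_from"]:
            if src in accounts:
                edges[name].add(src)
        # A reused password means exposure of one account exposes the other.
        for other, o in accounts.items():
            if other != name and o["pw"] == acct["pw"]:
                edges[name].add(other)
    return edges

def blast_radius(accounts, start):
    """Accounts transitively taken over once `start` is compromised (sorted)."""
    edges = takeover_edges(accounts)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in edges[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen - {start})

def single_points_of_failure(accounts, threshold=2):
    """Accounts whose compromise cascades to at least `threshold` others."""
    return {name: reach for name in accounts
            if len(reach := blast_radius(accounts, name)) >= threshold}

if __name__ == "__main__":
    for name, reach in single_points_of_failure(ACCOUNTS).items():
        print(f"{name}: compromise also yields {', '.join(reach)}")
```

In the constructed sample only the webmail account is flagged, because it both recovers every other account and pulls their mail into one inbox.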
As if the recent weak earnings report and associated stock downturn weren’t bad enough news for Zynga, at least five law firms are now actively investigating the social gaming powerhouse for security law violations related to sales of company stock three months ago…
“It’s an urban legend that the government launched the Internet,” writes L. Gordon Crovitz in Monday’s Wall Street Journal, launching into just one of a myriad of problems with his short opinion piece.
While he concedes that the military’s Defense Advanced Research Projects Agency (DARPA) program funded the creation of the ARPAnet, the first large-scale packet-switched network, he argues that the government doesn’t deserve credit for the creation of the Internet:
If the government didn’t invent the Internet, who did? Vinton Cerf developed the TCP/IP protocol, the Internet’s backbone, and Tim Berners-Lee gets credit for hyperlinks.
But full credit goes to the company where [Robert Taylor] worked after leaving ARPA: Xerox. It was at the Xerox PARC labs in Silicon Valley in the 1970s that the Ethernet was developed to link different computer networks. Researchers there also developed the first personal computer (the Xerox Alto) and the graphical user interface that still drives computer usage today.
Crovitz is right that Vinton Cerf, along with Bob Kahn, invented the TCP/IP protocol that is the foundation of the modern Internet. But he neglects to mention that Cerf’s early work on the protocol was funded by the US military through its DARPA program.
“Hyperlinks” are not the Internet, and Tim Berners-Lee didn’t invent them. Nor is the World Wide Web the Internet, although the Web has become such a popular Internet application that many people confuse the two. But more to the point, Berners-Lee was working at CERN, a research organization funded by European governments, when he invented the World Wide Web in the early 1990s.
Xerox is indeed a private company, and Xerox PARC researchers did develop some important computing technologies, including Ethernet and the graphical user interface. But it’s not accurate to say that “the Ethernet was developed to link different computer networks.” Ethernet was designed primarily as a local networking technology to connect computers in a home or office. The point of the Internet’s TCP/IP protocol was to allow networks using different standards, including Ethernet, to communicate with each other. Many of the networks that now comprise the Internet use the Ethernet protocol, but what makes the Internet the Internet is TCP/IP, not Ethernet.
Indeed, not only is Crovitz confused about the origins of the Internet, he also seems not to understand the conventions of the World Wide Web. He quotes George Mason University economist Tyler Cowen as saying that “The Internet, in fact, reaffirms the basic free market critique of large government.” But that quote wasn’t written by Cowen. It was quoted by Cowen in a 2005 blog post. The page Cowen was quoting has succumbed to bitrot, but the Internet Archive has a copy.
The Wall Street Journal has earned a reputation for producing in-depth and meticulously fact-checked news coverage. Unfortunately, it doesn’t always apply that same high standard of quality to its editorial page.
If you haven’t already seen the screaming headlines across the blogosphere declaring the arrival of Internet Armageddon for a quarter-million PCs because of a virus, allow us to get you up to speed. Believe it or not, some of the 4 million computers hijacked by Estonian and Russian hackers through a long-running botnet called DNSChanger are still not patched, over eight months after the FBI and Estonian authorities broke up the ring in November of 2011.
The botnet took control of PCs, changing their DNS settings to connect to rogue DNS servers, which allowed the ring to reroute a user’s click on web advertisements to alternative sites and replace web ads with those of companies that paid the ring for clicks. When the FBI shut down the rogue DNS servers at the center of the ring, the US District Court for the Southern District of New York appointed Internet Systems Consortium, a not-for-profit company, to keep running replacement DNS servers so affected users would not lose Internet access before they could remove the botnet and fix their DNS settings. The FBI also posted tools to help PC owners check to see if their system was affected by the botnet. (If you haven’t checked yours, go there now.)
On Monday, July 9, the court order runs out, and ISC will pull the plug on the DNS servers. But by some estimates, as many as 300,000 computers are still using the DNS servers to resolve their Internet searches. Those systems will lose the ability to resolve domain names for web sites and email when the server is disconnected.
Don’t say you weren’t warned.
[seriously WTF…]
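Both the DSL modem campaign and DNSChanger leave the same footprint on a victim: configured resolvers pointing into attacker-controlled address ranges. The check below, added here and not part of either article, extracts the resolvers from a constructed resolv.conf and a constructed modem config dump and flags any that fall inside a blocklist; the blocklist ranges are documentation placeholders, not the published indicator ranges.

```python
"""Added example (not from either article): flag configured DNS resolvers that
fall inside a blocklist of rogue-resolver ranges. The ranges, resolv.conf and
modem config below are constructed placeholders, not real indicators."""
import ipaddress
import re

# Constructed placeholder ranges (RFC 5737 documentation space), standing in
# for a published list of rogue-resolver netblocks.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed inputs: a host's resolv.conf and a modem's DNS configuration dump.
RESOLV_CONF = """# generated by DHCP
nameserver 203.0.113.7
nameserver 192.0.2.53
"""
MODEM_CONFIG = "dns_primary=198.51.100.19\ndns_secondary=192.0.2.1\n"

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def extract_resolvers(text):
    """Pull every IPv4 literal out of a config dump, ignoring '#' comments."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        for match in IP_RE.findall(line):
            try:
                found.append(ipaddress.ip_address(match))
            except ValueError:
                continue  # e.g. 999.1.1.1 matches the regex but is not an address
    return found

def rogue_resolvers(text, ranges=ROGUE_RANGES):
    """Return, as strings, the resolvers that fall inside any blocklisted range."""
    return [str(ip) for ip in extract_resolvers(text)
            if any(ip in net for net in ranges)]

if __name__ == "__main__":
    for label, cfg in (("resolv.conf", RESOLV_CONF), ("modem", MODEM_CONFIG)):
        hits = rogue_resolvers(cfg)
        print(f"{label}: {'ROGUE ' + ', '.join(hits) if hits else 'clean'}")
```

The same function can be pointed at the output of whatever command dumps a given modem's DNS settings; the regex only needs the addresses to appear as plain dotted quads.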
(via New study, same authors: patent trolls cost economy $29 billion yearly | Ars Technica)
…The $29 billion number comes from measuring the more straightforward costs associated with fighting off patent troll suits: those include legal fees going to lawyers, and the licensing fees paid in tribute to make the trolls go away (which nearly always get paid). The findings come from a relatively small sample of 83 companies, both small and large.
The study paints one of the clearest pictures yet of the impact patent trolls—more politely called non-practicing entities or “NPEs”—are having on the economy.
Even if the numbers are inflated, there’s little doubt those costs are significant. The total spending of US businesses on research and development is $247 billion per year. So even if one only considers the direct costs of patent trolls, they may be sucking up more than 10 percent of the money that could be spent on R&D.
Bessen and Meurer are the authors of Patent Failure, a 2008 book criticizing the patent system that has become a bête noire in some quarters of the patent bar…
Judge Lucy Koh of California’s Northern District Court ruled today in favor of granting Apple an injunction against Samsung’s Galaxy Nexus phone. The injunction would seek to stop the import of Samsung’s phone, which Apple alleged had infringed on four of its patents.
Apple sued for patent protection on the following software features:
1. A means of detecting and marking up data like a phone number or an e-mail address, and then initiating a phone call or an e-mail when the linked data is clicked
2. A means of searching multiple databases and sources for data.
3. A slide to unlock feature.
4. An autocorrect-type function that completes the word as a user types and allows the user to accept or reject the word.
Reuters reports that the decision appears to have been driven by Apple’s claim to the patent to search multiple sources, which Apple says is the basis of Siri. Reuters reporter Dan Levine, who was in the courtroom at the time of the ruling, tweeted that Judge Koh said “‘Apple has articulated a plausible theory of irreparable harm’ [because] of ‘long-term loss of market share’ and ‘losses of downstream sales.’”
The Galaxy Nexus is Google’s flagship device, and while the ruling will not have a direct impact on the import of Google’s recently announced Nexus 7 tablet, the ruling is surely a blow to Google during its IO 2012 conference.
=:O
Hackers are actively exploiting a critical vulnerability in Microsoft’s Windows operating system that allows them to remotely execute malicious code when victims visit a booby-trapped website.
“These attacks are being distributed both via malicious web pages intended for Internet Explorer users and through Office documents,” Andrew Lyons, a Google security engineer, wrote in a blog post published Tuesday. “Users running Windows XP up to and including Windows 7 are known to be vulnerable.”
In their own advisory, Microsoft officials confirmed the active attacks and encouraged customers to apply a temporary fix as soon as possible. The vulnerability exploits an uninitialized variable in XML Core Services, which is installed by default in all supported versions of Windows. Users of Microsoft Office 2003 and 2007 are also susceptible.
Attacks work when a vulnerable system uses Internet Explorer to visit a website that contains XML code that corrupts memory in a way that can execute malicious code. The code has the same privileges as the logged-on user, so accounts that don’t include administrative privileges may be less affected.
The warnings came the same day that Microsoft issued seven updates that patch at least 26 vulnerabilities in its software as part of its monthly Patch Tuesday. Lyons said Google researchers alerted Microsoft to the attacks on the XML package two weeks ago and that “Microsoft has been responsive to the issue and has been working with us.”
As part of its monthly “Patch Tuesday” security updates for June, Microsoft announced changes in how Windows manages certificates. These changes include a new automatic updater tool for Windows 7 and Windows Vista that will flag stolen or known forged certificates. This shift will have a huge impact on companies and software vendors who use Microsoft’s implementation of public key infrastructure as part of their authentication and software distribution—especially if they haven’t followed best practices for certificates in the past…