...from:
http://en.wikipedia.org/wiki/Address_space_layout_randomization
Address space layout randomization (ASLR) is a computer security
technique which involves arranging the positions of key data areas,
usually including the base of the executable and position of
libraries, heap, and stack, randomly in a process' address space. [The
most common exploits take advantage of a known positions for specific
structures such as heap and stack locations in memory. The idea behind
ASLR is to randomly position in memory these sometimes vulnerable
structures to make it more difficult for an automated exploit.]
In Linux, a weak form of ASLR has been enabled by default since kernel
version 2.6.12. The PaX and ExecShield patchsets to the Linux kernel
provide more complete implementations. Various Linux distributions
including Adamantix, Hardened Gentoo, and Hardened Linux From Scratch
come with PaX's implementation of ASLR by default.
Microsoft's Windows Vista and Windows Server 2008 have ASLR enabled by
default, although only for executables which are specifically linked
to be ASLR enabled. [NOTE: from http://blogs.zdnet.com/security/?p=104
- Those applications which link to the ANSI C heap allocation API
malloc() are less vulnerable to exploitation. Beyond ASLR, there is /
GS, a compile-time option in Visual C++ that adds stack-based buffer
overrun detection, /SafeSEH, Data Execution Protection and Function
Pointer Obfuscation. As Microsoft's Michael Howard explained when ASLR
was added to Windows Vista Beta 2, it is not a panacea or a
replacement for insecure code. "[But] when used in conjunction with
other technologies,it is a useful defense because it makes Windows
systems look 'different' to malware, making automated attacks harder."]
Apple introduced randomization of some library offsets in Mac OS X
v10.5[3], presumably as a stepping stone to fully implementing ASLR at
a later date.
Wayne
...from:
http://news.nationalgeographic.com/news/2008/03/080325-antarctica-photo.html
March 25, 2008—New satellite images reveal what scientists call the
"runaway" collapse of an enormous ice shelf in Antarctica as the
result of global warming. (Read full story.)
The chunk of coastal ice was some 160 square miles (415 square
kilometers) in area—about seven times the size of Manhattan.
The shelf's rapid collapse began on February 28 (see image sequence at
top right), sending a giant swath of broken ice into the sea—as seen
in the bottom image, which shows a 2-mile-wide (3.2-kilometer-wide)
area.
"[It's] an event we don't get to see very often," Ted Scambos, lead
scientist at the U.S. National Snow and Ice Data Center in Boulder,
Colorado, said in a press statement.
...from:
http://www.nytimes.com/2008/03/28/technology/28yahoo.html?th&emc=th
China Law Could Impede Microsoft Deal for Yahoo
By JOHN MARKOFF
Published: March 28, 2008
SAN FRANCISCO — Microsoft’s hostile-takeover attempt againstYahoo may
encounter an unexpected hurdle in August after a Chinese antimonopoly
law takes effect that will extend the nation’s economic influence far
beyond its borders.
The law, which goes into effect on Aug. 1, is intended to strengthen
an existing set of antitrust regulations the Chinese originally
established in 1993. It will make China a third sphere of regulatory
influence, matching the power of the European Union and the United
States, according to legal specialists in this country and in China
who have studied it.
Formally enacted by the National People’s Congress last year, the
measure gives Chinese regulators authority to examine foreign mergers
when they involve acquisitions of Chinese companies or foreign
businesses investing in Chinese companies’ operations. Beijing could
also consider national security issues, according to a report by the
official news agency Xinhua.
The law could give China influence in Microsoft’s courtship of Yahoo
because in August 2005, Yahoo, a premier search portal, invested $1
billion in Alibaba.com, China’s largest e-commerce business. The
investment gave Yahoo about a 40 percent stake in the Chinese company.
Alibaba officials have said they believe that a Microsoft takeover of
Yahoo would set in motion a buyback provision, making it possible for
them to gain independence from Microsoft.
Nathan G. Bush, an antitrust law specialist with O’Melveny & Myers in
Beijing, said the law represented the ascendance of China “as another
regulatory capital contending for influence with Brussels and
Washington.”
“Multinational corporations will need to develop strategies for all
the markets they operate in,” he added, “and China is a big market.”
Whether China would seek to review a Microsoft acquisition, and what
kind of posture it might take, would be closely watched by regulators
and global companies as an indication whether it will play a
conciliatory or a nationalistic role on the world stage.
“I don’t think anyone has worked through the issue of where an
Internet merger should be reviewed, given that it truly is a World
Wide Web,” said Andrew I. Gavil, a law professor at Howard University.
There are potentially dozens of jurisdictions that could claim
oversight in such a deal because of the global business interests of
the two huge companies and because it could potentially transform the
Internet into two megaportals, Google and Microsoft. Other parts of
the world that might have an active interest in the outcome of a
merger include South Korea, a vibrant Internet economy where an
antitrust investigation into Microsoft was previously opened.
Executives at Microsoft and Yahoo declined to comment on the possible
effect of the new Chinese law. In rejecting Microsoft’s takeover bid
in January, Yahoo’s chief executive,Jerry Yang, said in a letter to
employees that the offer substantially undervalued the company, in
part because of the significant growth potential of the Alibaba
business in China.
[...]
Last week, a vice minister in the State Council Information Office,
which oversees the Internet, said there were 230 million Chinese users
of the Internet. He said the Internet sector accounted for 7 percent
of the country’s gross domestic product, and he expected that to rise
to 15 percent in three to four years, according to a Reuters report.
The official, Cai Mingzhao, warned that foreigners should not use the
Internet to interfere in Chinese internal matters, according to a
report in The Guardian.
Even if the Chinese government did not try to prevent a takeover by
Microsoft, a prolonged review could substantially damage the value of
the business, a number of Internet industry executives said.
On 26-Mar-08, at 3:18 PM, Lonnie Smetana wrote:
> Tool makes mincemeat of Windows passwords
> By Dan Goodin in San Francisco
> Published Tuesday 4th March 2008 23:57 GMT
>
> A security researcher has released an easy-to-use tool that accesses
> locked Windows computers in seconds without entering a password.
>
> The tool, which was released Tuesday by Adam Boileau, works by
> connecting a Linux machine to the Firewire port of the target PC and
> modifying the password protection that's stored in local memory.
>
> The attack exploits a well-known weakness in Firewire that makes it
> easy for connected devices to read and write to the memory of the
> host machine. Similar hacks work on machines running OS X and Linux
> (see here (http://www.matasano.com/log/695/windows-remote-memory-access-though-firewir…)
> ).
> [...]
...from:
http://rentzsch.com/macosx/securingFirewire
Friday, November 12, 2004
"The only evidence I have seen of the 'fix' [for the Firewire hack]
was in Darwin's source-code - ie, nothing official from Apple. It
first appeared in IOFireWireFamily v122.4.2 (Darwin v6.2/Mac OS X
10.2.2) which was released November 2002. That was obviously a few
months after MacHax Best Hack Contest 2002 where [the Firewire/DMA
exploit won first prize.]"
- - - - - -
In addition, Apple's technical people suggest, if you wish more
protection against any RAM exploits under OS X that you "Use secure
virtual memory". They've said that this will protect not only
application memory but also the actual OS areas where password
exploits would most probably be aimed.
How to enable "Use secure virtual memory":
- from the Apple
menu, select "System Preferences..."
- click on
(Security) and choose the General tab
if necessary
- ensure there is a check mark next to "Use secure virtual memory"
I've been running this for a while now without any problems and there
does not appear to be any performance hit either.
Finally, I've done a little bit of looking for similar protections for
LINUX and Windows. Will post if I stumble across them.
Wayne
...from:
http://www.nytimes.com/2008/03/09/business/09digi.html?_r=1&th&emc=th&oref=…
They Criticized Vista. And They Should Know.
By RANDALL STROSS
Published: March 9, 2008
ONE year after the birth of Windows Vista, why do so many Windows XP
users still decline to “upgrade”?
RelatedMicrosoft's E-mail Messages (pdf)Text of Plaintiff Complaints
(pdf)Text of Microsoft's Response to Plaintiffs (pdf)
Microsoft says high prices have been the deterrent. Last month, the
company trimmed prices on retail packages of Vista, trying to entice
consumers to overcome their reluctance. In the United States, an XP
user can now buy Vista Home Premium for $129.95, instead of $159.95.
An alternative theory, however, is that Vista’s reputation precedes
it. XP users have heard too many chilling stories from relatives and
friends about Vista upgrades that have gone badly. The graphics chip
that couldn’t handle Vista’s whizzy special effects. The long delays
as it loaded. The applications that ran at slower speeds. The
printers, scanners and other hardware peripherals, which work dandily
with XP, that lacked the necessary software, the drivers, to work well
with Vista.
Can someone tell me again, why is switching XP for Vista an “upgrade”?
Here’s one story of a Vista upgrade early last year that did not go
well. Jon, let’s call him, (bear with me — I’ll reveal his full
identity later) upgrades two XP machines to Vista. Then he discovers
that his printer, regular scanner and film scanner lack Vista drivers.
He has to stick with XP on one machine just so he can continue to use
the peripherals.
Did Jon simply have bad luck? Apparently not. When another person,
Steven, hears about Jon’s woes, he says drivers are missing in every
category — “this is the same across the whole ecosystem.”
Then there’s Mike, who buys a laptop that has a reassuring “Windows
Vista Capable” logo affixed. He thinks that he will be able to run
Vista in all of its glory, as well as favorite Microsoft programs like
Movie Maker. His report: “I personally got burned.” His new laptop —
logo or no logo — lacks the necessary graphics chip and can run
neither his favorite video-editing software nor anything but a hobbled
version of Vista. “I now have a $2,100 e-mail machine,” he says.
It turns out that Mike is clearly not a naïf. He’s Mike Nash, a
Microsoft vice president who oversees Windows product management. And
Jon, who is dismayed to learn that the drivers he needs don’t exist?
That’s Jon A. Shirley, a Microsoft board member and former president
and chief operating officer. And Steven, who reports that missing
drivers are anything but exceptional, is in a good position to know:
he’s Steven Sinofsky, the company’s senior vice president responsible
for Windows.
Their remarks come from a stream of internal communications at
Microsoft in February 2007, after Vista had been released as a
supposedly finished product and customers were paying full retail
price. Between the nonexistent drivers and PCs mislabeled as being
ready for Vista when they really were not, Vista instantly acquired a
reputation at birth: Does Not Play Well With Others.
We usually do not have the opportunity to overhear Microsoft’s most
senior executives vent their personal frustrations with Windows. But a
lawsuit filed against Microsoft in March 2007 in United States
District Court in Seattle has pried loose a packet of internal company
documents. The plaintiffs, Dianne Kelley and Kenneth Hansen, bought
PCs in late 2006, before Vista’s release, and contend that Microsoft’s
“Windows Vista Capable” stickers were misleading when affixed to
machines that turned out to be incapable of running the versions of
Vista that offered the features Microsoft was marketing as distinctive
Vista benefits.
Last month, Judge Marsha A. Pechman granted class-action status to the
suit, which is scheduled to go to trial in October. (Microsoft last
week appealed the certification decision.)
Anyone who bought a PC that Microsoft labeled “Windows Vista Capable”
without also declaring “Premium Capable” is now a party in the suit.
The judge also unsealed a cache of 200 e-mail messages and internal
reports, covering Microsoft’s discussions of how best to market Vista,
beginning in 2005 and extending beyond its introduction in January
2007. The documents incidentally include those accounts of frustrated
Vista users in Microsoft’s executive suites.
Today, Microsoft boasts that there are twice as many drivers available
for Vista as there were at its introduction, but performance and
graphics problems remain. (When I tried last week to contact Mr.
Shirley and the others about their most recent experiences with Vista,
David Bowermaster, a Microsoft spokesman, said that no one named in
the e-mail messages could be made available for comment because of the
continuing lawsuit.)
RelatedMicrosoft's E-mail Messages (pdf)Text of Plaintiff Complaints
(pdf)Text of Microsoft's Response to Plaintiffs (pdf)
The messages were released in a jumble, but when rearranged into
chronological order, they show a tragedy in three acts.
Act 1: In 2005, Microsoft plans to say that only PCs that are properly
equipped to handle the heavy graphics demands of Vista are “Vista
Ready.”
Act 2: In early 2006, Microsoft decides to drop the graphics-related
hardware requirement in order to avoid hurting Windows XP sales on low-
end machines while Vista is readied. (A customer could reasonably
conclude that Microsoft is saying, Buy Now, Upgrade Later.) A semantic
adjustment is made: Instead of saying that a PC is “Vista Ready,”
which might convey the idea that, well, it is ready to run Vista, a PC
will be described as “Vista Capable,” which supposedly signals that no
promises are made about which version of Vista will actually work.
The decision to drop the original hardware requirements is accompanied
by considerable internal protest. The minimum hardware configuration
was set so low that “even a piece of junk will qualify,” Anantha
Kancherla, a Microsoft program manager, said in an internal e-mail
message among those recently unsealed, adding, “It will be a complete
tragedy if we allowed it.”
Act 3: In 2007, Vista is released in multiple versions, including
“Home Basic,” which lacks Vista’s distinctive graphics. This placed
Microsoft’s partners in an embarrassing position.Dell, which gave
Microsoft a postmortem report that was also included among court
documents, dryly remarked: “Customers did not understand what
‘Capable’ meant and expected more than could/would be delivered.”
All was foretold. In February 2006, after Microsoft abandoned its plan
to reserve the Vista Capable label for only the more powerful PCs, its
own staff tried to avert the coming deluge of customer complaints
about underpowered machines. “It would be a lot less costly to do the
right thing for the customer now,” said Robin Leonard, a Microsoft
sales manager, in an e-mail message sent to her superiors, “than to
spend dollars on the back end trying to fix the problem.”
Now that Microsoft faces a certified class action, a judge may be the
one who oversees the fix. In the meantime, where does Microsoft go to
buy back its lost credibility?
Randall Stross is an author based in Silicon Valley and a professor of
business at San Jose State University. E-mail: stross(a)nytimes.com.
http://www.sun.com/home-modules/media/k5_030808.html
This would probably be based on the Java Micro Edition, a "mobile"
version of the software most often used for cellphone games and
specialized business applications.
"We're going to work to make sure that the [virtual machine] offers
the Java applications as much access to the native functionality of
the iPhone as possible," Sun's Java marketing VP, Eric Klein said.
Release of Java for the iPhone and iPod touch would not appear until
sometime after Apple's June launch of its version 2.0 firmware and the
App Store needed to download the program.
...more details may be available at Sun's Java One conference May 6-9,
2008.
Wayne