Slashdot

reginaldo writes to clue us that pirates in Somalia have opened up a cooperative in Haradheere, where investors can pay money or guns to help their favorite pirate crew for a share of the piracy profits. "'Four months ago, during the monsoon rains, we decided to set up this stock exchange. We started with 15 "maritime companies" and now we are hosting 72. Ten of them have so far been successful at hijacking,' Mohammed [a wealthy former pirate who took a Reuters reporter to the facility] said. ... Piracy investor Sahra Ibrahim, a 22-year-old divorcee, was lined up with others waiting for her cut of a ransom pay-out after one of the gangs freed a Spanish tuna fishing vessel. 'I am waiting for my share after I contributed a rocket-propelled grenade for the operation,' she said, adding that she got the weapon from her ex-husband in alimony. 'I am really happy and lucky. I have made $75,000 in only 38 days since I joined the "company."'"

dasButcher notes that the Supreme Court will hear arguments next week brought by a Nevada accounting firm that asserts the oversight board for the Sarbanes-Oxley Act is unconstitutional. If the plaintiffs are successful, it could force Congress to rewrite or abandon the law used by many companies to validate tech investments for security and compliance. "Many auditing firms have used [Sarbanes-Oxley Section] 404 as a lever for imposing stringent security technology requirements on publicly traded companies regulated by SOX and their business partners. SOX security compliance has proven effective for vendors and solution providers, as it forces regulated enterprises to spend billions of dollars on technology that, many times, doesn’t prevent security incidents but does make them compliant with the law."

duguk writes "Microsoft has confirmed that it is investigating a problem described as the 'black screen of death,' which affects Windows 7 — and reports suggest it affects Vista and XP, too. The firm said it was looking into reports that suggest its latest security update, released on Tuesday 25 November, caused the problem. The error means that users of Windows 7 and earlier operating systems see a totally black screen after logging on to the system." Update: 12/01 22:35 GMT by KD : Microsoft now says that its November Windows updates are not causing the BlackSOD: "The company has found those reports to be inaccurate and our comprehensive investigation has shown that none of the recently released updates are related to the behavior described in the reports."

Nashville Guy writes "According to Australia's The Age, 'A New Zealand man living in Queensland and believed to be behind the world's largest spam operation, has been ordered to pay more than $16 million for running the illegal enterprise. Lance Atkinson, 26, originally from Christchurch, was living in Pelican Waters on the Sunshine Coast when the US Federal Trade Commission (FTC) had his assets frozen last year. ... The FTC found Atkinson and American Jody Smith were at the centre of the world's largest internet spam operation, dubbed 'AffKing,' having recruited spammers from around the world.'"

theodp writes "Over at CNET, James Urquhart sings the praises of cloud computing, encouraging folks to 'really listen to what is being said, understand how the cloud is being used, and seriously evaluate how this disruptive model will change your projects, your organization, and even your career.' Fair enough. Over at the Google Docs Help Forum, some perplexed cloud computing users spent the month of November unsuccessfully trying to figure out why they've been zinged for inappropriate content. Among the items deemed inappropriate and unshareable include notes on Henry David Thoreau ('the published version of this item cannot be shared until a Google review finds that the content is appropriate'), homework assignments, high school yearbook plans, wishlists, documents containing botanical names for plants, a list of websites for an ecommerce class, and a list of companies that rent motorcycles in Canada. When it comes to support in the cloud, it kind of looks like you might get what you pay for."

Trailrunner7 writes "A researcher has published an explanation of a new flaw in FreeBSD that allows a remote attacker to take control of a vulnerable machine. The vulnerability could give an attacker root access to the FreeBSD machine, and the FreeBSD developers have published a patch for the flaw early Tuesday. The vulnerability lies in run-time link-editor and, if exploited, gives an attacker the ability to run arbitrary code. The researcher, Kingcope, has posted an explanation of the flaw on the Full Disclosure mailing list. In a message to FreeBSD users, Colin Percival, the project's security officer, said that because of the severity of the flaw and the fact that exploit code already is available, he felt it was necessary to post the patch as soon as possible, without even publishing a security advisory."

Lucas123 writes "Researchers at Harvard Medical School pored over survey data from more than 4,000 'wired' hospitals and determined that computerization of those facilities not only didn't save them a dime, but the technology didn't improve administrative efficiency either. The study also showed most of the IT systems were aimed at improving efficiency for hospital management — not doctors, nurses, and medical technicians. 'For 45 years or so, people have been claiming computers are going to save vast amounts of money and that the payoff was just around the corner. So the first thing we need to do is stop claiming things there's no evidence for. It's based on vaporware and [hasn't been] shown to exist or shown to be true,' said Dr. David Himmelstein, the study's lead author."

buchner.johannes writes "I was fed up with the general consensus that Linux is oh-so-secure and has no malware. After a week of work, I finished a package of malware for Unix/Linux. Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects. The malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads. I tested it to be injected by a PHP script (even circumventing safe mode), so that the Web server runs it; I even got a proxy server that injects it into shell scripts and makefiles in tarballs on the fly, and adds onto Windows executables for execution in Wine. If executed by the user, the malware can persist itself in cron, bashrc and other files. The aim of the exercise was to provide a payload so security people can 'pwn' systems to show security holes, without doing harm (such as deleting files or disrupting normal operation). But now I am unsure of whether it is ethically OK to release this toolkit, which, by ripping out the BOINC payload and putting in something really evil, could be turned into proper Linux malware. On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed. On the other hand, such a script can be written by anyone else too, and it would be useful to show people why you need SELinux on a server, and why verifying the source of downloads (checksums through trusted channels) is necessary. Technically, it is a nice piece, but should I release it? I don't want to turn the Linux desktop into Windows, hence I'm slightly leaning towards not releasing it. What does your ethics say about releasing such grayware?"

jtavares2 writes "In what is being dubbed Throttlegate, scores of users on many message boards have been complaining about nexplicably aggressive throttling policies on their Dell Latitude E6500 and E6400 laptops which cause their CPUs to be throttled to less than 5% of their theoretical maximums even while at room temperatures. In many cases, the issue can be triggered just by playing a video or performing some other trivial, but CPU intensive, task. After being banned [PDF] from the Dell Forums for revealing 'non-public information,' one user went so far as to write and publish a 59-page report [PDF] explaining and diagnosing the throttling problem in incredible detail. Dell seems to be silent on the issue, but many users are hoping for a formal recall."

theodp writes "Fortune's Dear Annie takes on the case of poor Dazed and Confused, an independent webmaster who's expected to be on call for his client at all hours of the day and night, but doesn't get paid for being on call, only for the 40 hours a week that he's in the office. Surprisingly, Annie throws cold water on the contractor's dreams of paid OT, citing these pearls of wisdom from an attorney who's apparently never had the 'privilege' of being a techie on call: 'Many companies see the on-call issue as analogous to a fire fighter's job. Most of the time, a fire fighter is off-duty but on call, hanging around the firehouse, cooking, sleeping, or whatever. What that person really gets paid for is the relatively small, but crucial, amount of time he spends walking into a burning building with an ax. A webmaster, likewise, has slow times and busy times.'" What on call policies are you used to working with and how should it work in an ideal world?

Unexpof writes "A man has been arrested by the British Police Central e-Crime Unit (PCeU), accused of stealing the usernames and passwords from players of the RuneScape MMORPG. Security experts report that this is one of the first occasions when a Brit has been apprehended for 'virtual robbery,' although incidents have happened in the past. For instance, the CEO of the sci-fi trading game EVE Online stole 200 billion 'kredits,' which he then used as a deposit on a real-world house, and in October last year a Japanese woman was arrested by police after allegedly hacking her virtual husband 'to death.'"

truesaer writes "I'll be spending all of next year backpacking through South America. In the past I've used Internet cafes while away, but this time I plan to bring a netbook and rely primarily on Wi-Fi hotspots. I'll be facing the same issues and risks that business travelers in hotels and airports face, as well as those encountered by millions of other backpackers, gap-year travelers, and students. Since my trip is so long I'll have no choice but to access my banking, credit card, and investment accounts on public networks. I will not have a system at home to connect through. Other than an effective firewall, a patched system, and the use of SSL, what else should I do to protect my information? Keep in mind that many places have very poor bandwidth and latency."

An anonymous reader writes "The phrase 'IT' is so overused, I'm not sure what it means any more. OK, maybe it's an ego thing, but I spent a lot of years in grad school, lots of years getting good at creating software, and lots of years getting good at creating technical products and I don't want the same label as the intern who fixes windoze. I'm looking at a tech management job at a content company that is trying to become a software company, and they refer to everything about software development, data center operations, and desktop support as 'IT.' I'd like to tell the CEO before I take the job that we have to stop referring to all these people as 'IT people' or I'm not going to be able to attract and retain the top-tier talent that is required. Am I just being petty? Should I just forget it? Change it slowly over time? These folks are really developing products, but we don't normally call software creators 'product developers.' Just call them the 'Tech Department' or the 'Engineering Deptartment?'"

1sockchuck writes "The data center of the future may have no central UPS units, and be filled with servers with on-board batteries. Facebook says it will adopt a new power distribution design that shifts the UPS and battery backup functions from the data center into the cabinet by adding a 12-volt battery to each server power supply, an approach pioneered by Google. Facebook says the move will slash its power bill and save millions in capital expenses on UPS systems and PDUs. Facebook acknowledged that these types of custom designs are limited to large companies, but called on server vendors and data center builders to adapt their offerings to make them available to smaller companies."

A post by Cyberveillance a couple of weeks back revealed a complex black-hat operation involving Google searches leading to hundreds of thousands of bogus blogs, exploiting the "long tail" of search results and isolated from Google's auto-detection of malware sites by a shifting network of redirectors. The fake blog posts are innocuous when visited directly, but make aggressive attempts to install a fake Windows anti-virus tool (which is actually a Trojan horse) if clicked through from Google. Other search engines do not index the bogus sites. The Unmask Parasites site has a detailed two-part analysis of the badware operation, which puts some numbers on its scope: almost 688,000 bogus scareware blogs can be located in Google; some of them have upwards of 1000 posts. This analysis also reveals that a large majority of the sites hacked to host fake blogs are on the network of Servage.net. From the second Unmask Parasites link: "What we have here is millions of rogue web pages targeting the long tail of web search (millions of keywords) where each page tries to install fake (and malicious) "anti-virus" software on visitors' computers. While this black-hat campaign is active for at least 6 months, webmasters of the compromised sites and their hosting providers don't simply notice this illicit activity. The good news is Google seems to have noticed this problem. Probably thanks to the Cyveillance blog post. During the week after that post I see a steady decrease in search results returned by the queries that you can find in this post."

nk497 writes "F-Secure researchers are calling attention to the fact that it's impossible to run third-party anti-virus on iPhones, because the SDK doesn't allow for it. It's a problem, as they claim malware will start to target the phone. 'None of the existing anti-virus vendors can make one, without help from Apple,' chief research officer Mikko Hypponen said. 'Apple hasn't been too interested in developing antivirus solutions for the iPhone, because there are no viruses, which of course, isn't exactly true.' At the moment, the only worms faced by the iPhone have targeted unlocked, jailbroken devices — so Apple's not too bothered protecting users of such phones." While Apple claims that the iPhone's closed nature offers protection to its users, and security vendors maneuver for a piece of a market now closed to them, clearly both sides are pushing their own self-interest.

An anonymous reader writes "The FreeBSD Release Engineering Team is pleased to announce the availability of FreeBSD 8 stable release. Some of the highlights: Xen DomU support, network stack virtualization, stack-smashing protection, TTY layer rewrite, much improved ZFS v13, a new USB stack, multicast updates including IGMPv3, vimage — a new virtualization container, Fedora 10 Linux binary compatibility to run Linux software such as Flash 10 and others, trusted BSD MAC (Mandatory Access Control), and rewritten NFS client/server introducing NFSv4. Inclusion of improved device mmap() extensions will allow the technical implementation of a 64-bit Nvidia display driver for the x86-64 platform. The GNOME desktop environment has been upgraded to 2.26.3, KDE to 4.3.1, and Firefox to 3.5.5. There is also an in-depth look at the new features and major architectural changes in FreeBSD 8.0, including a screenshot tour, upgrade instructions are posted here. You can grab the latest version from FreeBSD from the mirrors (main ftp server) or via BitTorrent. Please consider making a donation and help us to spread the word by tweeting and blogging about the drive and release."

Eugen tips news that Microsoft has sent DMCA takedown notices to several websites to stop them from offering the Computer Online Forensic Evidence Extractor (COFEE) tool for download after it was leaked earlier this month. One of the sites, Cryptome.org, has posted their correspondence with Microsoft over the software. "... Microsoft contacted Network Solutions, which hosts Cryptome, and since John Young, the owner of the website, wasn't too keen on losing his whole website for the sake of a single 15MB file, he removed the download link and sent Network Solutions a notice of compliance."

derrida writes "After over a year of intensive development and refactoring, Inkscape 0.47 is out. This version of the SVG-based vector graphics editor brings improved performance and tons of new features, including: timed autosave, Spiro splines, auto-smooth nodes, Eraser tool, new modes in Tweak tool, snapping options toolbar & greater snapping abilities, new live path effects (including Envelope), over 200 preset SVG filters, new Cairo-based PS and EPS export, spell checker, many new extensions, optimized SVG code options, and much more. Additionally, it would be wrong to not mention the hundreds of bug fixes. Check out the full release notes for more information about what has changed, enjoy the screenshots, or just jump right to downloading your package for Windows, Linux, or Mac OS X." We've been following the progress of Inkscape for years (2006, 2005, 2004).

After this weekend's report of a dangerous flaw in IE (which Microsoft confirmed today), intrudere points out an exclusive report in The Register on a new hole in IE8 that could allow an attacker to pull off cross-site scripting attacks on Web sites that ought, by rights, to be safe from XSS. This is according to two anonymous sources, who told El Reg that Microsoft had been notified of the vulnerability a few months ago.