January 28, 2005 4:50 PM PST

Report: Major Windows security update foiled

A Russian security company claims it found a way to beat a security measure in Microsoft's Windows XP Service Pack 2, a major update aimed at securing customers' PCs.

The SP2 measure, known as Data Execution Protection, is intended to prevent would-be attackers from inserting rogue code into a PC's memory and tricking Windows into running the program. However, in a paper published Friday, Moscow-based Positive Technologies said two minor mistakes in the implementation of the technology allow a knowledgeable programmer to sidestep the protection.

The company notified Microsoft of the problem Dec. 22, but it apparently decided not to wait for the software giant to patch the flaws.

Neither Microsoft nor Positive Technologies immediately responded to requests for comment Friday.

After several delays, Microsoft began rolling out SP2 in August of last year, at which time company Chairman Bill Gates called the update "a significant step in delivering on our goal to help customers make their PCs better isolated and more resilient in the face of increasingly sophisticated attacks."

22 comments

Why am I not surprised? Do we...
...have hardware-based security yet?
Posted by ordaj (314 comments )
already get used to it
It is Windows after all, don't expect too much.
Posted by MediaNoxStella (7 comments )
"Experts" or Hackers?
I wonder why it is that any individual or group of individuals choosing to do so can self-anoint and self-appoint to the level of "expert" without the slightest bit of scrutiny from the media as to the veracity of such claims.

Basically, anyone who hacks anybody's software these days for the express purpose of *getting around* its security code in some fashion to misuse and abuse said software can proclaim himself an "expert" and receive immediate acclaim by a media which often doesn't seem to have a clue.

Take this story, for instance. Instead of analyzing the "paper" released as to whether or not the self-proclaimed experts actually have something to talk about besides themselves, the story simply assumes that what the experts have said is true without a doubt. Yet, it does not appear that the reporters filing the story have the ability to determine whether the "paper" has anything worthwhile to say, or whether it's full of pompous, meaningless hot air (I say this because the details comprising many so-called "flaws" which the media trumpets are so unlikely to occur as a set of common, simultaneous conditions a hacker might deem suitable for exploitation that the chance of such flaws being used against a given target is much less than the odds of the target being struck and killed by a bolt of lightning while using his keyboard.)

Rare indeed it is when the media ever bothers to investigate the "expert" status of the groups and individuals it quotes with pomposity, and rarer still is the media outlet which investigates the veracity and probity of the actual "flaws" such groups make loud noises about (I say "groups" but the truth is that many so-called "expert firms" sitting behind such claims consist of a single, unincorporated individual--and the terms "expert" and "firm" are often used by the media to enhance the credibility of such people, and thus the credibility of the stories the media write which use such individuals as their primary basis.)

Wouldn't it be nice to once in a while read a story like this which examined the claims made--instead of the all too familiar format of simply writing stories that do nothing except mindlessly parrot the "experts" making such claims?
Posted by Walt Connery (82 comments )
Wrong place...
News.com and other similar news sites are for
general consumption and do not have the expertise
to evaluate the veracity of a particular claim.
They, like others rely on the experts. Some good
places to start are:

The Common Vulnerabilities and Exposures project:
http://cve.mitre.org/

A vendor neutral security site that provides
updates on security related information:
http://www.securityfocus.com/

These are places where vulnerabilities are
verified or exposed.
Posted by Johnny Mnemonic (376 comments )
Did they give MS enough time to respond?
They waited thirty days before publishing their "paper".

It's been generally accepted that 90 days is an acceptable time to wait for a major corporation to present a viable solution to a security threat, so thirty days *is* sort of pushing a bit too hard. Indeed, I *believe* that laws have been passed to that effect? Giving the flaw-finder a limited form of immunity to prosecution by over-zealous corporations trying to protect their baby with massive firepower?

Again, IANAL, but I also recall-from the dim, cobwebbed recesses of my brain-that when served with such a notice, said corporation should provide some sort of official response to the ones presenting them the info that yes, they *ARE* going to initiate a trouble-call (sic) and will be working towards a viable solution to the problem.

It's a polite way to notify the corp that their software is vulnerable and not get sued for meddling with the code. At the same time, this puts the meddlers under a contract to keep their mouths shut for 90 days, giving the developer a chance to present a solution, or at least notify the public of the vulnerability. If they blab before the 90 days are up, they *could* get in trouble.

Still digging in my brain, I *believe* that if the ones who discovered the flaw do not receive any form of official contact from the developer, saying, "Thanks for the info, we're looking into the problem, now please keep it mum for now," then they should wait 30 days before blabbing it to the world at large.

So...what's the poop?

Are my brain-scrapings accurate? Did the Russian group give MS enough time to formulate a proper response? Did MS even *respond*? I'm left wondering if MS didn't back-slide into its old habits of security through obscurity; hear-no-evil, see-no-evil, speak-no-evil?
Posted by IonOtter (49 comments )
It's only a matter of time...
...before someone finds ways around your security. So someone found a way around some of the security in SP2, big deal. If your job is to sit there for 8 hours a day 5 days a week, of course you are eventually going to find vulnerabilities in someone's software. At least it seems to have slowed the amount of major viruses popping up, unlike the several months before when virus after virus was crippling computers.
Posted by Stork1 (20 comments )
Very low impact
It's not important that they didn't give MS that much time to respond because the number of people who have the hardware in place that allows that particular protection scheme to work is rather low in the first place. Just like the virus writers don't shoot at the Mac, the number of users they'd catch with this is so low as to make it not worth the effort it would take to exploit it.
Posted by Not Bugged (196 comments )