Security professionals said the bell has tolled for the WEP protocol, which is used as a default intrusion-prevention system for IEEE 802.11 wireless LAN Wi-Fi devices.

The troubled protocol suffered its first blow in 2001, when a flaw was revealed in the WEP protocol's RC4 key scheduling algorithm, which allowed radio sniffer programs to extract and inject wireless data packets from and into the network where statistical analyzers, known as WEP crackers, can recover the encryption key to unscramble the data. However, the WEP security key required about 4 million packets to be intercepted for it to be calculated. Now, security experts in Germany have claimed that they can outfox the beleaguered protocol in three seconds, down from the previous best of about five minutes, which kept up with changing security keys.

The experts said they can extract a 104-bit WEP key from intercepted data using a 1.7-GHz Pentium M processor so much faster that the process could be performed in real time by someone walking through an office. Bank of Queensland IT security manager Grant Slender agreed that the WEP protocol is lax and said he would not trust anything built on it.

"We don't use wireless technology, and we wouldn't rely on any form of built-in encryption; we would treat it akin to an untrusted Internet connection," Slender said. "We wouldn't put the same applications over wireless as we would for a cable connection because the wireless security standards have been compromised," he said. "It's simply easier for us to consider the WEP protocol untrusted."

Full Article

JavaScript coding errors and Web developers who are inexperienced at working with emerging programming techniques represent serious threats to the security of many Internet sites and the people who visit them, according to malware researchers.

Speaking at the ongoing ShmooCon hacker convention on March 24, Billy Hoffman, lead research engineer at Atlanta-based software maker SPI Dynamics, detailed what he views as an epidemic problem in today's online world. SPI markets penetration testing tools used by businesses to ferret out security issues from their online sites and applications.

The proposed threat is centered on the prevalence of JavaScript errors and insecure use of so-called Web services programming languages such as AJAX -- which combines asynchronous JavaScript with XML -- in many popular Web sites and applications.

In addition to opening holes in Web applications, Hoffman illustrated how JavaScript and AJAX-based tools can be used by hackers to find new vulnerabilities online, and build XSS (cross-site scripting) attacks that can move from one online domain to another, which he cited as a relatively cutting-edge malware development.

"In the last two years, we've seen JavaScript go from stealing cookies to doing key-logging, screen-scraping and all sorts of phishing attacks," Hoffman said. "JavaScript used to be something that was more annoying than anything, but now it's being used in port scanning, to create self-propagating malware and to steal browser histories."

The researcher, who said that JavaScript vulnerabilities are present in sites maintained by everyone from well-known online retailers to large financial services companies, demonstrated a proof-of-concept exploit based on a JavaScript flaw on CNN.com, and how it could be used to manipulate content on the news site's pages. The issue was reported in security forums several months ago, and sent to CNN by researchers, but it still hasn't been fixed.

Malicious-code writers are using the same techniques to create cross-site scripting threats -- malware attacks that inject code into end users' browsers via holes in legitimate sites -- to mislead consumers into handing over their passwords and giving hackers access to their personal information, according to the researcher.

PayPal and MySpace.com are among the major Web properties that have been targeted by major JavaScript-based XSS attacks in recent months. More Here

Almost 70 percent of all electronic mail from Asia is "spam", or unsolicited advertisements, an anti-virus firm said Friday.

The Philippines had the worst record with spam making up 88 percent of all emails, Symantec Corp. said in excerpts of its Internet Threat Security Report released here.

The average percentage of emails sent from the Asia-Pacific region that were spam was 69 percent, the report added.

Although the Philippines had the highest proportion of spam, China was the largest source of spam by sheer volume, the report said.

Thirty-seven percent of all spam detected from Asia-Pacific originated from China.

Symantec said in a statement that it could not provide the total number of e-mails monitored but that the results was based on data from over two million "decoy accounts" attracting email from 20 different countries.

A federal judge dealt a blow to Vonage Holdings Corp. that sent its stock reeling on Friday, when he agreed to bar the company from using Internet phone call technology patented by Verizon Communications Inc.

Vonage said it was confident its customers would not experience service interruptions, but investors sent its shares down nearly 26 percent.

U.S. District Judge Claude Hilton said he would delay signing the order for two weeks to give Vonage time to try to convince him to stay the injunction while it appeals the entire patent infringement case. "I will sign the injunction at the time I rule on the stay," Hilton said at a hearing.

Hilton agreed with Verizon that it would suffer irreparable harm if he allowed continued infringement of the Voice-over-Internet Protocol (VoIP) technologies that allow consumers to make calls over the Internet.

He rejected arguments by Vonage that the harm to Verizon, the No. 2 U.S. telephone company, was outweighed by other factors, including the public interest.

"I don't think it's going to kill Vonage," said Albert Lin, an analyst at American Technology Research. But he said the legal costs and management distractions were disruptive.

Another Trojan horse is spreading through the Internet telephone network of Skype Ltd.

The malicious code, known as both Warezov and Stration, is similar to an earlier version detected in February, but with a new URL (uniform resource locator) and a new version of the malicious code, according to an alert posted Thursday by Websense Inc.

Websense warns Skype users to watch for the message "Check up this," with a URL containing a hyperlink.

The code itself isn't self-propogating but when it runs, the URL is sent to everyone on the user's contact list.

When users click on the link, they are redirected to a site that is hosting a file named file_01.exe. Users are then prompted to run the file and if they do, several other files are downloaded and run. The downloaded files are other versions of the Waresov/Stration malicious code.

However, that server doesn't appear to be operating, according to Websense.

It's the early 21st Century, the United States is the reigning capital of computer attacks, hackers have become international crime rings, and you can buy a stolen credit card number for as little as $1 or a complete identity for $14.

This might read like near-future science fiction, but it's reality, according to a new security report released Monday by Symantec, covering the last six months of 2006.

The Internet Security Threat Report, issued twice yearly by the computer security firm, paints a grim picture. "Attackers are now refining their methods and consolidating their assets to create global networks that support coordinated criminal activity," the report stated.

While a recent report from McAfee showed that Internet domains from Romania, Russia, and the tiny island of Tokelau were among the riskiest in relative terms, the Symantec report found that the U.S. is the source of about 31 percent of all malicious computer activity, beating China (7 percent) and Germany (7 percent).

As for servers used for buying or selling stolen personal information, 51 percent were located in the U.S.

In most areas profiled in the report, the situation has gotten worse. Nearly 30 percent more computers are part of botnets than the previous six months. Trojans can take over a computer without the user knowing it, turning it into a zombie machine used for pumping out spam, launching denial-of-service attacks, or participating in other nefarious activities at the behest of the remote hackers.

On a given day in the period the report covered, there were an average of about 64,000 active bot computers, with China having the highest number.

If you thought you're seeing more and more junk mail, you're right. Spam makes up an astounding 59 percent of all email traffic, the report said, an increase of 5 percent over the first half of the year.

Intel privately shared parts of its roadmap for memory technologies through 2008. Intel’s progress on phase-change memory, PCM or PRAM, will soon be sampled to customers with mass production possible before the end of the year.

Phase-change memory is positioned as a replacement for flash memory, as it has non-volatile characteristics, but is faster and can be scaled to smaller dimensions. Flash memory cells can degrade and become unreliable after as few as 10,000 writes, but PCM is much more resilient at more than 100 million write cycles. For these reasons, Intel believes that phase-change memory could one day replace DRAM.

“The phase-change memory gets pretty close to Nirvana,” said Ed Doller, CTO of Intel’s flash memory group. “It will start to displace some of the RAM in the system.”

For its implementation of phase-change memory, Intel has since 2000 licensed technology from Ovonyx Inc.. The Ovonyx technology uses the properties of chalcogenide glass, the same material found in CD-RW and DVD-RW, which can be switched between crystalline and amorphous states for binary functions.

Every potential PCRAM memory maker thus far licenses Ovonyx technology. According to Ovonyx’s Web site, the first licensee of the technology was Lockheed Martin in 1999, with Intel and STMicroelectronics in the following year. Four years after that, Nanochip signed an agreement.  Elpida and Samsung were the next two in 2005, and Qimonda marks the latest with a signing this year.

Mozilla has issued another minor update to its Firefox 2.0 web browser. New for Firefox 2.0.0.3 is a single security fix that patches up a hole in the browser’s FTP PASV functionality. A malicious web page hosted on a specially-coded FTP server could use this feature to perform a rudimentary port-scan of machines inside the firewall of the victim.

Mozilla says that by itself this causes no harm, but information about an internal network may be useful to an attacker should there be other vulnerabilities present on the network. Also new in 2.0.0.3 are fixes to improve Web site compatibility.

The last time the Firefox was updated was less than a month ago when 2.0.0.2 was released to address issues with AutoComplete, how the "Save" dialog box displays for known file extensions, a bug where a mouse's scroll wheel would stop working, two memory leaks and a number of security-related concerns.

Firefox users can download 2.0.0.3 from Mozilla's homepage or use the auto update function within the browser.

PayPal has been dying! This has got the attention of the media. Which gets more attention from the general public. Which gets more attention of the media. Eventually it'll get the attention of law enforcement. With Enron and MCI going down, people realize again that just because you are a big publicly traded business doesn't mean you are honest. (FAR FROM IT!)

In addition, we've been getting interview requests from additional media. It started with Forbes several months ago. But as each of them pick up the story, so will 10 more. We now have reached "critical mass." We are too big to ignore anymore. So now the media has to pay attention. Now is the time to strike back harder than ever. Not with truck bombs or pipe wielding thugs but with our keyboards, telephones, and pens.

There are options here is but one.

As promised, Microsoft Corp. did not unveil any security fixes for March. But it did push out several other patches it deemed "high priority," including two for Windows Vista.

The last time Microsoft went a month without releasing security fixes was September 2005.

Among the four updates Microsoft pegged as "non-security, high-priority" today were the usual monthly revamp of the Microsoft Malicious Software Removal Tool and new signatures for the Outlook 2003 and Outlook 2007 antispam filters.

One Vista-specific update was also on the list, as was another that affected both XP and Vista.

The first, dubbed "March 2007 Windows Vista Application Compatibility Update," added compatibility "shims" -- code that makes an application think it's actually running on a pre-Vista PC -- for older Windows titles, including Trend Micro's Internet Security, Windows Server 2003 (SP1) Administration Tools Pack and RealNetworks' RealPlayer 6.0.12.

The second was another revision to the Windows Media Format 11 SDK (software developer's kit) code. In the associated support document, Microsoft said that the update corrected a problem that some portable music players had in synchronizing data with subscription services.

The rare no-patch Tuesday caught some security analysts and professionals trying to figure out how to spend their free time.

The SEC is serious in its effort to combat stock spam -- bulk e-mail messages pushing unknown stocks in get-rich-quick schemes. On Thursday, the federal agency suspended trading for 10 days in 35 stocks highlighted in spam campaigns.

By most accounts, spam now represents roughly 90 percent of all e-mail sent or received on the Internet, with stock-pushing spam accounting for as much as a third of all unsolicited commercial e-mail -- as many as 100 million e-mails each week, according to the SEC.

The kinds of e-mail that the SEC is pursuing usually push a company that has only a relatively small number of shares available to the public. The e-mails are readily recognizable with subject lines such as "Ready to Explode," "Ride the Bull," and the unsubtle "Fast Money."

Those spam victims who do buy the stock often find the value dropping quickly after the spammers have seen a spike in prices and sold their shares. The SEC said this could account for hundreds of millions of dollars in losses.

As one of several examples, the SEC cited Apparel Manufacturing Associates, Inc., which trades as APPM. It closed on a Friday in December of 2006 at $0.06 a share, with 3,500 shares traded.

After a weekend spam campaign, touting "huge news expected out of APPM," it spiked to $0.19 a share on Monday, with nearly 500,000 shares trading, before collapsing back down to $0.10 about a week later.

AV-Comparatives, a project in Austria overseen by security researcher Andreas Clementi, published the antivirus comparison report, which also looked at products from Symantec Corp., McAfee Inc., Kaspersky Lab Ltd., BitDefender, Fortinet Inc., F-Secure Corp. and several other antivirus products from smaller vendors.

In detecting Windows viruses, worms, macros, scripts and other OS threats, Microsoft ranked last out of the 15 vendors tested, detecting them 91 percent of the time. G Data Software AG's Anti-Virus Kit (AVK) ranked first with 99.6 percent detection, while products from three vendors-- Kaspersky Anti-Virus, MicroWorld Technologies Inc.'s eScan and F-Secure Anti-Virus-- tied for second with 99 percent detection. TrustPort Antivirus Workstation from AED Ltd. came in third with 98.9 percent detection.

In preventing intrusion through backdoors, Trojans and in other malware detection, Windows OneCare also ranked last out of 13 vendors, with 79.6 percent detection. TrustPort came in first at 99.5 percent detection; AVK came in second with 99.4 percent detection; and AVIRA GmbH's AntiVir Personal Edition Premium came in third with 98.9 percent detection.

If ranking low in its rates of malware and virus detection isn't enough to irk users, a recent update to the product has been quarantining the Outlook.PST file, which stores mail in Outlook and Outlook Express, users reported recently on a Microsoft Windows user form.

"This is the most unacceptable act Microsoft has ever committed," groused one user, with the log-in TG4752, on the forum. "I run a small business and I am screwed. I have no way to respond to e-mails because I made the mistake of trusting Microsoft... and all of my e-mails and contacts are gone."

Microsoft confirmed the problem and has patched it.

Meta Tag Generator 1.1

Meta Tag Generator 1.1 builds HTML META tags for better search indexing by robot-based search engines. In addition the software allows you to view the meta tags of the top 100 results for a given search query as retrieved from the Yahoo search engine.

SCSI vs SATA
       It is a relatively common belief that SCSI, or serial attached SCSI (SAS) in its newest incarnation, is faster than SATA for any and all situations. While this may be true for server usage patterns, and may have been true at one point for desktop applications, it no longer applies.

MTBF
      This is a measurement of a hard drive’s reliability that is often quite misunderstood. The MTBF, or mean time between failures, is a length of time that is achieved by monitoring failure rates for a large number of drives. For example, if drive A has a 600,000-hour MTBF and drive B has a 1.2 million-hour MTBF, don’t assume that drive A will last 68 years and drive B will last 137 years, it just isn’t going to happen.

SATA I/O
      The term ‘SATA II’ is often used, incorrectly, to indicate that a drive has a 300MB/sec interface. The organisation that penned out the features of the newest SATA standard was named ‘SATA II’ which is where the confusion came from; the name is now changed to SATA-IO in an attempt to stop manufacturers from using incorrect terminology.

NCQ
      Native command queuing, or NCQ, is a feature that has been included in many consumer SATA drives in the last few years. Command queuing is a technology that was introduced in 1994 as TCQ (tagged command queuing) with the SCSI2 standard, so it’s by no means a new development. The technology allows for significant performance improvements when used in server environments by reordering commands sent to the drive, optimising them so that there is as little head movement as possible when servicing the commands.

Full Article

Microsoft Corp. quietly deployed a patch to its Windows Live OneCare security suite earlier than expected to fix a bug that has erased some users' e-mail.

"On Sunday, March 11, the Windows Live OneCare team released a new anti-malware engine that will fix the issue of OneCare erroneously quarantining certain Outlook .pst or Outlook Express .dbx files when infected files were detected within them," a Microsoft representative confirmed today. "Windows Live OneCare customers whose PCs are connected to the Internet will automatically get this fix."

Last week, Microsoft responded to user complaints that their Outlook and Outlook Express mail had vanished by acknowledging the bug and naming today as the patch date. As complaints continued to mount, it released the patch ahead of schedule.

1) Create a text file and name it Backup.sql (or what ever you want).

2) Paste the below script in it:

DECLARE @BackupFile varchar(255), @DB varchar(30), @Description varchar(255), @LogFile varchar(50)
DECLARE @Name varchar(30), @MediaName varchar(30), @BackupDirectory nvarchar(200)
SET @BackupDirectory = 'E:\SQLBackup\'
--Add a list of all databases you don't want to backup to this.
DECLARE Database_CURSOR CURSOR FOR SELECT name FROM sysdatabases WHERE name <> 'tempdb' AND name <> 'model' AND name <> 'Northwind'
OPEN Database_Cursor
FETCH next FROM Database_CURSOR INTO @DB
WHILE @@fetch_status = 0

    BEGIN
    SET @Name = @DB + '( Daily BACKUP )'
    SET @MediaName = @DB + '_Dump' + CONVERT(varchar, CURRENT_TIMESTAMP , 112)
    SET @BackupFile = @BackupDirectory + + @DB + '_' + 'Full' + '_' +
    CONVERT(varchar, CURRENT_TIMESTAMP , 112) + '.bak'
    SET @Description = 'Normal' + ' BACKUP at ' + CONVERT(varchar, CURRENT_TIMESTAMP) + '.'

    IF (SELECT COUNT(*) FROM msdb.dbo.backupset WHERE database_name = @DB) > 0 OR @DB = 'master'
    BEGIN
    SET @BackupFile = @BackupDirectory + @DB + '_' + 'Full' + '_' +
    CONVERT(varchar, CURRENT_TIMESTAMP , 112) + '.bak'
    --SET some more pretty stuff for sql server.
    SET @Description = 'Full' + ' BACKUP at ' + CONVERT(varchar, CURRENT_TIMESTAMP) + '.'
    END
    ELSE
    BEGIN
    SET @BackupFile = @BackupDirectory + @DB + '_' + 'Full' + '_' +
    CONVERT(varchar, CURRENT_TIMESTAMP , 112) + '.bak'
    --SET some more pretty stuff for sql server.
    SET @Description = 'Full' + ' BACKUP at ' + CONVERT(varchar, CURRENT_TIMESTAMP) + '.'
    END
    BACKUP DATABASE @DB TO DISK = @BackupFile
    WITH NAME = @Name, DESCRIPTION = @Description ,
    MEDIANAME = @MediaName, MEDIADESCRIPTION = @Description ,
    STATS = 10
    FETCH next FROM Database_CURSOR INTO @DB
END
CLOSE Database_Cursor
DEALLOCATE Database_Cursor

Open scheduler and create a new task that calls the below command line:
            sqlcmd -S . -i "E:\Backup.sql"

Clean up Old Backup Files.

If you are running Windows Server 2003 you can also run a command utility to delete any files older then x number of days. This helps keep it cleaned up. Just paste this in a batch file and schedule the batch file.

echo on

rem First Delete old SQL Backup Files

FORFILES /p E:\SQLBackup /s /m *.* /d -3 /c "CMD /C del /Q @FILE"

rem pause

Windows contains a trap in which quite a few computers seem to get caught sooner or later. The trap was described in a Web article whose link no longer works (and also in another one mentioned below):

PIO mode is enabled by default in the following situations:

For repeated DMA errors. Windows XP will turn off DMA mode for a device after encountering certain errors during data transfer operations. If more that six DMA transfer timeouts occur, Windows will turn off DMA and use only PIO mode on that device.

In this case, the user cannot turn on DMA for this device. The only option for the user who wants to enable DMA mode is to uninstall and reinstall the device.

Windows XP downgrades the Ultra DMA transfer mode after receiving more than six CRC errors. Whenever possible, the operating system will step down one UDMA mode at a time (from UDMA mode 4 to UDMA mode 3, and so on).

If you're not interested in the details, but just want to fix this problem as quickly as possible:

1. Click here.
2. Despite any warnings click on the [Open] or [Execute] buttons as required to execute the file resetdma.vbs. (If you fear that this web site could be malevolent, you can use the manual method instead, which is described below. Or you could download, save, and inspect the program with an editor like the Windows Notepad. It is a script text file.)
3. If the program found any ATA channel to reset, reboot your computer and test all drives.
4. If the problem is still not solved, set the offending channel to PIO manually, reboot your computer, set the channel back to DMA, and reboot again.

Full article

Insulting the country's founder, Mustafa Kemal Ataturk, is a crime in Turkey punishable by prison.

Turk Telekom, the country's largest telecommunications provider, immediately began enforcing the ban Wednesday. Those who tried to access the YouTube site from Turkey encountered the message: "Access to this site has been blocked by a court decision!..."

"We are not in the position of saying that what YouTube did was an insult, that it was right or wrong," the head of Turk Telekom, Paul Doany, told the state-run Anatolia news agency. "A court decision was proposed to us, and we are doing what that court decision says."

A message in both Turkish and English at the bottom of the page said, "Access to http://www.youtube.com site has been suspended in accordance with decision no: 2007/384 dated 06.03.2007 of Istanbul First Criminal Peace Court."

The court — acting on a petition from Turk Telekom — ruled later Wednesday that it would revoke the ban as soon as it ascertained that the offending videos had been removed from YouTube. YouTube is owned by internet search engine giant Google.

In recent days, Turkish media publicized what some called a "virtual war" between Greeks and Turks on YouTube, with both sides posting videos to belittle and berate the other.

The video prompting the ban allegedly said Ataturk and the Turkish people were homosexuals, news reports said. The CNN-Turk Web site featured a link allowing Turks to complain directly to YouTube about the "insult."

On its front page on Wednesday, the newspaper Hurriyet said thousands of people had emailed YouTube and that the Ataturk videos had been removed from the site. "YouTube got the message," the headline said.

We do not understand why Nvidia seems to have abandoned Raid 10. Intel Matrix Storage Technology on the 965P and Q965 chipset both support raid 10 on board with several motherboards. We again searched to web only to find the misleading, non factual information still is alive and well.

What we cannot understand is the number of people who still seem to think that raid 10 is the same as 0+1. Are these people just picking up incorrect information and pasted it in their site without any research at all? If there is any question what so ever ask and ask.

Yes 1+0 is different from 0+1. We have thought about simply pointing at the sites which are wrong but that is not wise.
What is hard to believe is there are data recovery companies claiming 0/1 is the same as raid 10. It is simple 10 is 1+0 and the mirror comes before the strip.

We could point you at our resources and we will, but since there appears to be endless misleading information.  We will simply point at the correct information and let the others run wild.

ActiveServers
Webopedia
ACNC

A Web site posted a tool that can apparently crack Windows Vista's activation process by applying brute force -- and lots of time -- to come up with valid product keys, circumventing one of Microsoft's most important antipiracy methods.

Microsoft said it is investigating the attack. "We're looking into this issue now," said Alex Kochis, senior product manager of WGA (Windows Genuine Advantage) , on the group's blog.

According to the KezNews.com write-up by someone identified as Computer User, who created the "KeyGen" tool, the process uses a modified version of the software license manager script file to search for valid keys. Crackers, however, must periodically check to see if the key they entered earlier has changed, then attempt to activate using the changed key. Those parts of the procedure can only be done manually.

While we got all you Pirates foaming at the mouth perhaps you might want to read this article first. It has been most amusing the lengths people go to crack on MS. This is a good article and recommend it before formatting that disk. 

Mozilla Foundation on Monday issued a critical fix designed to address vulnerabilities in a recent security update for the Firefox browser and SeaMonkey application suite.

The security flaws were discovered in Firefox 1.5.0.9 and 2.0.0.1, as well as in SeaMonkey 1.0.7, according to a security advisory posted by Mozilla.

Security researchers say the initial fix, issued in mid-December, was designed to address vulnerabilities in Firefox, SeaMonkey and Mozilla's Thunderbird e-mail client. But that particular fix introduced a flaw that could allow JavaScript code from Web content to be exploited, then lead to the execution of arbitrary code.

Mozilla advises Firefox users to upgrade to version 1.5.0.10 and 2.0.0.2, and SeaMonkey users to update to version 1.1.1 and 1.0.8.

Disabling JavaScript will not protect users from the vulnerabilities, Mozilla warned.

AMD today introduced its first chipset products to be released only under its own brand rather than ATI's: the integrated 690G and 690V.

The 690G incorporates two independent display controllers and ingratea signalling for DVI, HDMI, TV, CRT and LCD monitors. It also has HDCP support built in. The 690V drops the integrated DVI and HDMI signalling, and features a lower-clocked graphics core.

AMD said the integrated GPUs deliver significant 1,024 x 768 un-antialiased, un-aniso'd graphics benchmark leads over Intel's rival G965 chipset, though it won't be long before Intel has the G965's successor, the G35, out the door in Q2, which may change the scores. AMD may well have the edge on price, however.

Both products incorporate AMD's ATI-inherited SB600 South Bridge chip, which provides ten USB 2.0 ports, four SATA ports and legacy parallel ATA and PCI support. Interestingly, the North Bridges both handle audio. They also provide PCI Express connectivity, both for external graphics cards, as usual, and for other devices.

All this has taken a while coming. The RS690 - the codename under which the 690G was developed - was first roadmapped for a Q2 2006 release alongside the SB600. The SB600 shipped as expected, and while the RS690 appeared in June at least year's Computex show, only now are boards based on the part coming to market. "Read More Here"

Security researchers have found a way to use JavaScript to map a home or corporate network and attack connected servers or devices, such as printers or routers.

The malicious JavaScript can be embedded in a Web page and will run without warning when the page is viewed in any ordinary browser, the researchers said. It will bypass security measures such as a firewall because it runs through the user's browser, they said.

"We have discovered a technique to scan a network, fingerprint all the Web-enabled devices found and send attacks or commands to those devices," said Billy Hoffman, lead engineer at Web security specialist SPI Dynamics. "This technique can scan networks protected behind firewalls such as corporate networks."

A successful attack could have significant impact. For example, it could scan your home network, detect a router model and then send it commands to enable wireless networking and turn off all encryption, Hoffman said. Or it could map a corporate network and launch attacks against servers that will appear to come from the inside, he said.

"Your browser can be used to hack internal networks," said Jeremiah Grossman the chief technology officer at Web application security company WhiteHat Security. Both SPI Dynamics and WhiteHat Security came up with the JavaScript-based network scanner at about the same time, he said. The companies plan to talk about their findings at next week's Black Hat security event in Las Vegas.

Full Article

While I have been waiting to buy a new box and get off and running with Vista I have been reading. I admit I have always been a windows fan. If you started in DOS and windows 3.1 how could you resist. XP has proven to be a good OS and though right now I am reading many of switch to MAC comments, with more questions.

It is a difficult thought when one considers the things they would be missing. Provided they actually use their computer as a serious user. I admit even I am a bit torn over the single issue of how much work I am willing to give toward setting every perm on a daily basis. I have enough experience just with I.E. 7.0 to know I really do not care for labors of trusting sites and while the granularity is great, and security is improved no doubt about that fact.  

It has been my observeration that many people do not even have a firm grip of controlling security settings in their browsers. Which leads one to wonder is there a better way? It appears there is clearly no shortage of debate surrounding the OS.

Here are some articles on the topic.  <Bit-Net> <Uninspired> <Toms>

The Storm worm that wreaked havoc in January has opened up a new front in its war against users—instant messaging.

The Trojan virus that was responsible for countless spam e-mails sent around the globe has spawned a new variant that is using AOL Instant Messenger, Google Talk and Yahoo Messenger to proliferate. The worm attacks by detecting when someone is chatting and sending out a message with a link to the first stage of malware on a site. If the user clicks the link, the first stage will execute.

"The botnet handlers will periodically inject new commands into this peer-to-peer network, and one of the first things they do is tell the infected machines to download several executables," explained Jose Nazario, software and security engineer for Arbor Networks.

Click here to read about research showing that IM malware attacks are on the rise.

Coghead empowers tech-savvy business people to develop applications for common business problems. By combining the benefits of zero infrastructure, drag and drop tools, powerful development features and more, Coghead is changing the app development game, in your favor.

Now you can develop custom apps quickly, and share them with your co-workers in real time. The revolutionary Coghead application delivery service provides an intuitive drag and drop development environment so you can build, and maintain, your custom applications yourself... no coding required!

Two of the flaws could allow an attacker to execute code on an unpatched system, Apple said. Patches are now available on Apple's Web site or through the Software Update selection under the Apple menu on a Mac.

Apple noted that proof-of-concepts for the flaws were posted on the Month of Apple Bugs Web site. But it doesn't appear that attack code has surfaced using the concepts outlined by the project. Apple has fixed several flaws identified during the course of January by the project, but some remain open.

The two flaws that could lead to arbitrary code execution are found in Finder and iChat. There's a buffer overflow flaw in Finder that could allow an attacker to take control of a system by "enticing a user into mounting a malicious disk image," or tricking someone into enabling local access of a file supposedly stored on a remote server. Apple credited Kevin Finisterre, one of the participants in the Month of Apple Bugs project, for reporting the issue, something it did not do on the three other flaws patched on Thursday.

The other patch, for iChat, fixes an issue in which a user could click on a malicious URL in a chat session and trigger an overflow, possibly opening the system to an attacker.

I cannot understand this from the most arrogant group of people on the planet. The OS that claims to be the best solution known to man has flaws? What next no santa claus or the tooth fairy? Perhaps we may not have to watch the stupid commericals anymore with PC and MAC.

I have no idea about these things accept what I have been told. Certainly nothing like those of you in the newly formed EU, state of insanity! It appears they have volume control restrictions on their Ipods. What the heck is that about? I know the UK has big brother watching everywhere but really volume control restrictions.

This little software program called goPod will allow you to uncap your iPod's volume so the sound comes out louder. Apart from the iPod Shuffle, every (recent) iPod is now compatible with this software version (1.3), including the nano. Reminder, the prolonged use of an MP3 player at a high sound volume damages your hearing Get it Here!

Win32++ provides a framework for developing applications, using the Win32 API directly. It supports all MS operating systems which run the Win32 API, from Windows 95 through to Windows XP and Vista. This framework is designed to produce programs with a similar look and feel to those created using MFC. It can develop applications based on simple windows, dialogs, frames and MDI frames. The frames produced by Win32++ have the following features:

• Rebar Control (to contain the Menubar and Toolbar)
• Menubar
• Toolbar
• Status bar
• Tool tips

Win32++ also brings an object oriented approach to programming directly with the Win32 API. Each window created is a C++ class object capable of having its own window procedure for routing messages.

Hopefully, beginners will find this framework simpler and easier to use than MFC. There are no confusing macros in the message maps for example, just straightforward C++. Most importantly, for beginners perhaps, this framework runs on free compilers readily available for download from the internet. You don't need to buy a compiler to use it.