Archive for May, 2007

I Think I’m Moving My Blog

May 23, 2007

I don’t know what’s going on with blogsavy now, but I’ve tried to make several new posts — including twice this morning — and they haven’t posted. I’m looking into moving to a host site that isn’t down more often than it’s up, that doesn’t lose half my content overnight, that doesn’t lock me out from posting, etc.

New Stealthier Gozi Variant

May 20, 2007

A new version of the Gozi Trojan horse has been circulating the Internet since mid-April. The new version was discovered by Don Jackson of Secure Works, who also first discovered the original Gozi earlier this year.

The new version is stealthier because it uses a new and hitherto unseen “packer” utility that encrypts, mangles, compresses and even deletes portions of the Trojan code to evade detection by standard signature-based anti-virus tools. The original Gozi Trojan, in contrast, used a fairly commonly known packing utility called Upack, which made it slightly easier to detect than the latest version.

This version of Gozi also has a new keystroke logging capability for stealing data, in addition to its ability to steal data from SSL streams. According to Jackson, the keystroke logger appears to be activated when the user of an infected computer visits a banking Web site or initiates an SSL session.

Gozi exploits a vulnerability involving MSIE’s iFrame tags, which Microsoft had already patched. Secure Works has supplied signature information to thirty top anti-virus providers, and half of them have integrated the signatures into their products.

The ISP hosting the server to which logged data were being sent has no-routed the destination. The original variant is believed to have affected over 5000 home users. The new variant is believed to have affected another 2500. The server was managed by a Russian group called 76service who purchased the virus code from the Russian criminal group known as HangUp Team (or HT), who are known to have released malware like Backdoor.Padodor before.

RISCOS 5 Code Released

May 19, 2007

Castle, the company that sells Iyonix computers with RISCOS, and RISCOS Open have released the first batch of code for RISCOS 5. According to the last link, “The first set of components released by RISC OS Open and Castle comprises of major applications and modules that form part of the backbone of the operating system”:

These include utility CloseUp; desktop applications Paint, Draw and Edit; the RISC OS Filer and Pinboard; CDFS, various CD device drivers and CDFS Filer; the MessageTrans and BASIC modules; and Browse fetchers. The software is written in a mix of BASIC, C and ARM assembler.

Under terms of the license under which the code has been released, development is limited to ARM processors, meaning x86, PPC, and RISCOS fans using other architectures are locked out. For non-ARM users, rox is a very good, easy to use, and RISCOS-like environment (options can be set so it’s very familiar to RISCOS users).

Even More Rox Shots

May 19, 2007

I changed icons again and just uploaded more screenshots.

Vista’s Aero Isn’t Battery Drain

May 18, 2007

Randall Kennedy has posted the results of his test to determine if Vista’s Aero graphics are a laptop battery drain.

As I suspected, the battery consumption for the non-Aero scenario was within 1-2% of the consumption with Aero enabled. In other words, disabling Aero had little or no measurable impact on battery consumption under Windows Vista Ultimate when running a mix of common business productivity (Internet Explorer, Word, Excel and PowerPoint) applications.

Clipperz: Your Browser As Security Tool

May 18, 2007

I’ve come across a web-based service called Clipperz that may at first glance seem just a password manager, but the service can be as broad as any user wants it to be.

First, some highlights. It’s platform (OS) neutral — it uses the browser’s JavaScript capabilities to encrypt information locally and upload it, in encrypted form, to their servers for storage. It works with Firefox, Opera, MSIE, etc. So you can use it on any operating system and continue to access the service if you change temporarily (such as borrowing a friend’s computer). It’s completely portable so you can access it from any computer, any time, anywhere. It allows you to store your passwords, certificates, and any other online credentials. You can use it to manage and auto-log into your online accounts through one interface. It can also be used to encrypt and manage other text-based information like PINs, access codes, confidential notes, etc., so they can be accessed from anywhere.

Second, some technical information. They use standard 128-bit encryption (SRP, AES, SHA-2, ECC, Fortuna PRNG, SSSS), all of which occurs on your own computer using JavaScript. You keep your own key (Clipperz doesn’t); you lose it, you’re screwed. All they get on the server-side is scrambled data. They don’t know what you’ve uploaded, they don’t even know who you are; your account isn’t tied to an e-mail account, but to your own registered account. They don’t install anything on your computer.

Third, some minor concerns. Encryption is only as strong as the protocols and the passphrase used: stronger passphrases are harder to break than weak ones. I’m also not keen on the idea of storing PINs, account passwords, and information best not shared with the world on someone else’s servers; Clipperz does have an offline copy, which basically dumps what they have in your account down to your computer. The offline copy can’t be modified; modifications must be made online. And since it’s encrypted, the offline copy is only accessible by passphrase.
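The storage model described above (encrypt in the client, upload only ciphertext, derive the key from a passphrase the server never sees), as an added example that is not Clipperz’s code. PBKDF2 and AES-128-GCM from Node’s `crypto` module are stand-ins chosen for illustration, and `sealRecord`, `openRecord` and the in-memory `serverStore` are hypothetical names.

```javascript
// Added example: client-side encryption where the server only stores ciphertext.
const crypto = require('crypto');

// Assumption: PBKDF2 as the passphrase-to-key step (not Clipperz's actual scheme).
const KDF_ITERATIONS = 200000;

// Derive a 128-bit key from the passphrase; the key never leaves the client.
function deriveKey(passphrase, salt) {
  return crypto.pbkdf2Sync(passphrase, salt, KDF_ITERATIONS, 16, 'sha256');
}

// Client side: encrypt a record locally and return the blob to upload.
function sealRecord(passphrase, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-128-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt: salt.toString('hex'), iv: iv.toString('hex'),
           tag: cipher.getAuthTag().toString('hex'), ct: ct.toString('hex') };
}

// Client side: decrypt a blob; null means wrong passphrase or a modified blob.
function openRecord(passphrase, blob) {
  try {
    const key = deriveKey(passphrase, Buffer.from(blob.salt, 'hex'));
    const d = crypto.createDecipheriv('aes-128-gcm', key, Buffer.from(blob.iv, 'hex'));
    d.setAuthTag(Buffer.from(blob.tag, 'hex'));
    return Buffer.concat([d.update(Buffer.from(blob.ct, 'hex')), d.final()]).toString('utf8');
  } catch (e) {
    return null; // GCM authentication failed: nothing is recoverable without the key
  }
}

// Hypothetical server: a plain key-value store that holds opaque blobs only.
const serverStore = new Map();
function upload(id, blob) { serverStore.set(id, JSON.stringify(blob)); }
function download(id) { return JSON.parse(serverStore.get(id)); }

// Constructed sample record and passphrase.
const record = 'bank PIN: 0000 (constructed sample)';
upload('card-1', sealRecord('correct horse battery staple', record));
console.log('server sees:', serverStore.get('card-1'));
console.log('right passphrase:', openRecord('correct horse battery staple', download('card-1')));
console.log('wrong passphrase:', openRecord('wrong guess', download('card-1')));
```

The only secret in this design is the passphrase, so the iteration count and the passphrase’s strength together set the cost of an offline guessing attack against a stolen blob.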

This could be a solution for people who use multiple computers and are concerned about the security of data they need to access and store online.

Coming soon: a review of PassPack, a competing service to Clipperz.

Linux Foundation: MS Claims Not Legally Motivated

May 16, 2007

Jim Zemlin, CEO of the Linux Foundation, answered questions from IT Business Edge about Microsoft’s claims that Linux and other open source software violate 235 MS patents. He says,

Microsoft itself is actually on the record as saying the software patent system in this country has problems. [Microsoft General Counsel] Brad Smith last year called on Congress to reform the U.S. patent system, stating that reforms were needed to curb abusive litigation. I just find it ironic that Microsoft is doing this now, while at the same time agreeing that software patents are a problem. They seem to be a little schizophrenic. I can only translate that as meaning this is more about marketing strategy than any legal strategy.

More Screenshots, More Rox

May 16, 2007

Linus Strikes Back

May 16, 2007

Linus Torvalds has come out swinging after Microsoft’s claims that Linux and other open source projects have violated some 235 Microsoft patents. In this article, Linus says:

It’s certainly a lot more likely that Microsoft violates patents than Linux does. If the source code for Windows could be subjected to the same critical review that Linux has been, Microsoft would find itself in violation of patents held by other companies.

24 Has Jumped the Shark

May 15, 2007

Aside from sports, I don’t watch very much television. There are only two network shows I regularly watch, 24 and Survivor. I normally wouldn’t write here about either, but after watching last night’s episode of 24 I’m ready for 24 to be over.

I’ve been disappointed at every twist and turn in the current season. It started out with Jack being pawned off to a terrorist as an extortion payment; he manages to escape and get in touch with CTU just as a nuclear bomb goes off. Good enough. Then he learns Audrey is dead, then learns she’s not really dead. Meanwhile, his brother dies at the hand of their father and Jack starts to rekindle a relationship with his now-widowed sister-in-law and ex-flame. Then there’s the dopey nephew and the grandfather’s decision to use him to lure Jack and then the grandfather’s decision to take him to China as part of his legacy. Jack likes his nephew, too. All of a sudden we get to see the introspective, contemplative side of Jack Bauer. Why? Geez. And don’t get me started on President Wayne Palmer, his goofy sister, or his in-and-out-and-in-again coma and addiction to adrenaline injections. Who wrote all this crap? Enough with all the lovey-dovey relationships already.

My prediction: Palmer is okay and resumes his job as President for the third time in one day just in time to prevent the Russians from bombing US troops in the Middle East, Jack kills his father, his daughter still won’t have anything to do with him, Audrey snaps out of her mental illness, she and Jack decide to visit Disneyworld or run away to a Jack Russell terrier farm, and her father wants to kill Jack for not leaving her alone. That sets up next season where Jack and Audrey are on the run from Secretary Heller and some malevolent CPAs he knows from his country club. That sounds a lot more interesting than this season has been.