If Tyranny and Oppression come to this land, it will be in the guise of fighting a foreign enemy
James Madison (American 4th US President (1809-17), and one of the founding fathers of his country. 1751-1836)

Tuesday, April 17, 2007

How much information is too much information when reporting flaws

I don't know, but that is an interesting dilemma. Whereas software companies want to do the responsible thing and let their customers know of a flaw, without disclosing the flaw itself, and provide a workaround until a patch is available, but it seems that there are a few people out there who take the workaround information and figure out what the flaw actually is. Outside of those that intend to do good with the exploit, pen testers and such, you still have that group of people that intend to do harm with an exploit. So this leaves what may have been an unnoticed flaw, until it was reported as such, a real security hazard for those that actually use said vulnerable software. Now they HAVE to do the workaround and the patch as soon as it is available, because X software company published in essence a "how to" exposé on its own software.

It is a vicious circle this damn responsible disclosure, but I would take the software companies letting this information be known and speeding up the process of patching versus having something in the wild that is widely used but still an unknown hole.

Where do you stand on this debate?

- "MS Giving Exploit Writers Clues To Flaws" @ slashdot
- "Microsoft’s advisories giving clues to hackers" @ ZDNet blogs

Windows Media Plugin for Firefox

In reading the TechNet blog of "The Sean Blog" I found out that Port 25 has made a plug-in for Firefox that allows you to view Windows Media files. Although I might add that I have not had an issue with this...don't know why...but it just hasn't been an issue...although I do think it is cool that there is a specific plug-in for those of you that do.

- "Windows Media now works on Firefox!" @ The Sean Blog
- "Windows Media Player Firefox Plugin - Download" @ Port 25


Don't is Oracle Patch day!

Today is patch Tuesday for Oracle admins and the like. Oracle will be releasing a critical Patch update today that will fix some 37 bugs in the following products:

* Oracle Database 10g Release 2, versions,
* Oracle Database 10g Release 1, versions,
* Oracle9i Database Release 2, versions,
* Oracle Secure Enterprise Search 10g Release 1, version 10.1.8
* Oracle Application Server 10g Release 3 (10.1.3), versions,,
* Oracle Application Server 10g Release 2 (10.1.2), versions -,,
* Oracle Application Server 10g (9.0.4), version
* Oracle10g Collaboration Suite Release 1, version 10.1.2
* Oracle E-Business Suite Release 11i, versions 11.5.7 - 11.5.10 CU2
* Oracle E-Business Suite Release 12, version 12.0.0
* Oracle Enterprise Manager 9i Release 2, versions,
* Oracle Enterprise Manager 9i, version
* Oracle PeopleSoft Enterprise PeopleTools versions 8.22, 8.47, 8.48
* Oracle PeopleSoft Enterprise Human Capital Management version 8.9
* JD Edwards EnterpriseOne Tools version 8.96
* JD Edwards OneWorld Tools SP23
* Oracle9i Database Release 1, versions, FIPS
* Oracle9i Database Release 2, versions
* Oracle Database 10g Release 2, version

The following are things that are fixed in the various components of the above products:

Oracle Database
* Advanced Queuing
* Advanced Replication
* Authentication
* Change Data Capture (CDC)
* Core RDBMS
* Oracle Agent
* Oracle Instant Client
* Oracle Streams
* Oracle Text
* Oracle Workflow Cartridge
* Rules Manager, Expression Filter
* Ultra Search
* Upgrade/Downgrade

Oracle Application Server
* Oracle COREid Access
* Oracle Discoverer
* Oracle Portal
* Oracle Wireless
* Oracle Workflow Cartridge
* Oracle WebCenter Suite - Secure Enterprise Search

Oracle Collaboration Suite
* Oracle Workflow Cartridge fix
* 1 new Specific fix for OCS; no name

Oracle E-Business Suite
* 2 of these vulnerabilities may be remotely exploited without authentication; no other specifics, but "may be exploited over a network without the need for a username and password"
* Oracle Application Object Library
* Oracle Applications Manager
* Oracle Common Applications
* Oracle iProcurement
* Oracle iStore
* Oracle iSupport
* Oracle Report Manager
* Oracle Sales Online
* Oracle Trade Management
* Oracle Workflow Cartridge

Oracle Enterprise Manager
* 2 fixes; "both of which may be remotely exploitable without authentication, i.e. they may be exploited over a network without the need for a username and password."

Oracle PeopleSoft Enterprise PeopleTools
* 1 new security fix for PeopleSoft Enterprise Human Capital Management
* 1 new security fix for JD Edwards EnterpriseOne and JD Edwards OneWorld Tools
* JD Edwards HTML Server
* PeopleSoft Enterprise Human Capital Management
* PeopleTools

* All information comes from the following Oracle Security Bulletin: Oracle Critical Patch Update Pre-Release Announcement - April 2007

- Oracle Downloads @ Oracle
- Critical Patch Updates and Security Alerts @ Oracle

Friday, April 13, 2007

IT Professional Step-by-Step Guides for Vista

Just cruising the web and found myself on the MS forums...where I stumbled on these little helpful how-to's for Vista. I haven't read them all...but in scanning the Netsh commands for a wireless network...I can see where they can be handy. Check 'em out!

- "Windows Vista Step-by-Step Guides for IT Professionals" @ Microsoft

Thursday, April 12, 2007

Death of XP!

Okay...I am going to go out on a limb here and say that maybe Paul Thurrott knew something the rest of us did not when he put out his comment about there being no Service Pack 3 for XP. If you are glassy eyed wondering WTF I am going on about...well read up here, "Service Pack wonders...when? and if ever?". Now onto what Paul might have seems that Microsoft has let out of the bag that it will be discontinuing the sale of XP starting during the first quarter of 2008 and with that announcement it has left more than a few wondering if that will mean that Microsoft will also shift some dates around with its "Service Pack Roadmap" and cut that road short, while putting Vista in the express lane. up on some of these links and share your thoughts...kinda sucks if you ask me...the least Microsoft can do is have a viable alternative rather than something that is less than viable from the standpoint of software and driver compatibility. Something that most importantly will not force one to update the majority of their software library or find alternatives that work with the Vista OS.

- "Windows XP to be Phased Out by Year's End Despite Strong Demand" @ OS News
- "Windows XP to be phased out by year's end despite customer demand" @ APC
- "Microsoft to Discontinue OEM sales of XP by the End of 2007" @ Daily Tech
- "Time is Running Out for Windows XP" @ Yahoo News
- "Time is Running Out for Windows XP" @ PC World
- "Windows XP execution date set" @ The Inquirer
- "Service Pack wonders...when? and if ever?" @ CTRL Zone Blog

Symantec issues a patch for its Enterprise Security many will do it?

Now...this is more of a wager post or is that a prediction of failure post...hrm? I am sure most remember the Time Warner screw-up!? If not, you can read up on one of my previous posts on the subject, "Geez talk about a slackin ass IT department...", in which it goes on to tell the tale of an IT department that didn't apply a patch from Symantec that was almost a year old and fell victim to a worm that exploited the very vulnerability that "should have" been patched. My guess is that some IT department in the future will not heed the warning today and let this patch fly on by and do a lot of finger pointing when it is eventually exploited on their network. So, don't be a bonehead and patch it now!

Well, now Symantec has found a vulnerability in its ESM (Enterprise Security Manager) product that is susceptible to remote code execution. I am proud to say that Symantec found this in its own testing and disclosed as such, which means a lot in this time when most would just sweep under the rug any vulnerabilities that may have been found under their own testing. Well done Symantec!

You can view the affected versions of ESM and get the patch on the Symantec link below, as well as read more on the vulnerability and related articles.

- "Symantec Enterprise Security Manager™ Signature Fix" @ Symantec
- "Symantec has closed critical hole in its Enterprise Security Manager" @ Heise Security
- "Symantec Patches 'High-Risk' Bug" @ Information Week
- "Geez talk about a slackin ass IT department..." @ CTRL Zone Blog

Peeps are jumping on the bandwagon and rightfully so!

Some may remember the article I wrote about the USBCell rechargeable battery, "Pretty cool battery...". Well, it turns out that Energizer is hopping on the USB rechargeable battery tech with its own "Dock & Go" and "DUO Charger". I must admit that I actually like the fact that the market for this kind of product or technology is expanding to include the larger battery manufacturers, although USBCell is still the innovator IMO (In My Opinion).

I will include the links for this article after the Energizer pic posts of their two new products:

DUO Charger

Dock & Go

- "Pretty cool battery..." @ CTRL Zone Blog

AC troubles...DAMN and I really like their products!

For those of you that don't know...I am a huge Arctic Cooling fan! Anyhow...I have used AC CPU cooling exclusively for years, when I didn't think the CPU manufacturer fan that comes in the retail box was up to snuff. I even use their case it just seems they put out a quality product. Now...onto the seems that there is a power struggle over at AC between the founders of this company. Turns out the CEO, Magnus Huber, got a controlling interest of the company recently and decided to clean house, which includes '86ing co-founder, Gebhard Scherrer.

I hope this has no effect on the quality of products I have come to expect from AC, if it survives this struggle at all. Anyhow...WORK IT OUT GUYS...think of the children...err...the customers.

- "Company Information" @ Arctic Cooling
- "Police visit Arctic Cooling offices in Hong Kong" @ The Inquirer

Vista and backup data!

I am sure at this point with Digg and a few other sources catching onto the article "The Vista Backups That You Can't Have" over at PC Pitstop that most have heard about this backup issue that exists in Vista. If we go, if you own one of the Vista business versions (Ultimate, Business, or Enterprise) you have a utility known as "Shadow Copy" (a newer repackaged version of the "Volume Shadow Copy" technology used in XP to include user files), which allows you to restore a single file that you may have overwritten, accidentally deleted, or any other form of data loss/corruption. Sounds cool...the problem that some people are having is that...the key part of "Shadow Copy" is a tool known as "Previous Versions", which is included in all versions of Microsoft Vista, is backing up these changed files and you the user of those "Home" versions of Vista cannot restore or access this data without upgrading to Vista Ultimate for that "Shadow Copy" tool.

The biggest gripe is that if "Shadow Copy" isn't a part of the "HOME" versions, why then is "Previous Versions" still backing up this data? If half of the application is available then make the whole application available! If Microsoft insists on backing up this data regardless of the lack of access the user has to it, then we have an issue of a company holding YOUR data hostage and in my opinion...Microsoft has no right to duplicate MY data or to keep it in a form that I cannot access it. I am sure most will disagree on my proposed fix, but hey...I can take criticism. Microsoft needs to either add "Shadow Copy" to the "HOME" versions or it needs to stop these individual file backups, while retaining the Vista Restore functionality. From what I understand...Vista Restore and "Previous Versions" both utilize the "Shadow Copy" technology.

- "Shadow Copy" @ Microsoft
- "Recycle Bin not enough, Microsoft adds "Previous Versions" support on the file system level" @ ARS Technica (Old article...still applies)
- "Selected Scenarios for Maintaining Data Integrity with Windows Vista" @ Microsoft
- "Vista "Previous Versions" Feature" @ Realtime-Vista
- "Windows Vista "Time Warp": Understanding Vista's Backup and Restore Technologies" @ Channel9
- "Windows Vista File “Versioning” Feature a Security Threat" @ forever geek
- "Want Those Backed Up Files? You've Gotta Upgrade Vista" @ Gizmodo
- "All Your File Are Belong To Vista" @ Information Week
- "The Vista Backups That You Can't Have" @ PC Pitstop

Wednesday, April 11, 2007

This is the biggest WTF ever!!

OK...first let me say that I am about to quote an article, Firm's Personal Info Loss Just The Latest In A Proud Line Of Data Leaks @ Techdirt, and the odd part of that will be a big quote. After the "BIG" quote...I will give my take. Now onto the "BIG" quote:
Another day, another data leak: a CD containing the personal information of 2.9 million Georgia residents has been lost by a contractor, potentially exposing them to identity theft. Even such a big leak is hardly notable these days, except for one factor -- the disk was lost by Affiliated Computer Services, a company that's been responsible for several other data leaks. An ACS computer got stolen in Denver last November, and on it was personal information of between 500,000 and 1.4 million people in Colorado. A few months earlier, a glitch on a student-loan web site run by ACS exposed the information of 21,000 students, while earlier in the year, credit-card data from seven years' worth of customers was stolen from a system run by ACS at the Denver airport. Rounding out the list -- or at least the list of ACS-related incidents that made it into the media -- is the theft of two of the company's laptops with data on tens of thousands of Motorola employees in May 2005. This company clearly has a problem with protecting personal information, but it doesn't appear that there are ever any repercussions to these losses. It just accepts whatever minimal fines, if any, it has to pay, and paying for some credit monitoring, as a cost of doing business. The fact that these problems keep happening to ACS reflect how seriously many companies take the threat of identity theft -- which is to say, not seriously at all. But perhaps more distressing is that with the company's track record, government officials don't seem to have any problem passing ACS personal information with little to no oversight.

Now if you didn't utter the words or even think the words..."WHAT THE F(*K!" after reading are far more forgiving than me. How in the hell does this company stay in business with a track record like that. If my figures are correct in what we know, with the exclusion being that unnamed number in the 7 years of credit info and the tens of thousands number of the Motorola fiasco, they have subjected at least 4.3 million people's info to fraudulent activity or the potential of. I ask in the hell do they stay in business? I can assume that their customers care less about the security of their clients than ACS does about the data they were supposed to protect. You can't tell me that there isn't another company that can provide security for this information, as ACS has apparently failed miserably at doing so. I can't see how any other company could do worse with people's private information. For all those people that use this company for security...FIND SOMEONE ELSE, IT ISN'T WORKING AT ACS! Here I thought that you had to be competent to do something like security...apparently not...with that I might have a new career!

Tuesday, April 10, 2007

The AVG Free Anti-Rootkit...

AVG has become a more popular brand it seems in the past months. I am aware that they have been around a while and have been offering free versions of their anti-virus and anti-spyware for a while as well. More recently they have seen a growth of people using this software as people migrated to Vista...who can beat free and Vista compliant all in one fell swoop. Well, now it seems they have added yet another free tool to their the form of an anti-rootkit. Unfortunately as of my last check on the AVG Anti-Rootkit page...the system requirements do not list this tool as Vista compliant. So, for now...only Windows 2000 and XP (32-bit) users will be able to take advantage of this new application/tool.

Rootkits are defined as the following via Wikipedia:
A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system. Rootkits have their origin in relatively benign applications, but in recent years have been used increasingly by malware to help intruders maintain access to systems while avoiding detection. Rootkits exist for a variety of operating systems, such as Linux, Solaris and versions of Microsoft Windows. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules.

- AVG Anti-Rootkit @ AVG

Tuesday = Patch Day

Well another patch Tuesday is upon without further is the download list with what I hope will be a brief explanation of each:

April 2007 Security Releases ISO Image: Download
- ISO image that contains all the Windows updates that were released today. No patches for any other Microsoft products are included in this ISO.
- ISO contains the following patches:
Security Bulletins: MS07-017 MS07-019 MS07-020 MS07-021 MS07-022
Knowledge Base (KB) Articles: KB925902 KB931261 KB932168 KB930178 KB931784

Microsoft® Windows® Malicious Software Removal Tool (KB890830): Download
- Just a general update that is inline with this quote from Microsoft:
Microsoft will release an updated version of this tool on the second Tuesday of each month.

Update for Windows Mail Junk E-mail Filter [April 2007] (KB905866): Download (Requires Validation)
- This one is for Vista only!
- It is a definition update for the Junk E-mail filter.

Update for Windows XP (KB932168): Download
- This patch is for Windows XP Service Pack 2!
- This is a patch for the following vulnerability as described by Microsoft (more info HERE)
A remote code execution vulnerability exists in Microsoft Agent in the way that it handles certain specially crafted URLs.
Security Bulletins: MS07-020
Knowledge Base (KB) Articles: KB932168

There were also a few patches for the various language packs and a few other releases from yesterday. All of the released patches can be found HERE!

- Microsoft Security Bulletin Summary for April 2007 @ Microsoft
- Patch Tuesday: April 10, 2007 @ eEye

Monday, April 9, 2007

Service Pack wonders...when? and if ever?

It is amazing how the release of information can be related at times. In this case we first read about how Microsoft will not release a single large Service Pack for Vista, instead opting for smaller releases via the Windows Update Service. This whole issue was covered in a previous post here, Waiting to upgrade to Vista until the first Service Pack? Don't hold your breath!. Well now Paul Thurrott of WinSuperSite and News Editor for Windows IT Pro has made a claim in his Wininfo Short Update: Week of April 9 that states the following:
And What About Windows XP Service Pack 3?
...let's dredge up Windows XP Service Pack 3, which was delayed from 2005 to 2006 to 2007 and now to 2008. If you were looking for any glimpse into the mind of Microsoft, this is it: The company has completely abandoned Windows XP, and it has absolutely no plans to ever ship an XP SP3. My guess is that Microsoft will do what it did with the final Windows 2000 Service Pack: Claim years later that it's no longer needed and just ship a final security patch roll-up. This is the worst kiss-off to any Microsoft product I've ever seen, and you'd think the company would show a little more respect to its best-selling OS of all time.

There is I suggest you go read it...and while we are on the subject and having mentioned is Paul's take on Vista SP1:
The Truth About Vista SP1
I'm tired of Microsoft's insane posturing about Windows Vista SP1. I've written about this before, but it bears repeating. Every single time Vista SP1 comes up, some representative from Microsoft--all the way up to CEO Steve Ballmer, by the way, who has done this twice in public--acts as if the company has no idea when it will ship SP1 or what features it will include. That is not true. Microsoft will ship Windows Vista SP1 concurrently with Longhorn Server in Q3 2007 and SP1 will include a major kernel update for Vista that will bring the client OS up to speed with the version of the Windows kernel in Longhorn Server.

Again there is a lot more to this as go read up on his posts. Now both of his takes on each service pack kind of surprised me as I always assumed that Mr. Thurrott was a fanboy of Microsoft...the type that could see no wrong in anything that Microsoft does, but alas this is not the case and I thank him for saying what he has. Sometimes it takes someone with some standing in such cases as this to say something and get the majority of readers worked up to demand more from a company such as Microsoft.

As far as I am concerned, as a new fanboy of Paul Thurrott, is that he hit the nail on the head in regards to Microsoft's support strategy, the heel dragging on SP releases, and outright lying about the status of things they clearly know everything about, but deny any knowledge of these items. Why not say...yes we are releasing an actual SP1 for Vista that will have X,Y, and Z in it...and to expect this at some future date! Hell...with all those people that are waiting for this almighty service pack to Vista...why wouldn't they want to do it? I always assumed sales figures were what MS was all about? and with SP1 equaling money it is baffling this stalemate they want to promote. I might be the naive one now that I think of it...maybe they are trying to build a buzz around it...with the hopes of praise to follow just as soon as it is released. I feel kind of used all of a sudden...but we will see how this turns out on the Vista front.

Onto the XP comment by Paul...and one that I could not agree with more. Why...OH WHY...would you keep postponing the release of a much awaited service pack as the one for XP? Being the most popular, the most used around the world, and that which has so many more options in regards to working software and drivers than that of Vista...there is no sense in the heel dragging, postpones, and possible killing off of...this OS. I surely don't hope that Microsoft is wagering on muscling people into Vista...granted you would have a mass migration, but I am sure those in the migration will opt for pirated versions vs forking out the dough for a legit copy. I can also state assuredly that the backlash might be more than Microsoft would expect. Then again...this might also be another ploy of Microsoft to build up a buzz...I do hope this is the I intend to keep XP on a few machines for a while to come.

I took the benefit to post the Service Pack Road Map from Microsoft's site and the Microsoft Support Lifecycle for the various OS'.
Service Pack Road Map

| Operating System | Preceding Service Pack | Current Service Pack and Date of Availability | Next Update and Estimated Date of Availability |
|---|---|---|---|
| Windows NT Workstation & Windows NT Server 4.xx | SP5 | SP6a and SP6a SRP1 November 30, 1999 | Windows NT 4.XX is now out of support and Microsoft is no longer producing public monthly security updates or service packs.2 |
| Windows 2000 Professional & Windows 2000 Server, Advanced Server and Datacenter Server 3 | SP3 | SP4 June 26th 2003; Update Rollup #1 for SP4 June 28, 2005 | No further updates planned. Customers must be running SP4 to continue to receive monthly security updates. Microsoft recommends updating SP4 machines to Update Rollup #1 (KB891861). |
| Windows XP Home Edition | SP1 | SP2 August 6, 2004 | SP3 for Windows XP Home Edition is currently planned for 1H CY2008. This date is preliminary. |
| Windows XP Professional | SP1 | SP2 August 6, 2004 | SP3 for Windows XP Professional is currently planned for 1H CY2008. This date is preliminary. |
| Windows Server 2003 | SP1 | SP2 March 13, 2007 | To Be Determined |

Microsoft Support Lifecycle

| Products Released | General Availability Date | Mainstream Support Retired | Extended Support Retired |
|---|---|---|---|
| Windows Embedded for Point of Service | 24/05/2005 | 13/07/2010 | 14/07/2015 |
| Windows XP Embedded | 30/01/2002 | Review Note(1) | Review Note(1) |
| Windows XP Home Edition | 31/12/2001 | 14/04/2009 | 08/04/2014 |
| Windows XP Media Center Edition 2002 | 28/10/2002 | 14/04/2009 | 08/04/2014 |
| Windows XP Media Center Edition 2004 | 27/10/2003 | 14/04/2009 | 08/04/2014 |
| Windows XP Media Center Edition 2005 | 30/12/2004 | 14/04/2009 | 08/04/2014 |
| Windows XP Professional | 31/12/2001 | 14/04/2009 | 08/04/2014 |
| Windows XP Professional x64 Edition | 25/04/2005 | 14/04/2009 | 08/04/2014 |
| Windows XP Service Pack 1 | 11/07/2002 | Not Applicable(3) | Not Applicable(3) |
| Windows XP Service Pack 2 | 17/09/2004 | Review Note(2) | Review Note(2) |
| Windows XP Tablet PC Edition | 11/02/2003 | 14/04/2009 | 08/04/2014 |
| Windows XP Tablet PC Edition 2005 | 25/08/2004 | 14/04/2009 | 08/04/2014 |

**(1):Mainstream support will end two years after the next version of this product is released. Extended support will end five years after mainstream support ends.
**(2):Support ends either 12 months after the next service pack releases or at the end of the product's support lifecycle, whichever comes first. Visit the Lifecycle page to find the support timelines for your particular product.
**(3):Service Pack 1 for Windows XP was retired 10/10/2006

- "Lifecycle Supported Service Packs" @ Microsoft
- "Microsoft Support Lifecycle" @ Microsoft
- "Windows Service Pack Road Map" @ Microsoft
- "Paul Thurrott: Windows XP Service Pack 3 Not Coming" @ Neowin (comments)
- "WinInfo Short Takes: Week of April 9" @ WindowsITPro (article and comments)
- "No Windows XP Service Pack 3!" @ Keznews Forum
- "With slip, concerns that XP SP 3 will be cut" @ Network World* Great article inline with what Paul Thurrott said by Robert McMilan and was amazingly written October 26, 2006...great read!
- "Windows XP SP3 To Be Canceled" @ Softpedia (another SP3 article from last year)
- "XP SP3 canceled? Who cares!" @ IStartedSomething This dude has never had to patch several hundred machines; and doesn't understand that most corporations wait for Service Packs for the most part...aside from the major security patches.

Sunday, April 8, 2007

Asus C90...upgradeable laptop...ABOUT TIME!!!

Well folks...FINALLY...a laptop manufacturer has jumped onto the bandwagon of making it easier for people to upgrade their laptop components themselves vs getting a new one. It seems that for years I have wondered why laptop manufacturers haven't made it so "joe user" could upgrade components in laptops, as the alternative solution of buying a new laptop is just not really an option for the majority of folks that are cash strapped or just can't afford to buy a new laptop as technology changes. However, these people might be able to afford an upgrade on the component level...a processor, video card, etc...and thus still have a somewhat current machine. Way to go Asus...I wish you much success with the C90.

Now onto some of the specs on this bad boy (specs as per the article at Notebook Review "Asus C90 Customizable Notebook Hands on at Asus Headquarters (pics)"):
* Supports Intel Conroe desktop processor platform, 1.86GHz - 2.66 GHz (E6700)
* 15.4" screen
* 2.0 Megapixel camera built-in
* Bluetooth
* TV-Tuner integrated
* 8-in-1 media card reader
* 802.11n
* Graphics: NVidia (???? -- we can't tell)
* Finger Print reader
* HD-DVD and Blu-Ray drive capable
* 3 USB ports
* Piano gloss finish with inlaid pattern

Notice the first spec..."Desktop Processor Platform"...which translated means this little lady must get pretty damn hot. However, if you check out the pics in the Notebook Review article you will see that this laptop has a ton of freakin' ventholes and an obscene looking exhaust port. I am sure this dude will stay cool with everything listed before and the heatpipe cooling it appears to be using for the video, cpu, and chipset. The only drawback apparently is the battery...seems this joker will give you only 14 minutes up time under max load when it isn't suckling power from the socket. I would love to get a hands on of these things...but for now I will be content with the pictures. Check the jumps for more info!

- "Asus C90 Customizable Notebook Hands on at Asus Headquarters (pics)" @ Notebook Review
- "Hands on: Asus' Core 2 Duo-powered C90S notebook" @ Maximum PC
- "Asus C90 Will Be First User Upgradeable Lappie" @ Gizmodo

Tuesday, April 3, 2007

eEye patches Vista animated cursor flaw, much to Microsoft's dislike.

Some of you may have heard about the animated cursor flaw in Vista...which in the wrong hands can leave your machine in a crashing-restart loop. If not, here ya go...more info on the "Animated Cursor Flaw" brought to you by Betanews and the official release by Microsoft on the matter here "Microsoft Security Advisory (935423)/Vulnerability in Windows Animated Cursor Handling". Now that we are up to date on the is more info on the eEye fix for the ANI vulnerability and for the is the link to the patch (scroll to the bottom part of the page for the download)! Alternately...eEye has also added the patch or fix for this vulnerability in their Blink Security Software. These patches by eEye have left Microsoft in a precarious position...which ultimately is...saying they don't recommend using these 3rd party patches.

Now that we have all that googly doo out of the way...this whole issue has brought up an interesting possibility in the whole "Responsible Disclosure" debate and overall issue between security firms and software companies. Now the main problem between the two is how long do you wait until you publicly disclose a vulnerability after it has been discovered and reported to the developer or company. Also, there is the issue of how do you reimburse these flaw finders in an attempt to keep flaws from being traded or sold on the undernet, however that is a whole other issue. Now...on to my point...what is really keeping these security firms, other developers, or Joe Good from making their own patches for these flaws? Thus circumventing any wait, which can be exceedingly long, and closing the door on such flaws. The length of time between when a flaw is disclosed and when it is ultimately fixed is the big issue...when it can take some patches months, if not years to come to fruition. IMO...good for eEye for doing it has apparently gotten Microsoft off their ass to get this done ASAP. Funny how one company's good deed has spurred another company to actually do the right thing and fix something quickly.

- "3rd Party Patches Critical Windows Flaw" @ Betanews
- "Microsoft to Fix Critical Vista Flaw Early" @ Betanews
- "Microsoft knew of Windows .ANI flaw since December 2006" @ ZDNET BLOGS

Now the U.S. wants the keys to the Internet...WTF?

I stumbled across this article on Digg...yes I Digg...and well it was very concerning to me that the U.S. wants the keys to the Internet or put precisely as per the article entitled "Department of Homeland and Security wants master key for DNS" @ Heise Online:

"(The DHS; The Department of Homeland Security) wants to have the key to sign the DNS root zone solidly in the hands of the US government. This ultimate master key would then allow authorities to track DNS Security Extensions (DNSSec) all the way back to the servers that represent the name system's root zone on the Internet. The "key-signing key" signs the zone key, which is held by VeriSign."

This just sucks...especially when you think of the track record of the U.S.'s snooping on phones, mail, and god knows what think that they also want to have control and the ability to snoop what people are doing...well that just doesn't sit well with me. I mean if the purpose was to get the bad people in world, which equates to just about anyone by DHS standards, I would be cool. However, on the other hand...I just want the government to keep its nose out of my business and anyone else's, which is ironic as the Internet's whole purpose was a government minded one.

In any event I do hope this gets out and through public outrage this doesn't come to fruition.

- "Department of Homeland and Security wants master key for DNS" @ Heise Online
- "Homeland Security wants master Key for the Internet" @ Digg FOR COMMENTS
- "Homeland Security wants master key for the Internet" @ Infowars

Monday, April 2, 2007

Waiting to upgrade to Vista until the first Service Pack? Don't hold your breath!

I came across an interesting article at Information Week entitled "Microsoft Nixes 'Big Bang' Service Pack For Windows Vista". Now don't get the title wrong...there will be a service pack...albeit a lite one...with an undetermined date, but since Vista will rely heavily on using the Windows Update service to get its fixes in increments through time. Vista will not rely on a huge service pack to fix a huge number of problems all at once. This does make sense as seen from someone in the tech support field, as when XP had both SP1 and SP2 released there were quite a few issues when applied to a lot of machines at once...leaving the support team scrambling from pc to pc fixing any variety of issues, whereas with the trickle patching you can opt out for specific fixes that may cause issues. Windows Update is not a new service by any means...but apparently Vista will be relying on it more heavily to reduce the size of the "lite" service packs in its future.

So, if you are one of the hold outs for the first Service just might wait a year or so and surrender the dreams of an SP1 upgrade track for that of "I am upgrading on January 30th, 2008!"

As a side note...I have hammered Vista, but overall it is a nice OS...albeit I still hate UAC and some of the other security crap that is easily replaced with an open source equivalent or superior. DO IT!

- "Windows Vista Service Pack 1 Canceled?" @ Softpedia
- "There may be no point in waiting for Vista's Service Pack 1" @ Houston Chronicle
- "Forget big service packs, Vista "high quality right out of the gate," says exec" @ ARS Technica

Cool HDR picture!

This has got to be the coolest HDR pic I have seen! Check this link out for another variation on a black background!
Image hosted at Flickr and taken by Stuck in Customs
Here is another wicked HDR photo by the same photographer! Also...another version on black background here!

Image hosted at Flickr and taken by Stuck in Customs

Guess what? Another themed laptop!

Well it appears there is yet another comer to the car themed is HP and its Maybach. I am guessing this is another PC manufacturer trying to capitalize on a market of car enthusiasts, but how many real enthusiasts are there for a freakin' Maybach? The car isn't sporty...more designed for luxury than anything...but when you are looking at the Maybach price tag...why not go ahead and get a Rolls or something. I guess the same can go for this beast...if you can pay for this with its $4,000 price tag...then why not go with something proven...get an Alienware or a Falcon? In any event...this was stumbled upon over at Gizmodo in the article "HP Maybach Laptop Follows in the Skidmarks of Ferrari and Lamborghini".