November 7, 2007

Yahoo Messenger, QuickTime top list of most vulnerable Windows apps

November 2nd, 2007

Posted by Ryan Naraine @ 8:35 am

Software products marketed by Yahoo and Apple have topped the list of the most vulnerable Windows-based applications in 2007, according to endpoint security vendor Bit9.

The list, available here (registration required), focuses on popular, widely deployed Windows programs that are often very difficult for an IT department to locate or patch and, as Bit9 explains, “represent unexpected and unquantified vulnerabilities in an enterprise IT environment.”

Yahoo’s standalone IM client, which has been riddled with security holes all year, is #1 on the list. The buggy Yahoo Widgets software also makes an appearance at number 9.

Apple’s QuickTime media player and iTunes music download software also feature high on the list.

Strangely, Microsoft does not feature heavily on the Bit9 list. In fact, a Microsoft product appears only once on the list — Windows Live MSN Messenger at #4.

The Bit9 explanation:

The reason most Microsoft software doesn’t make the list is because by now most companies have a pretty good process in place for identifying, patching, and fixing vulnerable Microsoft software. The same cannot be said for apps like Firefox, iTunes, and other packages.

That does make sense but it’s hard to imagine Internet Explorer 6, the world’s most widely used — and heavily targeted — browser, not making an appearance on this list.

I could also make the argument that Microsoft Word, which has struggled with zero-day attacks and multiple code execution holes, should be high on any list of most-vulnerable Windows apps.

Here’s the top-ten from Bit9:

  1. Yahoo! Messenger 8.1.0.239 and earlier
  2. Apple QuickTime 7.2
  3. Mozilla Firefox 2.0.0.6
  4. Microsoft Windows Live (MSN) Messenger 7.0, 8.0
  5. EMC VMware Player (and other products) 2.0, 1.0.4
  6. Apple iTunes 7.3.2
  7. Intuit QuickBooks Online Edition 9 and earlier
  8. Sun Java Runtime 1.6.0_X
  9. Yahoo! Widgets 4.0.5 and previous
  10. Ask.com Toolbar 4.0.2.53 and previous

As I always recommend for Windows users, be sure to scan your system for security holes and apply all the necessary patches. Secunia’s free Web-based software inspector is a great place to start. A downloadable version is also available.

Picture Perfect Envelopes

Do you print a lot of envelopes with your MS Word documents?

Ever wonder how to dress up your envelope with a picture or business logo?

If you're thinking that might be a wonderful way to give your mailings that extra "punch," you're in the right place, because that's exactly what we're going to discuss today!

So, let's get down to business of turning this:

Into this:

Or, any design that suits your needs (or your mood of the moment).

In older versions of MS Word, you need to begin in the ever handy Envelopes and Labels window (Tools menu, Envelopes and Labels choice).

In Word 2007, you need to go to the Mailings ribbon and click the Envelopes button on the far left.

Once in that window, enter your delivery and return addresses as normal and then click on the Add to Document button.

You will then be returned to your document, but with one major difference. You should see an envelope at the top of your document (before the first page).

If you don't see the envelope, you probably aren't in the Page Layout or Print Layout view (the name depends on the version of Word you're using). To switch your view, go to the View menu/ribbon and select the correct view.

Now, you can click into the envelope and use the Insert menu/ribbon, Picture choice to insert the picture you'd like to use (you know, the exact same thing you'd do in any document).

It can be moved, resized, etc. just like clipart in all Word files. Right clicking on the picture will allow you to adjust its properties in the Format Picture choice. (I found that I had to change the wrapping style and text alignment to get the text to start next to the top of the picture, instead of the bottom).

You can also highlight the addresses to change the font or text content, using the menus the same as you would for any Word document.

Now, I find it useful to have an envelope saved in a blank document. That way, I can simply keep changing the delivery address on the envelope. (For printing just the envelope, I make sure I've got the cursor on the envelope and I then choose Current Page in the Print window).

This method will really allow you to spice up your envelopes. So, go on, be creative and have fun!

U of Oregon fights RIAA subpoenas

Posted by Richard Koman @ November 2, 2007

The fight against the RIAA seems to be lining up some serious firepower. The University of Oregon and the state’s attorney general are asking a federal judge to quash a subpoena issued by the recording industry seeking the names of 17 unidentified UO students, says Ars Technica.

The RIAA’s investigator, SafeNet, flagged IP addresses which resolved to accounts at the university. The U refused to deliver RIAA’s prelitigation letter, which presumably made the standard offer of “pay us four figures or we’ll turn you into Jammie Thomas.” The result: the lawsuit and the ex parte subpoena for the names.

So what gives? Why are state institutions dragging their feet on the RIAA’s attempts to identify their prey? The school has several issues:

  • It can’t identify 16 of the 17 students without conducting interviews or doing forensic investigations, according to Dale Smith, director of network services. Nine of the students accessed a P2P net from the school’s wireless network. Smith testified that he can’t determine “whether the content was accessed by the individual assigned that user name or by someone else using the computer associated with the user name.”
  • More importantly, the AG’s office says the RIAA is engaging in unethical behavior towards the court. Despite the fact that deputy AG Randolph Geller told RIAA counsel Katheryn Coggon that the school would preserve all the relevant data, the RIAA said in its subpoena request that there was a “very real danger the ISP will not long preserve” the data it wanted.

    Having just taken the California Bar’s professional responsibility exam I can tell you such a misrepresentation could result in disciplinary action, IMO.

    Since it would take so much effort to ID the students, the RIAA is essentially shifting its own investigatory burden onto the state.

    “In short, the subpoena requires the University to create discoverable material to assist Plaintiffs in their litigation rather than merely disclose existing documents,” argues the school, citing case law that indicates that non-parties “are not required to create documents that do not exist, simply for the purposes of discovery.”

    Critically, says the Electronic Frontier Foundation, the school argues that the DMCA is the appropriate procedure for the RIAA to identify John Does.

    The last argument, if accepted by the court, could radically change the nature of the RIAA’s 4-year litigation campaign against music fans. Currently, the recording industry’s strategy relies on pressuring universities into handing over student targets, either by having the university deliver “pre-litigation settlement letters” to students or, failing that, forcing universities to respond to subpoenas obtained after filing a “John Doe” lawsuit. If these avenues are blocked, the recording industry would have to undertake its own investigatory efforts to determine who to sue.

    Whether the university wins or loses its effort, it’s nice to see it standing up on behalf of its students, rather than simply giving in to recording industry demands.

Thanks to BitTorrent, Net neutrality debate reignites

By Marguerite Reardon, News.com

Published on ZDNet News: Nov 2, 2007 1:34:00 PM

The controversial issue of Net neutrality is surfacing again amid allegations that phone companies and cable operators are throttling BitTorrent traffic and perhaps even censoring politically charged language.

Net neutrality, as it's often called, is the principle that all content transmitted over a cable or a phone company's network be treated equally and without preference. Last year, several consumer groups and Internet companies banded together to lobby Congress to pass a law to protect this principle. But those attempts failed.

Now Net neutrality is back in the political spotlight after a string of potential abuses has come to light. Last month, the Associated Press reported that it had carried out experiments across the country proving that Comcast prevented some users from uploading content to peer-to-peer networks including BitTorrent. Comcast disputed the results.

Over the summer, during a Webcast of the Lollapalooza concert in Chicago, AT&T bleeped portions of the Pearl Jam song "Daughter," in which singer Eddie Vedder altered lyrics to include anti-Bush sentiments. Other bands had also been censored on AT&T's Webcasts, including the John Butler Trio and Flaming Lips. AT&T admitted that these remarks had been deleted, but the company said these were mistakes made by an overzealous contractor hired to monitor the performances for obscene language.

Cell phone companies have also been accused of limiting access to their networks. In September, Verizon Wireless denied a request from an abortion rights group to use its mobile network for a new text-messaging campaign. After The New York Times wrote an article about the denial, Verizon changed its mind.

The Net neutrality issue has even crept into the 2008 presidential race with Sen. Barack Obama publicly saying earlier this week that the issue would rank high on his list of priorities in the first year of his administration. Obama added he would make Net neutrality support among appointed Federal Communications Commissioners a priority.

"The broadband market is really at an inflection point," said Tim Wu, a professor at Columbia University Law School and a supporter of Net neutrality legislation. "And it's important to establish laws now because it will essentially set the ground rules for how the market will play out in the future."

Some supporters of Net neutrality claim that a 2005 Supreme Court decision that changed the regulatory environment for DSL and cable modem service gave too much freedom and control to the Internet service providers.

In the Brand X case the court refused to recognize cable modem service as a "telecommunications" service. Instead, it classified it as an "information" service. This ruling meant that cable operators were not bound to a requirement in the telecommunications service regulation that forced phone companies to provide open access to competitors on their networks. To keep cable and phone companies on equal footing, the FCC changed the classification of DSL service to also be an information service.

Net neutrality supporters say that this change in regulation gives cable operators and phone companies too much control over what applications and content travel across their networks. Large phone companies and cable operators, however, say that no new laws or regulations are needed to explicitly grant protection for Net neutrality. Instead, they believe that a free market is the best protection against abuse. FCC Chairman Kevin Martin agrees that no new regulation is needed.

But Net neutrality supporters point to these recent incidents as evidence that something needs to be done. The most glaring accusation of abuse is against Comcast, which critics say is filtering and blocking BitTorrent peer-to-peer file-sharing traffic. Sites that use the protocol have been targeted by the movie industry to stop the illegal distribution of copyrighted video. But there are also many legal uses of BitTorrent.

The problem for broadband operators is the protocol eats up huge amounts of bandwidth. To keep their networks moving smoothly, operators have installed equipment from companies such as Sandvine and Ellacoya that inspects packets to identify the type of application being used. Based on policies established by the provider, the traffic can be blocked or limited.

Earlier this year, bloggers noted that BitTorrent sessions appeared to be targeted and blocked by Comcast's service. Comcast repeatedly denied these claims. The Associated Press did its own test and reported last month that several Comcast broadband connections using BitTorrent had been slowed or blocked.

The SavetheInternet.com coalition, along with professors from Yale, Harvard, and Stanford law schools, have filed a complaint and petition with the FCC against Comcast asking the agency to take immediate action to stop Comcast's practices.

Comcast still denies claims that it is blocking any traffic. "Comcast does not, has not, and will not block any Web sites or online applications, including peer-to-peer services, and no one has demonstrated otherwise," David L. Cohen, executive vice president for Comcast, said in a statement. "We engage in reasonable network management to provide all of our customers with a good Internet experience, and we do so consistently with FCC policy."

A Comcast representative said when it detects congestion in the network due to peer-to-peer traffic such as BitTorrent, it slows down that traffic in the network to make room for other kinds of traffic like Web surfing. The management mechanism is only used for the BitTorrent or other peer-to-peer traffic that is causing the congestion.

But in its filings, the SavetheInternet.com Coalition contends that the way in which Comcast manages its network deceives consumers and also violates the open-access principles outlined by the FCC.

Specifically, the group claims that Comcast is using a technique called "spoofing" to slow down or block the BitTorrent traffic. The way it works is that after a BitTorrent session has been established, Comcast interrupts the session like an operator interrupting a phone call who informs both parties that the connection has been disconnected. But instead of breaking into the connection as Comcast, the company pretends to be a customer participating in the BitTorrent session who is simply ending the session.
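A session end forged by a device in the middle of the path tends to leave traces at the endpoint, and the following added example (not part of the original article) checks a packet trace for two of them. It assumes the forged teardown is carried as a TCP reset segment, which the article does not spell out; the trace, addresses and function name are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample trace (not a real capture), as seen at the local client.
# Fields: (time_s, src, dst, tcp_flags, ip_ttl); documentation-range addresses.
TRACE = [
    (0.00, "192.0.2.10", "198.51.100.7", "S", 64),
    (0.08, "198.51.100.7", "192.0.2.10", "SA", 49),
    (0.08, "192.0.2.10", "198.51.100.7", "A", 64),
    (0.20, "198.51.100.7", "192.0.2.10", "PA", 49),
    (0.31, "198.51.100.7", "192.0.2.10", "PA", 49),
    (0.35, "198.51.100.7", "192.0.2.10", "R", 59),   # claims to come from the peer
    (0.40, "198.51.100.7", "192.0.2.10", "PA", 49),  # yet the peer keeps sending
]

def find_suspect_resets(trace, ttl_tolerance=2):
    """Flag RST segments that probably did not come from their claimed sender."""
    # Baseline: TTLs of ordinary (non-RST) packets per direction of the flow.
    baseline = defaultdict(list)
    for _, src, dst, flags, ttl in trace:
        if "R" not in flags:
            baseline[(src, dst)].append(ttl)

    suspects = []
    for i, (t, src, dst, flags, ttl) in enumerate(trace):
        if "R" not in flags:
            continue
        reasons = []
        seen = baseline.get((src, dst))
        # Signal 1: a device elsewhere on the path is a different hop count away.
        if seen and abs(ttl - median(seen)) > ttl_tolerance:
            reasons.append("ttl-mismatch")
        # Signal 2: a host that really ended the session stops sending data.
        later = trace[i + 1:]
        if any(s == src and d == dst and "P" in f and "R" not in f
               for _, s, d, f, _ in later):
            reasons.append("data-after-reset")
        if reasons:
            suspects.append({"time": t, "claimed_src": src,
                             "ttl": ttl, "reasons": reasons})
    return suspects

if __name__ == "__main__":
    for hit in find_suspect_resets(TRACE):
        print(hit)
```

Both signals are heuristics: a route change can shift the TTL and segments already in flight can arrive after a genuine reset, so a hit is a lead for packet-level review rather than proof.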

Net neutrality supporters say neither Comcast nor any other service provider should selectively limit any particular type of traffic. "No one is suggesting that there is no room for bandwidth management," Wu said. "But right now the operators can pick and choose the applications they want on their networks."

Simple quality-of-service networking technologies that limit the amount of bandwidth that each individual user gets could be the answer to this problem, say experts. But Wu believes the issue is not really about bandwidth management. It's about who controls the Internet.

"The whole Net neutrality issue is really about a power struggle," he said. "It all comes down to a scenario where the phone companies and cable operators want to call all the shots about which applications enter the market. And while that may be good for them, I'd argue it's very bad for the country."
