Craig Burton Blog

Entries from October 2006

Secunia claims second IE 7 flaw – Network World

October 31, 2006

I understand vendor-speak. When a vendor says “there is an issue” it means “you caught us.” It’s hard to know what it is that will make this issue after issue after issue end.

Secunia claims second IE 7 flaw

By Robert McMillan, IDG News Service, 10/25/06

Just one week after claiming that users of Microsoft’s Internet Explorer 7 browser could be at risk to an online attack, Danish security vendor Secunia is reporting a new bug in the browser.

The bug allows hackers to place a fake Web address in one of the browser’s pop-up windows, and could be used to trick a victim into inadvertently downloading something from what appeared to be a trusted Web site. Secunia has described the flaw in an advisory, which can be found here.

Based on its initial investigation, Microsoft believes that there is “an issue,” a spokesman with the company’s public relations agency said in an e-mail.

Source: Secunia claims second IE 7 flaw – Network World

Categories: feature

TechEBlog » RFID Passports Flawed

October 30, 2006

More proof of the vulnerabilities of RFID. Avoid one if you can. 

RFID Passports Flawed

According to Wired, “RFID chips are passive, and broadcast information to any reader that queries the chip — thieves could collect the personal data of people as they walk down a street.” Now check out a short demonstration of a “real‐world vulnerability associated with the failure of the shielding component in the current proposed electronic passport design.” Video after the jump.

…RFID passports will now include a thin radio

Source: TechEBlog » RFID Passports Flawed

Categories: feature

BOSS Ships Micro BR Digital Recorder @ Music Gear Review

October 30, 2006

 This looks very cool. The last eight track recorder I bought cost 1500 and was the size of a TV and used analog tape.

BOSS Ships Micro BR Digital Recorder


Press Release

2006-10-28


BOSS is now shipping the new Micro BR Digital Recorder (MSRP $319.50). Meet the ultimate palmtop guitar companion and recording studio. Only slightly larger than an iPod, the tiny-yet-powerful Micro BR is a dream for anyone on the go. The Micro BR offers the ability to load and play back MP3 files, time-stretch MP3s in real time without affecting pitch, has an onboard guitar multi-effects processor, built-in rhythm patterns, and offers 32 recording tracks (V-tracks) with four simultaneous playback tracks

Source: BOSS Ships Micro BR Digital Recorder @ Music Gear Review

Categories: feature

Search and Explore Flickr with a Sketch « Rooster’s Rail

October 29, 2006

This looks very cool. I wonder what you could sketch and find? I will have to play with it a bit.

Architecture, faces, bodies, what? 

Searching the Internet for anything with a simple sketch is a technology that is in its infancy. Actually getting something useful from the results is difficult if not impossible. The current offerings of searching with drawings or sketches are suited to searching visual databases and today I found a site called retrievr.

retrievr uses the Flickr API and is implemented well. It is a search of Flickr from a sketch that you have made in a small square box. Before I go further I have to say that the quality of tools that are being developed with the Flickr API is getting better and there are some people out there creating very useful applications that are very well done. retrievr is well done in that its presentation is great and the interface is easy enough to use.

Source: Search and Explore Flickr with a Sketch « Rooster’s Rail

Categories: feature

Identity Man Video

October 29, 2006

I’ve been fiddling with an Identity Man Avatar. This is a short video of IdMan charging to the identity big bang. If you don’t know what that is, don’t worry, it won’t really be a big bang.

Categories: feature

Researchers hack RFID credit cards. Big surprise. – Engadget

October 27, 2006

Everybody knew this was coming. What are we thinking? 

Researchers hack RFID credit cards. Big surprise.

Posted Oct 23rd 2006 7:06PM by Cyrus Farivar
Filed under: Misc. Gadgets, Wireless

RFID has been riddled with so many problems, it’s amazing that anyone even has a shred of confidence in this technology at all. Our latest security problem du jour is that credit card companies are apparently issuing plastic that relays your digits wirelessly; as you might have guessed, security researchers are checking into this, and in a demonstration for The New York Times, easily hacked a University of Massachusetts computer science professor’s newfangled RFID credit card. In short order (and with his permission), a researcher working with RSA Labs was able to steal the professor’s name and credit card number that was being transmitted in cleartext — thereby poking massive holes in Visa, MasterCard and American Express’ claims that these cards include “the highest level of encryption allowed by the U.S. government.” Predictably, the credit card companies have already dismissed claims that the populace will be greatly affected by this hack. Brian Triplett, senior vice president for emerging-product development for Visa, told the Gray Lady: “This is an interesting technical exercise, but as a real threat to a consumer – that threat really doesn’t exist.” Well, Brian, care to put your plastic where your mouth is?
[Via TechDirt]

Source: Researchers hack RFID credit cards. Big surprise. – Engadget

Categories: Uncategorized

Welcome to the Microsoft Security Response Center Blog! : Information on Reports of IE 7 Vulnerability

October 20, 2006

Amazing. The FUD around the browser and vulnerabilities is intense. It takes a programmer/technologist to really know. The rest is hype. 

Information on Reports of IE 7 Vulnerability

Hi, this is Christopher Budd.

We’ve gotten some questions here today about public reports claiming there’s a new vulnerability in Internet Explorer 7. This is an issue that we have under investigation and so we have some technical information we can share about the issue.

These reports are technically inaccurate: the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all. Rather, it is in a different Windows component, specifically a component in Outlook Express. While these reports use Internet Explorer as a vector the vulnerability itself is in Outlook Express.

While we are aware that the issue has been publicly disclosed, we’re not aware of it being used in any attacks against customers.

We do have this under investigation and are monitoring the situation closely and we’ll take appropriate action to protect our customers once we’ve completed the investigation.

I hope that helps to clarify.

Christopher

Source: Welcome to the Microsoft Security Response Center Blog! : Information on Reports of IE 7 Vulnerability

Categories: feature

Identity 2.0 » Yahoo’s Identity Silo

October 19, 2006

Dick nailed this one. What a yawner of an announcement. Visionaries my ass. 

Yahoo has joined Google’s silo building by releasing BBAuth, a mechanism for other sites to access services and data within the world of Yahoo.

Unlike Google’s Account Authentication, Yahoo is allowing their service to be used for SSO and registration.

BBAuth is clearly targeted at Web 2.0 site developers, encouraging them to build apps on the Yahoo platform so that they get access to all those Yahoo users. While I understand how this helps Yahoo strengthen their relationship with their users, it would seem Yahoo did not learn what Microsoft learned with Passport, as Yahoo is deepening their identity silo, rather than participating in the emerging identity infrastructure.

Source: Identity 2.0 » Yahoo’s Identity Silo

Categories: feature

In less than 24 hours an IE7 hole is found!

October 19, 2006

 Hard to believe. This is a persistent lot.

Secunia Advisory: SA22477
Release Date: 2006-10-19
Critical: Less critical
Impact: Exposure of sensitive information
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 7.x


Description:
A vulnerability has been discovered in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information.
The vulnerability is caused due to an error in the handling of redirections for URLs with the “mhtml:” URI handler. This can be exploited to access documents served from another web site.
Secunia has constructed a test, which is available at:
http://secunia.com/Internet_Explorer_Arbitrary_Content_Disclosure_Vulnerability_Test/
Secunia has confirmed the vulnerability on a fully patched system with Internet Explorer 7.0 and Microsoft Windows XP SP2. Other versions may also be affected.

Source: Internet Explorer 7 “mhtml:” Redirection Information Disclosure – Advisories – Secunia

Categories: Uncategorized

Onerous Vista Activation—A Time Bomb?

October 18, 2006

Some bright engineering person at the behest of Ray Noorda decided NetWare needed a “keycard” for every version of NetWare. Each key card had to be burned to match the NetWare serialization. Then, a glob of epoxy was gooped on the security chip to make sure the serial number couldn’t be lifted from the chip.

I am not kidding you. This is what the thinking was at the time. It took me more than two years–still under the expectancy of rapid fall into bankruptcy–to get rid of the damn keycard. Sales quickly went through the roof and support costs through the floor.

Ubiquity is a funny thing. You can’t force it, you’ll kill it. Msft is going to learn this the hard way and only give impetus to Apple and Linux distributions. Sometimes you gotta wonder.

Onerous Vista Activation—A Time Bomb?
10.16.06
Do we really need Windows Genuine Advantage?

By John C. Dvorak

There has been a lot of chatter recently over some of the newer activation and validation schemes that Microsoft may or may not implement with its new Vista operating system. Nobody at Microsoft is saying much, and a lot of bloggers and pundits are all over these alleged schemes, calling them bad news for users. I personally see these developments as bad news for Microsoft, especially if what I’m about to outline actually happens

Source: Columns by PC Magazine: Onerous Vista Activation—A Time Bomb?

Categories: feature