Archive for Software

New Evidence Links a 20-Year-Old Hack on the US Government to a Modern Attack Group

The artifacts they found on Hedges’ server provide an interesting look at the group’s early operations, showing how they improved their code and methods over time, if indeed they are the group now known as Turla.

“It’s almost like archaeology; you can see the evolution of tradecraft,” Rid told Motherboard. “There was a lot of handiwork involved. They didn’t really use automated command-and-control at the time; they actually had to log in and move data around [manually].”

The Moonlight Maze group stripped away components that didn’t work and combined tools that did to make them more potent. And unlike modern hacking operations that use a lot of automated scripts, the Moonlight Maze operators did everything in real time. They would log in to Hedges’ server in the morning and manually set up tasks to tell their malware what to do, which got populated out to all the infected machines on DoD and government networks that they controlled.

“This is hacking in the 90s, so it looks very different from what we’re used to in modern operations,” Guerrero-Saade said.

Source: New Evidence Links a 20-Year-Old Hack on the US Government to a Modern Attack Group – Motherboard

Google Brain’s Co-Inventor Tells Why He’s Building Chinese Neural Networks

To chat with Andrew Ng I almost have to tackle him. He was getting off stage at Re:Work’s Deep Learning Summit in San Francisco when a mob of adoring computer scientists descended on (clears throat) the Stanford deep learning professor, former “Google Brain” leader, Coursera founder and now chief scientist at Chinese web giant Baidu.

[snipped]

Um, can you elaborate on studying time?

By moving your head, you see objects in parallax. (The idea being that you’re viewing the relationship between objects over time.) Some move in the foreground, some move in the background. We have no idea: Do children learn to segment out objects, learn to recognize distances between objects because of parallax? I have no idea. I don’t think anyone does.

There have been ideas dancing around some of the properties of video that feel fundamental but there just hasn’t yet been that result. My belief is that none of us have come up with the right idea yet, the right way to think about time.

Animals see a video of the world. If an animal were only to see still images, how would its vision develop? Neuroscientists have run experiments in cats in a dark environment with a strobe so it can only see still images—and those cats’ visual systems actually underdevelop. So motion is important, but what is the algorithm? And how does [a visual system] take advantage of that?

I think time is super important but none of us have figured out the right algorithms for exploring it.

[That was all we had time for at the Deep Learning Summit. But I did get to ask Ng a followup via email.]

Do you see AI as a potential threat?

I’m optimistic about the potential of AI to make lives better for hundreds of millions of people. I wouldn’t work on it if I didn’t fundamentally believe that to be true. Imagine if we can just talk to our computers and have it understand “please schedule a meeting with Bob for next week.” Or if each child could have a personalized tutor. Or if self-driving cars could save all of us hours of driving.

I think the fears about “evil killer robots” are overblown. There’s a big difference between intelligence and sentience. Our software is becoming more intelligent, but that does not imply it is about to become sentient.

The biggest problem that technology has posed for centuries is the challenge to labor. For example, there are 3.5 million truck drivers in the US, whose jobs may be affected if we ever manage to develop self-driving cars. I think we need government and business leaders to have a serious conversation about that, and think the hype about “evil killer robots” is an unnecessary distraction.

Read full interview via Google Brain’s Co-Inventor Tells Why He’s Building Chinese Neural Networks — Backchannel — Medium.

DARPA to hunt for space and time vulnerabilities of software algorithms

In the endless chess game of cybersecurity, the Defense Advanced Research Projects Agency wants to think a few moves ahead, with a new program that will search for revolutionary ways to deal with vulnerabilities inherent in software algorithms.

When defensive techniques close off one vulnerability, hackers inevitably move on to the next. They have exploited flawed implementations of algorithms for several years, the agency said, but as implementation defenses improve, hackers will move on to flaws in the algorithms themselves. So the agency’s Space/Time Analysis for Cybersecurity (STAC) program wants to identify vulnerabilities in software algorithms’ space and time resource usage, according to a presolicitation. These vulnerabilities, inherent to many types of software, can be used to carry out denial of service attacks or steal information.

For instance, hackers can deny service to users by inputting code that causes one part of a system to consume space and time to process that input—potentially disabling the entire system. Also, hackers indirectly observing the space and time characteristics of output could potentially deduce hidden information. Adversaries with adequate knowledge of these “side-channels” could then obtain secret information without direct observation.

The primary problem presented by these vulnerabilities is that they are inherent in algorithms themselves, DARPA said. Thus, they cannot be mitigated through traditional defensive techniques.

Instead, the STAC program is looking at new program analysis techniques that could allow analysts to find those vulnerabilities and predict where leaks and denial of service might be possible. These new techniques and tools would enable a methodical search for vulnerabilities in critical government, military and economic software.

via DARPA to hunt for space and time vulnerabilities of software algorithms — Defense Systems.

University research dollars poured into developing a Holodeck

It may seem like this would be an early April Fool’s joke, but the image above shows serious research in action. [Ben Lang] recently had the chance to interview the director of a program that wants to make the Holodeck a reality. The core goal of the research — called Project Holodeck — is to develop an affordable multi-player virtual reality experience outside of the laboratory. We’ve heard speculation that Sony and Microsoft will release their next-gen systems in 2013; we’d rather wait for this to hit the market.

[Nathan Burba] is the director of the program. It’s part of the University of Southern California Games Institute and brings together students of Interactive Media, Cinema Arts, and Engineering. The hardware worn by each player is shown off at the beginning of the video after the break. Most of the components are commercially available (a Lenovo laptop worn in the backpack, PlayStation controllers, etc.) but the stereoscopic display which gives each eye its own 90-degree view was developed specifically for the project.

After seeing the in-game rendered footage we can’t help but think of playing some Minecraft with this equipment. We just need some type of omni-directional treadmill because our living room floor space is very limited.

via University research dollars poured into developing a Holodeck.

www.projectholodeck.com

Silent Circle: Mike Janke’s iPhone app makes encryption easy, governments nervous.

Lately, Mike Janke has been getting what he calls the “hairy eyeball” from international government agencies. The 44-year-old former Navy SEAL commando, together with two of the world’s most renowned cryptographers, was always bound to ruffle some high-level feathers with his new project—a surveillance-resistant communications platform that makes complex encryption so simple your grandma can use it.

This week, after more than two years of preparation, the finished product has hit the market. Named Silent Circle, it is in essence a series of applications that can be used on a mobile device to encrypt communications—text messages, plus voice and video calls. Currently, apps for the iPhone and iPad are available, with versions for Windows, Galaxy, Nexus, and Android in the works. An email service is also soon scheduled to launch.

The encryption is peer to peer, which means that Silent Circle doesn’t centrally hold a key that can be used to decrypt people’s messages or phone calls. Each phone generates a unique key every time a call is made, then deletes it straight after the call finishes. When sending text messages or images, there is even a “burn” function, which allows you to set a time limit on anything you send to another Silent Circle user—a bit like how “this tape will self destruct” goes down in Mission: Impossible, but without the smoke or fire.

Silent Circle began as an idea Janke had after spending 12 years working for the U.S. military and later as a security contractor. When traveling overseas, he realized that there was no easy-to-use, trustworthy encrypted communications provider available to keep in touch with family back home. Cellphone calls, text messages, and emails sent over the likes of Hotmail and Gmail can just be “pulled right out of the air,” according to Janke, and he didn’t think the few commercial services offering encryption—like Skype and Hushmail—were secure enough. He was also made uneasy by reports about increased government snooping on communications. “It offended what I thought were my God-given rights—to be able to have a free conversation,” Janke says. “And so I began on this quest to find something to solve it.”

via Silent Circle: Mike Janke’s iPhone app makes encryption easy, governments nervous. – Slate Magazine.

Windows XP: The OS that won’t die?

And from the LOL dept.

Microsoft has had to create a new build of Windows XP Professional for computer makers because the six-year-old operating system’s continued popularity has nearly exhausted the supply of product activation keys.

The new build, dubbed SP2c, includes no fixes or feature changes, but was created simply to address the shrinking pool of product keys. XP Pro SP2c, which has been released to manufacturing, will be made available to OEMs and system builders next month, said Microsoft.

“Due to the longevity of Windows XP Professional, it has become necessary to produce more product keys for system builders in order to support the continued availability of Windows XP Professional through the scheduled system builder channel end-of-life (EOL) date,” wrote the Microsoft system builder team on its blog Thursday.

Previously, Microsoft has set Windows XP’s EOL for retailers and OEMs (original equipment manufacturers) as Jan. 31, 2008, and for small-scale systems builders a year after that.

New Zealand PC World Magazine > Windows XP: The OS that won’t die?

First pirated HD DVD movie hits BitTorrent

Ars Technica – First pirated HD DVD movie hits BitTorrent

The pirates of the world have fired another salvo in their ongoing war with copy protection schemes with the first release of the first full-resolution rip of an HD DVD movie on BitTorrent. The movie, Serenity, was made available as a .EVO file and is playable on most DVD playback software packages such as PowerDVD. The file was encoded in MPEG-4 VC-1 and the resulting file size was a hefty 19.6 GB.

This release follows the announcement, less than a month ago, that the copy protection on HD DVD had been bypassed by an anonymous programmer known only as Muslix64. The open-source program to implement this was called BackupHDDVD and was released in a manner designed to put the onus of cracking on the user, not the software. To extract an unencrypted copy of the HD DVD source material required obtaining that disc’s volume or title key separately, which the software did not do. However, a key was later released on the Internet, and a method for extracting further keys is allegedly available as well. [More]

Build a Web spider on Linux

IBM: Build a Web spider on Linux

Web spiders are software agents that traverse the Internet gathering, filtering, and potentially aggregating information for a user. Using common scripting languages and their collection of Web modules, you can easily develop Web spiders. This article shows you how to build spiders and scrapers for Linux® to crawl a Web site and gather information (stock data, in this case).

A spider is a program that crawls the Internet in a specific way for a specific purpose. The purpose could be to gather information or to understand the structure and validity of a Web site. Spiders are the basis for modern search engines, such as Google and AltaVista. These spiders automatically retrieve data from the Web and pass it on to other applications that index the contents of the Web site for the best set of search terms.

Similar to a spider, but with more interesting legal questions, is the Web scraper. A scraper is a type of spider that targets specific content from the Web, such as the cost of products or services. One use of the scraper is for competitive pricing, to identify the price of a given product to tailor your price or advertise it accordingly. A scraper can also aggregate data from a number of Web sources and provide that information to a user. [Read more]

Which Vista Is the Right Vista?

eWeek: Which Vista Is the Right Vista?

Eventually, we’re going to see Vista come out. Yes, I know, even at this late date, Vista is still getting unexpected delays—it was set to go to manufacturing Oct. 25, but it’s not going to make it—but it is on its way.

My question, though, is: What version will actually work for you come that day?

With six different versions, the potential for buying the wrong version for the job has just gone up. Buy too low and you don’t get the functionality you need. Or, buy too high, and you get some office “functionality,” like the Game Performance Tweaker that you really don’t need.

Let me start, though, by looking at what’s not in Vista. No, I’m not talking over long-lost Vista features like the WinFS or the Next-Generation Secure Computing Base. I’m talking about XP features that aren’t in Vista.

Some of them are minor. I mean, does anyone still use the gopher Internet protocol?

Some of the old features, however, are major departures. For example, Windows Messenger, the XP IM client, is history. There is a link to download Windows Live Messenger, the IM client formerly known as MSN Messenger, but it’s not the same thing. NetMeeting, the VOIP (voice over IP), desktop sharing and videoconferencing client, is also going bye-bye. It’s being replaced by Windows Meeting Space. I know many businesses, and third-party applications, that are using Windows Messenger and NetMeeting together all the time for such purposes as IM discussions over a whiteboard or Web conferencing. I foresee a lot of grief for enterprises that have made these uses central to their business.

I can also see great pain ahead for anyone who’s foolish enough to buy Windows Vista Starter.

In theory, you won’t be able to buy it in the United States. In practice, I know there will be gray-market copies of it for sale in the States at unbelievable prices. I can think of nothing of any value in Starter for any user. You would be better off running Windows 98. I’m not joking. I could go on and on about this ridiculous bottom-feeder version of Vista, but I can sum it up with two of its “features.” It can only access 256MBs of RAM, and you can only run three applications on it at a time. This isn’t a 21st-century operating system. It’s a bad joke even as a 20th-century one. Windows Vista Home Basic is better. It’s not completely crippled the way Starter is. At the same time, it’s not much of a home operating system, and it’s a flop for businesses.

For instance, what is Vista’s one feature that has people talking? The answer: Vista’s eye-candy, the Aero Glass interface and all of its translucent, 3D prettiness.

Guess what, it’s not in Starter and it’s not in Basic either. You also won’t find such home favorites as DVD Video Authoring.
[Full Article_3pgs]

One More Release Before Windows Vista Goes Gold

eWeek – Just One More Release Before Windows Vista Goes Gold

That build will be made available to a limited group of between 50,000 and 100,000 testers in October, and follows the interim Vista build that Microsoft released on Sept. 22.

Goldberg declined to say if this final test build would be known as Release Candidate 2, adding that the company is focused, from an engineering perspective, on targeting the group of testers from whom it most wants one last set of feedback.

Goldberg, who was on a cross-country tour in late September designed to get the message out about the business value and benefits that Vista brings, also said Vista is on track for availability to businesses via volume licensing in November, with broad general availability to consumers set for January 2007. [Read on]

Hacker Discovers Adobe PDF Back Doors

eWeek-Security: Hacker Discovers Adobe PDF Back Doors

A British security researcher has figured out a way to manipulate legitimate features in Adobe PDF files to open back doors for computer attacks.

David Kierznowski, a penetration testing expert specializing in Web application testing, has released proof-of-concept code and rigged PDF files to demonstrate how the Adobe Reader program could be used to launch attacks without any user action.

“I do not really consider these attacks as vulnerabilities within Adobe. It is more exploiting features supported by the product that were never designed for this,” Kierznowski said in an e-mail interview with eWEEK.

The first back door (PDF), which eWEEK confirmed on a fully patched version of Adobe Reader, involves adding a malicious link to a PDF file. Once the document is opened, the target’s browser is automatically launched and loads the embedded link.

“At this point, it is obvious that any malicious code [can] be launched,” Kierznowski said. [Read on]

Mozilla Patches Critical Firefox, Thunderbird Flaws

eWeek-Security: Mozilla Patches Critical Firefox, Thunderbird Flaws

Microsoft’s Internet Explorer isn’t the only Web browser with serious security issues.

Mozilla on Sept. 15 shipped a “highly critical” Firefox update to correct a range of security flaws that could lead to security bypass, cross-site scripting, spoofing, denial-of-service and system access attacks.

The open-source group patched a total of seven vulnerabilities in its flagship browser and warned that the majority of the flaws could be exploited to run attacker code without any user interaction beyond normal Web browsing.

Since releasing Firefox 1.5 in November 2005, Mozilla has patched 59 security vulnerabilities in the browser, more than half rated by the company as “critical.”

The most serious bug fixed in the Firefox 1.0.7 update is an error in the handling of JavaScript. This can be exploited to cause a heap-based buffer overflow to execute arbitrary code without user action. [Read on]

Exploit Posted for New IE Zero-Day

eWeek-Security: Exploit Posted for New IE Zero-Day

Security researchers in China have published detailed exploit code for a new zero-day vulnerability in Microsoft’s dominant Internet Explorer browser.

The exploit, which was posted to XSec.org and Milw0rm.com Web sites, could be easily modified to launch code execution attacks without any user action on fully patched Windows machines.

A spokesman for the MSRC (Microsoft Security Response Center) said the company is investigating the latest warning, which adds to a list of known high-risk vulnerabilities that remain unpatched.

According to notes embedded in the exploit code, the flaw is a COM Object heap overflow that was tested and confirmed on Chinese-language versions of IE 6.0 running on Windows XP SP2 and Windows Server 2000 SP4.

Malicious hackers typically use code execution browser bugs to launch drive-by attacks to load Trojans, bots and other forms of malware on Windows computers. [Read on]