Microsoft has tried to combat the problem by building a variety of safeguards into its operating systems and its Internet Explorer browser, with mixed success. The User Account Control feature of Windows Vista, which popped up an endless stream of warnings that irritated users, proved to be one of the key factors in the poor reception for Vista. Last week in Los Angeles, the company said it had entirely reworked the user interface of its new Windows 7 operating system to minimize user frustration.

A zero-day patch is a security alert that's been issued for some major, Internet-threatening bug, one that's so serious that they give people zero days of warning. It means the bad guys know about it. It's so bad that it needs to be fixed right away, I get that. But do you think IT departments are staffed for one zero-day patch over another?

Of course not. Your infrastructure doesn't scale, but who cares? And why pay for all that automation? We have people here. Or in Bangalore, or somewhere. But when an operation takes 10 minutes per machine, multiplied by hundreds of servers and thousands of workstations for millions of customers ... well, I'll get complaints about the overtime charges, but my managers already told me they didn't want to pay to configure the automated solution. See? I can't win, even if Arista replaces every Cisco box on the network.

The bright side: This morning, I worried I'd be out of a job by noon. Thanks to Microsoft, I now have another life-or-death upgrade to install. I'll do it this weekend. I may not have a family life, but I have a job.

I happened to be in Tel Aviv when Tenenbaum turned himself in to Israeli authorities on the day he was set to report for compulsory military service — he was treated as something of a national hero, a symbol of Israel's technology prowess, with even then Prime Minister Bibi Netanyahu praising him as "damn good." Tenenbaum ended up with probation and community service instead of jail time. So it wasn't with much surprise when I read Tenenbaum's mother calling the arrest a frame-up by the FBI.

The truth? The prepaid credit card scam described is a classic modus operandi in Canadian tweaker circles, at least as described in Zero Day Threat. And Tenenbaum certainly had to chops to pull it off, with the cast of fellow suspects who've been released probably participating as mules to make transactions. So once again, I'm betting Canadian dollars to donuts from Tim Horton's on meth.

This much is easy to understand: Sending 100 friends a link to your company's site is spam by any reasonable person's definition, whether you think it's "efficient" or not. Facebook has to crack down on such behavior because its users are getting sick of a surfeit of irrelevant messages, whether they're from friends or advertisers. Web security firm Cloudmark says 37 percent of Facebook users have noticed an uptick in spam over the past six months. What's more, Facebook is dealing with an increasing barrage of worms, viruses, phishing scams, as well as security threats for which researchers haven't invented suitably scary jargon yet.

Sarah Palin never thought of herself as an investigator. Yet there she was, hacking uncomfortably into Randy Ruedrich's computer, looking for evidence that the state Republican Party boss had broken the state ethics law while a member of the Alaska Oil & Gas Conservation Commission.

The next week, when Palin went back to work at the AOGCC, she noticed that Ruedrich had removed his pictures from the walls and the personal effects from his desk. But as she and an AOGCC technician worked their way around his computer password at the behest of an assistant attorney general in Fairbanks, they found his cleanup had not extended to his electronic files.

The technician "said it looked like he tried to delete this, but she knew a way to go around and get some of the deleted stuff," Palin said in an interview. "I didn't know what I was looking for, but I was there."

Palin found dozens of e-mail messages and documents stacked up in trash folders, many showing work Ruedrich had been doing for the Republican Party and others showing how closely he worked with at least one company he was supposed to be regulating.

According to a fresh eWeek report:

By rejecting the appeal, the human rights court paved the way for McKinnon to come to the United States, where he faces up to 70 years if convicted. He is accused of hacking his way into computers at the Pentagon, NASA and the U.S. Army and Navy in 2001 and 2002, causing a reported $700,000 worth of damage.

Attorney Karen Todner, who is representing McKinnon, said her client would now appeal to Home Secretary Jacqui Smith to try to persuade her to reconsider an earlier decision and prosecute her client in the United Kingdom.

"Failing that he will be extradited...probably within the next three weeks," Todner added.

She said her client had recently been diagnosed with Asperger's Syndrome and hoped Smith would take this information into account. McKinnon told Reuters in 2006 he was just a computer nerd who wanted to find out whether aliens really existed and became obsessed with trawling large military networks for proof.

His lawyers have argued that sending him to the United States would breach his human rights because he could be prosecuted on account of his nationality or political opinions.

Not surprisingly, McKinnon has a lot of support among technical people:

Graham Cluley, senior technology consultant with Sophos, said a poll of IT professionals conducted in 2006 found that more than half were against extraditing him, mostly because they did not feel he had malicious intent.

“There is a feeling in much of the IT community that McKinnon is being treated as a scapegoat by the U.S. authorities, that because he was arrested shortly after 9/11 that the U.S. agencies felt that they had to send out a strong message that hacking was not going to be tolerated."

(Photo by AP/Lefteris Pitarakis)

The solution to the problem is the same one you would use for your grandma who refuses to get off of her 56K connection. Pack a free version of AVG and their update files onto a flash drive and talk them through the installation and cleaning process. Don't forget the part where they owe you a beer or dinner for helping them out. You have plenty of time to plan — the next supply run is due to leave on or about November 10 from Launch Pad 39A at Kennedy Space Center.

(Virus-protein image by Allen Portner and Gopal Murti)

If you need the joke explained, Moskovitz is making fun of a common tactic used by hackers: Sending fake messages which appear to come from an authority, in an effort to get people to give up their passwords. But he's got a backhanded point. If Facebook insists on using its own software to make major announcements, a fake Mark Zuckerberg has a decent chance of fooling a lot of the people, a lot of the time.

You get a Facebook message from a friend, urging you to check out this video. You go there, and it's a YouTube phishing site (with your friend's facebook profile picture and name on it), which then urges you to update your Flash player. Don't do it — it fucks up your computer and then spams all your Facebook contacts (not sure exactly how it does that). But it's interesting that hackers are now using a supposedly "trusted" messaging platform such as Facebook to launch attacks

If the hackers' method sounds familiar — a third party attempts to get a user to click based on what looks to be the endorsement of a friend — that's because Facebook tried the same idea with Beacon last year. And it's trying it again with Engagement Ads, a new format coming this fall.

Most security scare stories are about potential problems. This was a real, successful break-in at the open source movement's most high-profile brand. So here's the big question: Why did it take Red Hat a week to acknowledge the problem? Because I can imagine the reaction if Microsoft did that.

(Photo by Eric Skiff)

First, a company wall would remind employees daily that their private details are available to anyone on the network who's installed Kismet and Wireshark. It's not the whiz kids from Black Hat you should worry about. It's the coworker looking to sell a list of sales leads to pay off a gambling debt.

A company Wall of Sheep would be run by one or two in-house sysadmins. They would use network-snooping tools to check for unprotected data on the network. They'd publish carefully redacted versions of anything they caught onto an in-house webpage. If you neglect to set the SSL options on your mail client, just the fact that you've sent 37 emails to Carolyne at the front desk will be the day's watercooler talk. What could be more motivational?

Second, a Wall of Sheep forgives no one. Not the CEO, not the star salesman, not the hotshot in Professional Services. Showing up on the wall because you didn't follow company security rules is like showing up late for work: Everyone sees it, even if they don't dare call you on it. When it comes to changing human behavior, embarrassment is far more effective than an error message. (Photo by RobotSkirts)

That's an understatement. The Russian Business Network is infamous for operating botnets, distributing malware, and stealing private information. But its usual targets are businesses, not nation-states. A year ago, Brian Krebs wrote in the Washington Post about RBN's exploits, which included an attack on the Bank of India. The Estonian government blamed the RBN for three days of attacks on its Web sites in April.

Armin, the security researcher says Georgia's hacked sites are now routed them through servers in Russia and Turkey that are "well known to be under the control of Russian Business Network and influenced by the Russian Government." The Ministry of Foreign Affairs of Georgia has moved its website to Google's Blogger — itself a notorious hotbed of spam, but at least one that's hosted on a theoretically more secure network.

Hackers write software that automatically designs “phishing” websites — those sites that look like a bank’s site but are really controlled by a hacker. Rather than operate the sites themselves, they sell the software to a newbie, who runs the scam. But the software is programmed to send a copy of whatever information it collects back to the author.

Hansen has a long, adversarial history with Google, going back at least four years to when he warned Google, eBay, DoubleClick and Visa of a vulnerability being used by "phishers," fraudsters who create fake emails and websites to look like trustworthy domains in order to steal user data. eBay, DoubleClick and Visa fixed the problem within weeks. Hansen says Google still hasn't. Or perhaps it simply hasn't agreed to pay Hansen's consulting fee — think it's a coincidence that eBay's now a customer of his? — and he's just playing hardball. Either way, careful where you get your widgets — and your security advice.

John Heasman, vice president of research at Next Generation Security Software, claims to have made "Java applets that for all intents and purposes is an image," and calls them GIFAR files, a combination of GIF, an image format, and JAR, an archive of Java code. Heasman says users would have be logged into the website in order for the malicious code to work and that "the attack is going to work best wherever you leave yourself logged in for long periods of time" — just about any social network, in other words.

To defend against attacks, researchers notes that websites could implement filtering tools to sniff out suspicious files. Sun Microsystems, makers of Java, could also update the Java runtime environment to prevent attacks. Researchers are expecting Sun to release a fix soon after the Black Hat conference.

Using his own computer at home in London, McKinnon hacked into 97 computers belonging to and used by the U.S. government between February 2001 and March 2002.

McKinnon is accused of causing the entire U.S. Army's Military District of Washington network of more than 2,000 computers to be shut down for 24 hours.

Using a limited 56-kbps dialup modem and the hacking name "Solo" he found many U.S. security systems used an insecure Microsoft Windows program with no password protection.

He then bought off-the-shelf software and scanned military networks, saying he found expert testimonies from senior figures reporting that technology obtained from extra-terrestrials did exist.

At the time of his indictment, Paul McNulty, U.S. Attorney for the Eastern District of Virginia, said: "Mr. McKinnon is charged with the biggest military computer hack of all time."

If found guilty, McKinnon could be jailed for 70 years and fined as much as $1.75 million.

Byron Ng, the inquisitive Canadian computer technician who found a hole in MySpace's linkup with Yahoo, tipped me off to this trick, which works with a wide range of widgets, he says, whether or not you're friends with a given user. (SuperPoke has a private-actions option, but it's hard to find and few people seem to use it.)

Is it scandalous to learn that, say, Slide CEO Max Levchin has "bitten" Facebook CEO Mark Zuckerberg? Not especially (though Levchin went through a rather disturbing biting phase last month). What it tells us, really, is just how unseriously people take the widgets on Facebook. That these applications have remained wide open just goes to show that they don't do anything worth hiding. And where's the fun in that?

How did Ng get them? Here are his instructions, which involve no real hacking or unauthorized access — just typing in Web addresses. They work because Yahoo allows its users to add their MySpace profiles to their cell phones without checking their credentials; it requires a login, but accepts any login, not the specific user's login.

This points to a flaw in the notion of data portability, a movement which seeks to have personal information shared between social networks and other websites. Data portability was borne out of a wrongheaded assumption: That data needs to be shared. Most consumers, I believe, aren't particularly interested in the concept; they belong to a few social networks at most, and don't find managing their online personas to be a particular challenge. The technophiles of Silicon Valley, however, join every network they hear about, and find retyping their personal information and manually adding friends maddeningly inefficient.

It's all well and good to speed things up, but how far, how fast? The example discovered by Ng just demonstrates the tendency of Web companies to take shortcuts with security. With data portability, we won't just have to worry about how well a particular social network guards their personal data; we'll now have to worry about every partner website it connects with.

Technical experts — every engineer in the Valley considers himself one — will no doubt weigh in with elaborate approaches to assuring security. I'm skeptical that any of them will work. It's a combinatorial problem; not only will the protocols have to be designed to be airtight, but we'll have to trust that each website implements them flawlessly. It only takes one weak link to break the chain. Already, Facebook has cut off Google's connectivity to its profiles in a dispute over whether Google's software is secure enough. Even the fame-seeking likes of Paris Hilton and Lindsay Lohan deserve better.

KRYOGENICS Defiant and EBK RoXed Comcast
sHouTz to VIRUS Warlock elul21 coll1er seven

No user information was compromised, but customers who use the company's webmail could not access their accounts. [Wired]

There are repeatable patterns evident in the audio file and by applying a set of complex but straightforward processes, a library can be built of the basic signal for each possible character that can appear in the captcha.