A list of the 20 most commonly exploited Windows, Unix, and Linux security vulnerabilities was issued Oct. 8 by the U.S. Department of Homeland Security (DHS), its British and Canadian equivalents, and the SANS Institute. SANS research director Alan Paller said the list was put together by international experts dedicated to combating cybercrime, and the security industry is backing the list. The list was also developed by Brazilian and Singaporean experts. "Basing the Top 20 on a multinational government/industry consensus endows the list with more authority and makes it easy for each of our agencies to persuade owners and operators of the critical infrastructure to eliminate these vulnerabilities," declared Steve Cummings of the National Infrastructure Security Coordination Center in the United Kingdom. Two major vulnerability testing software providers, Qualys and Foundstone, said that their clients will be able to test for the flaws on the list. The top 10 Windows systems vulnerabilities include Internet Information Services, Microsoft SQL Server, Windows authentication, Internet Explorer, Windows Remote Access Services, Windows peer-to-peer file sharing, Microsoft Data Access Components, Microsoft Outlook-Outlook Express, and the Simple Network Management Protocol. The top 10 Unix/Linux systems security flaws include the BIND domain name system, remote procedure calls, the Apache Web server, general Unix authentication, clear text services, Sendmail, Simple Network Management Protocol, Secure Shell, misconfigured enterprise services, and the Open Secure Sockets Layer. DHS outreach programs director Sallie McDonald said the list is "a useful example" of the deployment of the U.S. National Strategy for Securing Cyberspace.
Click Here to View Full Article

At least a dozen small software companies offer snooping software, or snoopware, that can monitor the computer use of a target, sometimes remotely. Commercial spying software and that published on the Internet by hackers is growing in sophistication and potency, according to McAfee consumer security senior product manager Bryson Gordon, whose company's VirusScan product now ferrets out snoopware on users' computers. Other software products such as NetCop and TrapWare also protect computers from snoopware, which is distinguished from spyware that companies use to gather Internet activity data from large numbers of people. Snoopware records keystrokes and can even turn on Webcams to capture images of the user; it could be used to violate federal wiretap laws, but vendors make users check boxes and read disclaimers so as to waive liability. Electronic Privacy Information Center director Mark Rotenberg says those measures "fail the straight-face test" and should not protect those companies legally. Snoopware vendors, however, insist most people have legitimate uses for their products, such as parents monitoring their children's computer use or companies watching employees at remote offices. TrueActive founder Rick Eaton says he recently disabled a feature on his company's snooping software that allows for remote deployment through email, called "silent deploy," citing not legal worries but ethical concerns; he also says TrueActive's technical support staff received an inordinate amount of calls about that feature. Eaton says the FBI has used his software, with court approval, to investigate hackers. Recently, a 19-year-old college student in Boston was charged with deceptively downloading snoopware onto the computer of an investor, then gaining access to that person's investment account to unload a large number of soon-to-be-worthless stock options.
Click Here to View Full Article
(Access to this site is free; however, first-time visitors must register.)

Crystalline organic semiconductors and their potential technological applications will be the focus of the International Electron Devices Meeting (IEDM) in December, where papers presented there will address such topics as radio-frequency identification (RFID) tags, e-textiles, and synthetic skin that employ pentacene-based transistors. Researchers at 3M's Electronics and Inorganics Technology Center report an innovation that could help reduce the price of RFID tags significantly, clearing the way for major implementations of the technology. The breakthrough organic RF circuit design allows logic circuits to be run without outside rectification--the gate and source areas of the organic pentacene transistors overlap to provide a large-capacitance load that filters out the RF element automatically and eliminates the need for a separate circuit to convert incoming RF transmissions to dc. Meanwhile, scientists at the University of Tokyo's Quantum Phase Electronics Center have fabricated a pressure-sensitive robotic "skin" by building arrays of organic pentacene transistors into a flexible sheet, depositing them one layer at a time on a polyimide substrate. When assembled with large area-printing technology, the design could lead to inexpensive elastic membranes that could improve robots' dexterity by giving them a tactile range comparable to the human hand. An e-textile application for pentacene-based organic transistors is being researched at the University of California, Berkeley, where scientists have developed a technique that employs woven shadow masks to build the transistors directly on fibers, a breakthrough that could permit designs to be scaled up in existing textile plants.
Click Here to View Full Article

Unresolved problems with spam, cybersecurity, and digital piracy were major topics of discussion at the Business Software Alliance's Global Tech Summit on Oct. 9, as were the near-future applications of radio-frequency identification (RFID) and wireless services. CEOs of technology companies proposed several solutions to the spread of unsolicited commercial email, including a bulk email tax and a "do not spam" registry, but spam filtering was still seen as not wholly reliable. Homeland Security Secretary Tom Ridge delivered a luncheon speech in which he stated that physical security and cybersecurity are key parts of U.S. infrastructure, and added that the IT industry plays a vital homeland security role as a disseminator of information. He called on the industry to help spread federal-level data to state and local authorities in order to build "a total situational awareness," but warned that U.S. security could be compromised by information's growing availability; he suggested that corporations be made to reveal the physical and cybersecurity measures they employ to shareholders and affected communities. Anti-piracy was another hot-button issue at the summit, with Adobe Systems CEO Bruce Chizen promising that the next edition of Photoshop will restrict the number of registrations per copy. Borland Software, meanwhile, requires customers to register and get a key from the company so that their software will work, and CEO Dale Fuller reported that the real piracy headache stems from people who acquire unauthorized software copies and sell them cheaply. Fuller also forecast that "Our kids will not know wired computers like we do today," while executives predicted that the near future will witness the incorporation of security into most applications, de facto wireless connectivity, RFID-enhanced inventory management, and continued strong feelings--and fighting--against spam.
Click Here to View Full Article

California voters in Alameda County took to the polls this week, and residents used touch-screen terminals to cast their votes in the recall election, but many said they lacked confidence in the systems and wondered whether their voted really would be counted. Like many counties across the country, Alameda has switched from paper ballots to electronic voting systems in an attempt to meet federal requirements for federal funds. Alameda has purchased 4,000 touch-screens from Ohio-based Diebold, and vendors and election officials say the e-voting technology is safe, speeds up the voting process, and saves money. Bev Harris, author of "Black Box Voting: Ballot Tampering in the 21st Century," said voters had good reasons to be concerned about the new machines; she has uncovered over 100 incidents of erroneous computer voter counts. Stanford University computer scientist David Dill, a leading critic of the county's electronic voting system, has urged voters to use absentee ballots based on the older optical scan technology instead to ensure that their vote is counted. There have been no reported cases of fraud so far, but researchers from Johns Hopkins University and Rice University revealed in June that any clever hacker could break into the Diebold system and vote numerous times. Many voters said they would feel more confident in the new system if the computer provided a paper receipt that matched their electronic ballot choices.
Click Here to View Full Article
(Access to this article is free; however, you will be asked to answer a few quick questions to proceed.)

To learn more about ACM's concerns over e-voting, visit http://www.acm.org/usacm/Issues/EVoting.htm.

A new paper by three French researchers focuses on the audio transmission of a quantum computer, and concludes that quantum computers can reliably identify and retrieve sound signals stored in quantum memory. The authors caution, however, that quantum signals defy classical audio analysis. Scientists speculate that a quantum computer could process sound and transfer data much faster than conventional computers through the use of qubits, which can exist in two states--0 and 1--simultaneously, unlike binary bits that can only exist as either 0 or 1. Dima Shepelyansky of the French Center of National Scientific Research, who co-wrote the quantum audio study with colleagues Alexei Chepelianskii and Jae Won Lee, believes that a quantum computer could be capable of storing far more information than all modern supercomputers by employing 50 qubits. And it would only take 18 qubits to encode the voice of HAL 9000, the autonomous computer from the film "2001: A Space Odyssey," in a quantum computer's wave function, according to the researchers. Chepelianskii explains that real-time audio communications require the reduction or compression of sound signals, and one form of audio compression, MP3, can quickly access the audio-signal spectrum using a mathematical approach called the Fast Fourier Transform. Audio signals could be transmitted even more rapidly through the Quantum Fourier Transform, the quantum equivalent of MP3. "Measurements of qubits are performed on the quantum register that allow us to extract the stored sound signal," notes Shepelyansky. "We performed numerical simulations of this process and developed an optimal strategy to restore the original sound."
Click Here to View Full Article

The growth of spam has nurtured an industry for hackers offering tools and services to thwart anti-spam measures and allow spammers to create Web sites that cannot be traced. A Polish group is promoting "invisible bulletproof hosting," a service that can defeat network sleuthing tools such as traceroute and whois, provided that spammers fork over the $1,500 monthly service fee. Invisible hosting can also add insult to injury for anti-spam proponents by allowing untraceable sites to reside even on servers run by fervently anti-spam ISPs, according to a representative of the Polish group who calls himself "Tubul." Tubul reports that his organization controls 450,000 hacked systems, mostly home PCs with Windows and high-speed connections; the systems contain software that directs traffic between Net users and customers' sites via thousands of compromised machines, and all customers have to do is configure their sites to employ any of several domain-name system servers controlled by the organization. "You're not going to have much success trying to follow IP addresses through hacked hosts," explains Lurhq security researcher Joe Stewart. "About all you can do is try to follow the money--sign up for whatever it is they're selling and try to figure out who's behind the whole thing." Pivx Solutions' Thor Larholm says the invisible hosting problem could be lessened if ISPs or domain registrars blacklist the DNS servers organizations such as the Polish group use, but Tubul claims his group circumvents such measures by frequently changing DNS servers. Spamhaus Project leader Steve Linford notes that hackers used to look down on spammers, but spamming's huge business opportunities led to a change of heart; he also says the spamming business is attracting out-of-work engineers and virus writers.
Click Here to View Full Article

The employment situation in the information technology industry is slowly getting better, according to industry observer Challenger, Gray & Christmas. The outplacement firm reports that from January through September layoffs in the IT industry were down 56 percent from a year ago. During the third quarter, IT companies eliminated 47,998 jobs, or 145,997 jobs so far this year, compared to slashing 334,650 jobs through the first nine months of 2002. The company cites telecommunications companies, which cut around 9,000 more jobs in the quarter than during the second quarter, as an IT sector that continues to struggle, but adds that wireless, broadband, security, and basic tech jobs are growing. "Small- and medium-sized companies have been pouring technology into their systems so there's a lot of demand for help desk people, database administrators, and network operations people," says Challenger, Gray CEO John Challenger. Challenger says the IT sector still needs considerable job creation, but he does not anticipate the industry duplicating the need to fill 1.6 million jobs, like in the late 1990s and 2000, anytime soon because of the growth of offshore outsourcing. The Information Technology Association of America projects that the industry will need to fill 493,400 positions by May 2004.
Click Here to View Full Article

Technology experts say personal digital assistants (PDAs) will continue to cut into the laptop market, but will never be able to completely replace laptops because of those machines greater usability. TechKNOW-HOW President Anthony Perez says PDAs still have lots of room to improve in terms of wireless connectivity and visibility. Laptops also offer greater flexibility in technology, with more accessories, memory, and networking options. AvantGo senior director Neil Versen says PDAs continue to gain new adherents, such as doctors that can use them while on the hospital floor and on-the-road workers who want convenient access to work. Interactive Business Systems' Angelo Tomasello predicts laptops will assume more of a business role while PDAs will be increasingly used for entertainment; though he says PDAs will benefit from virtual keyboards and display innovations that make the viewing area larger, they will always be limited by their size. Eventually, people will think about computing in entirely different terms than they do today, argues University of Alabama researcher George Marsh, who works at the school's Institute for Interactive Technology. As computing follows Moore's Law into the future, it will be embedded in clothing, jewelry, eyewear, and other objects where it proves useful. Marsh calls this immersion of computing technology "ultra tech" because of its new level of connectedness.
Click Here to View Full Article

The Defense Advanced Research Projects Agency (DARPA) will award $1 million to the team that designs and builds a robotic vehicle that can successfully complete the Grand Challenge by driving itself across roughly 200 miles of desert terrain between Los Angeles and Las Vegas without outside assistance. The U.S. military plans to employ the winning vehicle for reconnaissance, search-and-rescue missions, and battlefield operations. Competing vehicles will have to navigate and avoid obstacles by themselves, and the only outside guidance they will receive is from DARPA, which will disclose a series of Global Positioning System coordinates two hours before the race on March 13. Major obstacles include robots' difficulty in identifying "negative terrain" such as cliffs and ditches, which is prompting many teams to outfit their vehicles with sensors, lasers, and satellite maps; and segments of the race in which the robots must pass through 10-foot corridors at a particular speed. Grand Challenge project manager Col. Jose Negron says the purpose of the competition is to jump-start the development of next-generation military technology in order to fulfill a congressional mandate to make one-third of ground combat vehicles autonomous by 2015. Teams working on vehicles for the Grand Challenge include hobbyists as well as people from universities and small businesses. "We are inviting little mom-and-pop folks out there to help spur advancement and take us where we need to be," says Negron. Most competitors are in general agreement that no one will meet the Grand Challenge this year, but DARPA plans to hold successive races until a winner emerges, funding is exhausted, or people lose interest. Contestants' reasons for participating include a desire to gain credibility as robotics experts, and the lucrative business opportunity a victory would bring.
Click Here to View Full Article
(Access to this site is free; however, first-time visitors must register.)

A scientist in the Netherlands has developed a revolutionary system that allows the blind to get a glimpse of what is around via audio, helping users to trace out buildings, read graphs, and watch television. The vOICe (Oh I See) system consists of a head-mounted camera, stereo headphones, software, and a notebook PC, a wearable setup that costs about $2,500; the software can be downloaded for free. Moreover, a more portable but simplified version of vOICe has been developed for the Nokia 3650 camera phone. Dr. Peter Meijer of Philips Research Laboratories says the idea behind the system is to help the brain equate visual surroundings, considering everything has a unique sound. For example, the mobile camera phone is designed to translate images into a highly complex soundscape, then transmit them to the user over the headphones. Meijer believes vOICe is effective because information "content" is more important to the brain than the information "carrier" (here sound). "After all, the signals in the optic nerve of a normally sighted person are also 'just' neutral spiking patterns," Meijer explains. "What you think you 'see' is what your brain makes of all those firing patterns." Kevin O'Regan of the National Centre for Scientific Research says that a perfected version of the software could stimulate vision-like images in the blind, but he says vision's high-bandwidth needs could make it difficult to achieve.
Click Here to View Full Article

The illegal copying of video games could be curbed through the use of Fade, a safeguard system that causes unauthorized copies of games to degrade over time. Fade takes advantage of error correction systems that allow computers to play scratched CDs or DVDs. Fade-shielded software contains pieces of "subversive" code that resemble scratches set in a pattern that the game's master program is keyed to detect. If the pattern is detected, the game plays without any problems; but when a person attempts to copy the disc on a PC, the computer tries to correct the fake scratches, erasing the pattern that the master program is supposed to detect--so when the copied disc is played, the program is tipped off. The master program gradually disables the game, allowing the player to become addicted before the game becomes completely useless. "The beauty of this is that the degrading copy becomes a sales promotion tool," says Bruce Everiss of Codemasters, a British games developer that employs Fade. "People go out and buy an original version." Fade was created by Codemasters founder Richard Darling, and is now a component of Macrovision's SafeDisc anti-piracy system. Next year may see the release of Macrovision's SafeDVD, a DVD protection system which takes a similar approach to stopping DVD piracy. Independent copyright lawyer Alistair Kelman believes Fade adheres to the spirit and traditions of copyright.
Click Here to View Full Article

Purdue University researchers have developed a method to deposit and uncoil DNA strands on a silicon chip in order to more clearly read their encoded information, a breakthrough that may help pave the way for new computers with greater speed, energy efficiency, and memory capacity than current electronics for solving sophisticated problems. Purdue's Albena Ivanisevic and Dorjderem Nyamjav employed a process known as dip-pen nanolithography to lay down positively charged lines of commercially available polymer on the chip, so that the negatively charged DNA strands would automatically bind to the template. Once this was done, the strands were uncoiled with a syringe. The Purdue researchers' technique can be easily analyzed by industry and other scientists thanks to the commercial availability of the polymer. Ivanisevic's achievement demonstrates the feasibility of stretching out DNA on templates with nanoscale features, which could one day allow DNA molecules to be laid out in specific areas on electronic chips so that future computers can tap into DNA's vast storage capacity. Another goal for researchers is to position DNA molecules between a pair of electrodes to carry out consistent, precise measurements and ascertain the electronic properties of genetic material. "If you can actually demonstrate that you can do that, then you can think about making real molecular devices where DNA is used as a construction material, Ivanisevic notes.
Click Here to View Full Article

The effort to promote adoption of IPv6 is based largely on the assumption that IPv4 will not have enough address space once devices that are IP-enabled and continuously operating become the norm, but some members of the Internet community such as Telstra's Geoff Huston have questioned that perception. Huston released findings in 2002 showing that the unused v4 address field would not be saturated for two decades or longer, although he also acknowledged that that prediction could change. Still, supporters of v6 have lashed out against the results. North American IPv6 Task Force and IPv6 Forum Technical Directorate Chairman Jim Bound argues that Huston's metrics did not consider factors such as the H-ratio base, which states that unallocated v4 address space will become unusable before the protocol actually has no number combinations remaining, because networks do not actually utilize all possible addresses. Huston questioned the technical benefits v6 would introduce but Bound argues v6 would improve applications and offer other benefits. Latif Ladid, the president of the IPv6 Forum, contends, "Huston's figures are just numerical, not considering changes in applications, trends, policy, deployment of 3G, etc."
Click Here to View Full Article

Kostis Vezerides of the American College of Thessaloniki and Athanasios Kehagias of the Aristotle University of Thessaloniki have authored a paper demonstrating that "fuzzy logic" can be used to solve nearly all cases involving paradoxes, such as the famous Liar's paradox--"this sentence is false"--that defy conventional logic systems' attempts to untangle them. Fuzzy logic--a system positing that things are half-true--was conceived in the 1960s by Lofti Zadeh of the University of California at Berkeley, and Vezerides and Kehagias tasked themselves with finding consistent solutions to fuzzy truth equations without giving rise to mathematical chaos, a danger stemming from the nonlinear nature of equation systems that must be solved to uncover the truth-values. The authors proved that at least one solution could be arrived at by employing Brower's Fixed-Point Theorem, and then proceeded to test several numerical algorithms for getting that solution. The optimum technique is adopted from "control theory," which governs the operation of complex systems. Kehagias sees two avenues for further study: The first involves analyzing various fuzzy-logic algorithms for psychological authenticity. Because a problem may have more than one logically consistent answer, a computer could be designed to reach the same truth value that a person would through similar deduction. The second choice is to develop a type of logic that is midway between fuzzy logic and true-or-false binary logic--one that could yield true, untrue, sort of true, sort of false, and half-true answers to a problem.

Rep. Zoe Lofgren (D-Calif.) reported last week that anti-spam legislation has hit a roadblock in the Commerce Committee mere weeks before Congress is scheduled to adjourn for the year. The congresswoman told attendees at the Computer & Communications Industry's annual Washington caucus that Rep. Heather Wilson's (R-N.M.) Anti-Spam Act of 2003 has a majority of committee votes, but lacks the support of committee chairman Rep. Billy Tauzin (R-La.). Lofgren's own proposal, the Reduce Spam Act of 2003, would penalize marketers that fail to label commercial email and include a legitimate return address, permit recipients to opt out of receiving further email, and reward people who identify violators; but Lofgren is looking into other anti-spam measures that target advertisers as well. She also told IT industry representatives at the Washington caucus that lawmakers are divided over the issue of digital copyright protection, and insisted that the Digital Millennium Copyright Act is not supposed to be used by copyright owners as a tool to control consumer use of legally acquired digital material. Back in March, Lofgren proposed the Benefit Authors without Limiting Advancement or Net Consumer Expectations (BALANCE) Act, a bill allowing lawful digital content consumers to copy or store that content for archival purposes or perform or display it privately; BALANCE shares some similarities with Rep. Rick Boucher's (R-Va.) Digital Media Consumer Rights Act, but neither measure is expected to generate any solid results before year's end. Lofgren is also doubtful that the Database and Collections of Information Misappropriation Act of 2003 will survive judicial review. There is little hope that the Senate will pass anti-spam legislation before it breaks for the year, though a measure to impose fines and prison sentences on spammers who hijack computers was one of two anti-spam measures to clear the Senate Judiciary Committee.
Click Here to View Full Article

Digital security experts such as @Stake's Ollie Whitehouse warn that it is only a matter of time--16 to 18 months, by his estimation--before smart mobile phones are assaulted by worms and viruses. The same capabilities and technology that make smart phones so smart and versatile makes them vulnerable to infection and hacker hijacking, and this could lead to abuses far worse than merely deleting a phone's address book or calendar. Such abuses include unauthorized monitoring of phone users, compromised security of stored information, and the spoofing of GSM mobile phones so hackers can avail themselves of premium-rate online services that victims are charged for. Smart cell phones could be targeted by the same hackers that target personal digital assistants (PDAs), and the likelihood of this happening is even greater because smart phones boast an always-on Internet connection, while PDAs only link to the Internet for a brief period. The majority of the mobile phone industry is lax when it comes to bolstering their products' security--Symbian product strategist Craig Heath claims that the risk of attack is a tradeoff for the advantages of an open architecture. Nevertheless, some companies have started designing and implementing phone security measures such as firewalls and antivirus software. GSM Association Chairman Charles Brookson insists that "We have to start treating mobile phones of this sort exactly as if they are terminals connected to the Internet."
Click Here to View Full Article

Smaller, more compact blade servers may devour less space than traditional rack-mounted servers, but they generate more heat, which could lead to severe data center slowdowns, malfunctions, and failures if not managed properly. Complicating the problem is the fact that each data center follows a unique design, and the lack of a unified industry design standard for data center cooling systems that can deal with 15 to 20 kilowatts per rack. Problems associated with heat may start to manifest themselves when rack-top temperatures surpass 75 degrees Fahrenheit; many high-end processors lower clock speed in response to rising temperatures in order to shield components, but Uptime Institute executive director Kenneth Brill says less vigilant administrators may misread the performance slowdown and install more blades, thus compounding the heat problem. Ron Richardson of Qualcomm's IT operations center opted to redesign its design center with a hot aisle/cold aisle architecture in which rows of racks are positioned so that the racks face each other, while cooled air from the cold-aisle floor passes through each rack and exits into hot-air aisles, where it is removed and re-chilled. American Power Conversion CTO Neil Rasmussen notes that additional cooling capacity can lead to serious overheating if air is pushed under the floors too rapidly. IBM, Sun Microsystems, and Hewlett-Packard anticipate the continued shrinkage and growing power of blades, and Jeff Benck of IBM predicts that water-based cooling systems will be a standard feature by 2005. Jack Dale Associates PC President Edward Koplin reports that current thermal guidelines from the American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) are behind the times, and Don Beaty of ASHRAE expects the completion of new guidelines by 2004.
Click Here to View Full Article

Industry is frustrated that speech technology, whose benefits have been clearly and inarguably demonstrated, is taking so long to penetrate the enterprise because it is so difficult to deploy and fine-tune, but packaged applications that have the potential to dramatically reduce cost, complexity, and time-to-market could help facilitate the widespread adoption of the technology. Observers believe the speech industry is on the verge of an explosion related to the "hidden application backlog," a hoarding of applications that users deny themselves until less complex and more rapidly deployable systems come along. Developments that could be driving this upsurge include the emergence of multiple platforms and popular standards such as SALT and VoiceXML; the appearance of versatile packaged speech applications that apply to multiple industries and business operations; and a rough parity between the number of speech self-service systems currently being contracted out and the number of Web self-service systems that are either bought as applications or developed in-house. Packaged speech applications offer lower cost of ownership and faster deployment than custom solutions, allow contact centers to take advantage of their financial benefits more rapidly, reduce risk by enabling businesses to assess and comprehend what they are getting prior to purchase, and nurture the development of complete, quality products. Packaged solutions currently on the market include application solutions or components used to facilitate the delivery of customized solutions and that help lower time-to-market and initial costs; configurable applications that keep cost of ownership low and deployment cycles fast; shrink-wrapped applications that are best suited for non-self-service functions where flexibility is not vital; and applications-as-a-service that are provided as a hosted service offering, which scales back their configurability. The solution a company selects is ultimately a matter of inclination: Configurable solutions, for instance, may best serve enterprises that require a lot of control and flexibility, while all but the applications-as-a-service can run on-premise or as hosted solutions.
Click Here to View Full Article