forkb0mb.org

Much Ado About NULL: Exploiting a Kernel NULL Dereference

Last time, we took a brief look at virtual memory and what a NULL pointer really means, as well as how we can use the mmap(2) function to map the NULL page so that we can safely use a NULL pointer. We think that it’s important for developers and system administrators to be more knowledgeable about the attacks that black hats regularly use to take control of systems, and so, today, we’re going to start from where we left off and go all the way to a working exploit for a NULL pointer dereference in a toy kernel module.

/*
The article then goes on to provide a hand's on example of how to exploit a NULL pointer dereference to execute arbitrary code. Pretty good read.
*/

Secret Forum Reveals Oz Firewall Backroom Dealing

Circumvention legal, but you can't tell anyone how[.]

/*
Emphasis is theirs.

Now say what? It will be legal to circumvent (technical details at the bottom), but illegal to explain to someone else how to perform this perfectly legal configuration. I wonder how this might affect a corporate or ISP helpdesk perform VPN connectivity setup?
*/

Australia’s plans for a firewall to protect its population from smut on the internet are rapidly evolving from farce to total chaos. Weekly revelations on bulletin boards suggest that Stephen Conroy, the man behind the big idea, does not know what forthcoming legislation on the topic will say, when it will be introduced or how the firewall will work in practice.

/*
This time, emphasis is mine. I want to continue to point out how big of an asshat this particular Australian politician is. He is the "Minister for Broadband, Communications and the Digital Economy." He's the one that floated the idea of this nation-wide "firewall" (which is technically a proxy since it will be filtering at layer 7 - hence the technical problems) to "protect" citizens from illegal, immoral, or "dangerous" content. This is nearly the same thing the Chinese and Iranians are doing, just using layer 7 proxy devices instead of what's assumed to be basic layer 3 IP filtering of destination hosts. Skip to the very end of the post for the technical details behind this.

To say this whole thing began as a farce is hitting the nail right on the head.
*/

Meanwhile, it turns out that the Minister’s own Department of Broadband, Communications and the Digital Economy (DBCDE) has been hosting a secret forum for discussions with ISPs likely to be affected by proposals. Along the way it floated the idea of making it a crime to advise surfers on how to do things that are perfectly legal to do. Confused? You will be.

First up is the time scale for plans to introduce the new firewall. As already reported, the question of when legislation will be introduced has now been bouncing between the offices of Prime Minister Kevin Rudd and Communications Minister Stephen Conroy. Severe wriggling from Conroy’s office suggests that plans for an early introduction of legislation have been put on the back burner for now.

/*
Conroy wants to shelve the legislation until after the elections. He's technically incompetent, but he's smart enough to realize that this is going to be a screw-up of biblical proportions and it will likely cost him the election. It's "on the back burner for now," but it's by no means dead.
*/

Meanwhile further digging inside this forum revealed that departmental officials appear to have been discussing the possibility of making it a criminal offen[s]e to advise individuals of means that would enable them to circumvent the filter – even where the means themselves were perfectly legal.

/*
I would say that this equates to information being illegal. In a way, that's in the same league as banning books.
*/

As the EFA suggests, this answer raises more issues than it addresses, and relies on the degradation of the Australian network being gradual, rather than catastrophic. It does appear, however, that the government has no plans to deal with a possible overload of its firewall bringing the Australian internet to its knees – beyond setting up a review when such an event actually happens.

/*
Why should there be any degradation of bandwidth at all? I suspect that if this goes through, there's going to be a noticeable difference in download speeds and initial access to websites.
*/


/*
Details:

Circumvention:
Circumvention of these filters will be trivial; you can wrap your request in SSL (such as https:// if the website supports it), by using a VPN provider outside Australia (many more found on the link for the word "using"), by using Tor (which uses a technique known as Onion Routing), or even by viewing blocked pages via the Google cache.

Technical Considerations:
This filtering is to take place with proxies (at the Application [7] layer) as opposed to the traditional large-scale deployments of firewalls (at the Network [3] and Transport [4]) layers). The deeper you have to inspect a packet, the more CPU and memory required to process the filters. It costs - in many ways, from actual dollars for the hardware and software, to performance impact, to configuration complexity to man-hours of maintenance - considerably more to filter at layer 7 with a proxy than layers 3/4 with a firewall.

The one benefit to filtering at layer 7 is that you block only what is intended to be blocked. In today's world (where we've been running out of IPv4 space for a dacade now) a lot of websites are configured using virtual hosts. This allows web hosting providers to host a virtually unlimited number of websites on a single IP address. Let's say there are two websites, both hosted on the same virtual host IP address, where one is banned and the other is not:

www.bannedwebsite.co.au (banned)
www.momsrecipies.co.au (allowed)

With a layer 7 proxy, when the user attempts to reach a website, the proxy intercepts the request, checks the request (including hostname and URI), and then either blocks the request, or requests the page on behalf of the end-user and returns her the requested webpage. So your mom can still access www.momsrecipes.co.au while nobody can access www.bannedwebsite.co.au. With a proxy, you can return HTML to the end-user explaining why access to this particular website is blocked and possibly a method of contact to dispute the denial of access.

Pros:
() Finer-grained control of what's filtered
() Less "false positives"
Cons:
() Expensive in many aspects (mentioned above)
() Complex configuration
() Considerable service impact due to use of DPI at Application [7] layer
() Slightly easier to circumvent; using https is the only circumvention measure mentioned that does not tend to work with the firewall approach - the rest should work against both types

With a layer 3/4 firewall, access to the virtual host IP address (or even the subnet it's part of) will be blocked. When anyone tries to go to www.bannedwebsite.co.au, they are unable to, which is the intended result. They will get a different error; the browser will just report that website was unreachable. End of explanation. If anyone tries to go to www.momsrecipies.co.au, they will also be denied with the same uninformative unreachable error. Since both websites are on the same IP address, the firewall has no way of knowing which website you're looking for, so it blocks everything.

Pros:
() Cheaper to deploy
() Simpler configuration - hundreds of hosts/subnets vs. thousands of hostnames
() Can often be implemented on existing hardware - edge or core routers utilization IP ACLs
() Faster, more responsive access to allowed websites; less service impact
Cons:
() Collateral damage - legitimate sites on the same virtual host as banned site are also blocked
() Slightly more difficult to circumvent (a websites https site will likely be in the same blocked subnet)

Comparison with Other Instances of State-Controlled Internet Access:
I see three major differences in the Australian proposal as opposed to the other major regimes implementing state-wide filtering of websites (China and Iran). They are as follows:

The use of layer 7 proxies instead of layer 3/4 firewalls and route filtering

In China and Iran the responsibility of implementing and maintaining the filters rests on the tier-1 to tier-2 network providers who bring capacity into the country. By filtering at this level, you are enforcing that ISPs block these sites along with everyone else in the country. By placing the responsibility on the ISP, who provides the access to the end-user, you are going to find that ISPs (a) will add/remove entries from the blocked list to fit their own agendas; (b) will suffer varying performance impact and quality of service based on their investment in the filtering technology and correctness of the implementation; (c) will raise prices to pay for increased hardware/software components, man-hours maintaining the systems, and extra capacity required to maintain a reasonable quality of service; and (d) some will become popular with a certain customer base due to being lax in their filter list updates and tendency to allow some banned content.

Another side effect of this proposal, from an economic standpoint, is that it is likely to put smaller ISPs out of business. Instead of putting the smaller burden on the backbone providers, with considerably more capital, it will place a more expensive burden on ISPs with less resources at their disposal. If these filters become legally mandatory, this will likely put smaller ISPs out of business. A smaller provider may not have access to the resources (money, manpower, and know-how) to meet these requirements and will thus have to shut down operations.

The third difference is in the legality and enforcement of the filters. In the Australian proposal, it will be legal to circumvent the filters provided you know how. In China, they are known for randomly allowing then blocking then allowing access to certain websites and enforcement is relatively low. Occasionally they will decide to make an example of someone, and they will end up in prison. In Iran, enforcement is rather strong, with penalties ranging from prison time to possibly "disappearing".

Other Thoughts:
There is one other somewhat commonly used filtering technique involving DNS. The ISP or corporate gateway will transparently route all DNS requests by the end-user to DNS servers under their control. The DNS servers will be configured as authoritative for the blocked domains; typically configured to return an IP address that connects you to a website telling you that your access is blocked and possibly why. This is similar to the Walled Garden approach.

*/

GNU libnss_db Local Information Disclosure Vulnerability

/*
According to the "Discussion" tab:
*/

The GNU 'libnss_db' library is prone to a local information-disclosure vulnerability.

Local attackers can exploit this issue to read the first line of arbitrary local files. This may lead to further attacks.

libnss_db 2.2.3 is vulnerable; other versions may also be affected.

/*
I was not able to reproduce this on my machine as I did not already have the libnss-db package installed, and the package for my distro has already been fixed, so it does no good to install it.

The discussion shows this as an example:

sudo apt-get install libnss-db
sudo /etc/init.d/nscd stop (in case nscd is installed)
sudo ln -s /etc/shadow DB_CONFIG
$ sudo
line 1: root:*:14553:0:99999:7:::: incorrect name-value pair

Now if you already have sudo(8) privs to stop/start init.d services and use ln(1), I'm guessing there are probably easier ways of obtaining root. Every attack vector should be corrected, but this just seems a like the shooting fish in a barrel with sudo privs as such.
*/

Rough Justice for Terry Childs

A San Francisco jury found Terry Childs guilty of one count of felony denial of service yesterday. The count carries a maximum sentence of five years in prison. Considering that he's already served nearly two years to date, he may actually be released on parole at his June 14 sentencing hearing, or he may be facing another three years behind bars. His lawyers stated that they will appeal.

/*
This ruling brings a chill to my spine. While Childs could have handled the situation with a little more grace, I don't believe that any crime was actually committed. I've worked under some pretty shoddy conditions before - lack of procedures, lack of accountability - but this sets precedent for criminal prosecution.

Knowing firsthand how difficult this would be, I'd have just let the lackluster-at-best management sink. I would have turned over the passwords along with my resignation. Anyone with a CCIE can find another job, even in this economy. If it comes down to risking my freedom and clean criminal record because my boss is a moron, then it's time to move on. I can't imagine how painful it would have to be to create such a complex, intricate system, only to have to turn it over to inept cretins who will undoubtedly destroy it.
*/

RIM Buys QNX to Tie Phones to Cars

Research in Motion said Friday (04/09/2010) that it had signed a deal with Harman International to acquire its QNX Software Systems unit to help tie its BlackBerry smartphones to car navigation systems.

Terms of the deal were not announced. It is expected to close within 30 to 45 days if it passes regulatory approvals.

...

QNX designs a real-time embedded OS, that it has tied to ARM, MIPS, PowerPC and other processors and embedded designs.

"The car is going to become the first-class citizen of the cloud, where inside the car you're going to have access to all the connected media, all the social services that are out there, and it will truly revolutionize the driving experience, the experience of the automotive makers making those cars, the ecosystem of people that are going to make applications for those cars," said Dan Dodge, the chief executive of QNX, in a recent video made with Alcatel-Lucent to retrofit a Toyota car with a cloud-connected entertainment system networked via the wireless LTE standard. "It's probably one of the most exciting times in automotive history."

/*
I wouldn't have named QNX as the software to buy if you're looking to get into car navigation systems, but they're certainly a good choice. I've used QNX here and there, but it's been quite a few years back. The software was always really neat looking (Photon is a beautiful GUI), was blazing fast, tiny footprint, and as stable as anything I've ever encountered.

For those unfamiliar, QNX is a Real-Time Operating System (RTOS) that's a perfect example of a microkernel architecture.
*/

Cisco's New Router: Trouble for Hollywood

Cisco's CRS-3 router made a bit of a splash when it was announced on March 9, but the power of this new device hasn't yet sunk in. Consider: The CRS-3, a network routing system, is able to stream every film ever made, from Hollywood to Bombay, in under four minutes. That's right — the whole universe of films digested in less time than it takes to boil an egg. That may sound like good news for consumers, but it could be the business equivalent of an earthquake for the likes of Universal Studios and Paramount Pictures.

/*
I'm not sure that the comparison of streaming the entire Hollywood movie collection in less than 4 minutes is completely accurate; I'd like to know how many movies they're estimating, how big each DVD image is (4.7GB vs. 9.4GB, for instance), and what Layer 1/2 technologies they're talking about (is this ethernet over fiber?). If you're just talking about passing the data across the 322 Tb/sec backplane, then it might be possible; but if you're talking about carrying all that data across multiple hops, each connected by, say, a 10 Gbps ethernet-over-fiber link, it's just not doable. The 10 Gbps link would definitely be a bottleneck.

I also have my doubts as to the likelihood of a piece of networking equipment meaning the end of the world for any sector of business. Sure, as internet connections get faster more people will start downloading/streaming their content; so, unless the people running the MPAA and RIAA are complete morons (which I'm not ruling out), all they have to do is change their business model to incorporate downloads. That's not exactly an overnight change, but it's entirely possible.
*/

But routers are not the only cause of bottlenecks, and Cisco is not alone in working to maximize the Internet's full potential. Google is also concerned about the speed limitations imposed by wires that run to the home. Last month, Google, best known for its search engine, announced plans to test ultra-high-speed broadband networks that would deliver Internet content to residential subscribers at speeds of 1 gigabit per second — 100 times as fast as the top speed available today. This would allow consumers to complete a PC download of a Hollywood blockbuster like Avatar in about 72 seconds.

/*
I don't understand the phrase, "100 times as fast as the top speed available today." That would seem to indicate that a 10Mb/sec connection is the fastest available today. I'm currently on a 15 Mb/sec connection as I write this, and my ISP offers at least 20 Mb/sec.

Downloading a movie at full-speed on a 1 Gbps connection, over 72 seconds, results in 8,640 MB of data. That's almost a full double-layer DVD. We'll assume 120 MB/sec (bytes) over the 1 Gbps link, which is right about the theoretically maximum without figuring in the overhead and framing (for brevity); times 72 seconds = 8,640MB.
*/

The ability to download albums and films in a matter of seconds is a harbinger of deep trouble for the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA), which would prefer to turn the clock back, way back.

Consider that the MPAA, whose members include Disney and Universal, attacked the VCR in congressional hearings in the 1980s with a Darth Vader–like zeal, predicting box-office receipts would collapse if consumers were allowed to freely share and copy VHS tapes of Hollywood movies. A decade later, the MPAA fought to block the DVD revolution, mainly because digital media could be copied and distributed even more easily than videocassettes.

/*
"Fair Use" has held up in court many times that as a consumer we are allowed to make 1 archival copy in case our normal store-bought copy gets scratched/lost/stolen. It's also been proven in several instances where customers are more likely to pay, and pay more, for DRM-free movies and music and more likely to pirate any "restricted" content. If I pay for a CD, I damn well expect to be able to listen to it at home in my stereo, in my car's CD player, and to be able to rip the tracks to my iPod. If I'm not allowed to do those things, there's no point in me buying the music...it's not like any new music has come out in the last 10 - 15 years worth raising a stink about, anyway. The more difficult it is for someone like me to rip their store-bought copy of an album onto their iPod, the more likely they are to go out and pirate a "cracked" copy that will let them transfer it with relative ease.

To quote the Borg: "Resistance is futile."
*/

The hard fact is that the latest developments at Cisco, Google and elsewhere may do more than kill the DVD and CD and further upset entertainment-business models that have changed little since the Mesozoic Era. With superfast streaming and downloading, indie filmmakers will soon be able to effectively distribute feature films online and promote them using social media such as Facebook and Twitter.

/*
This is probably the best part of the article. The idea of taking the RIAA out of the picture just makes me smile. The sooner they're gone, the sooner we can stop being spoon-fed this pop-formula Nickelback type shit. If independents can start their own online market and promote/sell their music without the need for a label, then music might actually be worth saving. As it stands, I say let the music industry dry up and never press or sell a single CD again. Sure, we'd be losing some of the greats, but there is so much crap out there that those rare gems make up a tiny fraction of 1% of the albums out there. Now if music is readily available from the independents, there might actually be some music not only worth listening to, but worth buying. I know there are bands out there much better than Nickelback, but they haven't been "discovered" or "signed" -- that's why they're still playing the local dive bar. But if they could market themselves, this might drastically change the landscape of the music industry, and for the better.
*/

FCC to Propose Faster Broadband Speeds

The U.S. Federal Communications Commission unveiled a plan on Tuesday that would require Internet providers to offer minimum home connection speeds by 2020, a proposal that some telecommunications companies panned as unrealistic.

/*
It's "unrealistic" if they wish to keep their huge profit margins. With the average broadband speed in the U.S. being under 4 mbit (mentioned later in the article), they will be receiving approximately 1/25th the amount of profit per megabit that they're currently making. Internet providers in Asia and other parts of the world that are subject to more regulation, or even state-run, have been providing 100Mbps - 1Gbps for several years. It's more than technical possible, and financially feasible; you just have to be in a market where the monopolistic telecoms aren't allowed to gouge you at-will.
*/

The FCC wants service providers to offer home Internet data transmission speeds of 100 megabits per second (Mbps) to 100 million homes by a decade from now, Commission Chairman Julius Genachowski said.

Industry estimates generally put average U.S. Internet speeds at below 4 Mbps.

/*
I suppose I've been fortunate; I've had access to somewhat reasonably priced connectivity at 10Mbps - 15Mbps. I do, however, know several people with connectivity well below the 4Mbps mark.
*/

The proposal is part of the FCC's National Broadband Plan, due next month. It comes a week after Google Inc rattled Internet service providers with its plan to build a super-fast Internet network.

/*
I've already nominated the city I live in. With the high population density, diversity of professionals represented, and easy access to large amounts of bandwidth nearby, I think there's a fair chance that my city may be one of the chosen.
*/

"A 100 meg is just a dream," Qwest Communications International Inc Chief Executive Edward Mueller told Reuters. "We couldn't afford it."

"First, we don't think the customer wants that. Secondly, if (Google has) invented some technology, we'd love to partner with them," Mueller added.

/*
"...we don't think the customer wants that." Excuse me? That is the most ridiculous argument I've ever heard. Bandwidth is like RAM, you can never have too much. If you've got a connection faster than you're using at this very moment, you haven't lost anything. If you don't have enough bandwidth for what you're planning on doing, then your experience will suffer.

Google has not "invented" any new technology for what they plan to roll out, they're simply willing to spend the capital to build-out a fiber-to-the-home network (at least in select markets, initially). As far as Qwest being willing to "partner" with Google on such projects, I'm sure they'll be happy to let Google spend the capital to build out the fiber network and then try to make money through advertising or other avenues, not requiring them to spend a dime on the infrastructure side.
*/

Verizon, the third-largest provider, and one that has a more advanced network than many competitors, said it has completed successful trials of 100 Mbps and higher through its fiber-optic FiOS network.

"(One gigabit per second) as discussed in current news reports is a lot of signal; typically enough for many massive business operations," Verizon said in a statement that referred to Google's plan to test a network with those speeds. "But we could make it happen over the FiOS network without much trouble, should a market for it develop."

...

One analyst questioned whether the FCC's proposal could lead to a sustainable business model.

"In order to earn a return for investors, you have to be conscious of what consumers will pay. I don't know this is something consumers will pay for," Piper Jaffray analyst Christopher Larsen said. "It's a nice goal, but it's a little on the over ambitious side."

/*
It's been proven to be a sustainable business model in many parts of the world. Nobody is more starved for bandwidth, as far as users go, than the U.S.

I doubt that the FCC proposal requires that the providers provide no less than 100Mbps to every customers, just that it's an affordable (to the majority of people) option. If a customer doesn't want to pay, say, $80/month for a 100Mbps connection, then offer a 50Mbps option at $50/month. That's incentive for the customer to pay the less than double price for the double bandwidth, and you're still meeting your obligation of providing 100Mbps service to those who want it. I don't know of any network technology that will carry 100Mbps that won't let you throttle it back to 30, 50, 75 Mbps or any other arbitrary speed.
*/

The United States ranked 19th in broadband speed, trailing Japan, Korea and France, according to a 2008 study by the Organization for Economic Co-operation and Development.

Data shows that about 64 percent of U.S. households used a high-speed Internet service in 2009, the Commerce Department said on Tuesday. That is a 25 percent increase from 51 percent two years earlier.

/*
This is truly sad. We're the world leader in technological development, but due largely to greed, we're 19th in the world in terms of broadband speed.
*/

20 Years of Adobe Photoshop

One of the most impressive things about the company is the fact that one gifted family, consisting of an engineering prof, a PHD engineering student, and a talented special effects whiz working at Industrial Light and Magic came up with the core idea of Photoshop.

Thomas Knoll, the PHD student, is still heavily involved with Photoshop years later.

Glen Knoll was a college professor with two sons and two hobbies; computers and photography.

He had a darkroom in his basement, and an Apple II Plus that he was allowed to bring home from work.

Thomas Knoll adopted his father’s photography habit throughout high school, while his brother, John Knoll, purchased one of the first Macs available to the public.

Fast forward to 1987: Thomas Knoll was a PHD student studying Engineering at the University of Michigan. His brother was working at Industrial Light and Magic.

Thomas Knoll wrote a subroutine for a program to translate monochrome images on his monitor to grayscale.

The successful subroutine led Knoll to create more and very soon he had a number of processes for achieving photographic effects on digital images.

After his brother John saw what Thomas was doing, he recommended that Thomas turn what he was doing into a full-featured image editor.

/*
And lo, the world's most powerful - and likely most used - image editing software was born.

It's hard to believe it's been 20 years. I started tinkering with Photoshop 3.0, around 1995. I've had access to versions 3.0, 4.0, 5.0, 5.5, 6.0 and 7.0 over the years. I definitely do not have the eye for graphics design, but it's fun tinkering around.
*/

1994 – Photoshop 3.0

The big story for Adobe Photoshop 3.0 was layers. Layers were and are a lifesaver for any marginally complex design.

Prior to their introduction, designers would save different versions of designs so that they could go back and grab them if needed; layers made this practice redundant.

Layers are individual slices of the image that go together to make the final “sandwich” of the image. Different images, such as those used in the image above in the 3.0 splash screen, are assigned their own layers, making it easy to work on those images without tampering with other areas of the image.

/*
This is the first version I tried. The layers feature is a life-saver.
*/

Thomas Knoll, the original creator of the program, was responsible for their development. Other engineers made improvements in the program’s performance with Power Mac chips and bringing the Windows version up to the same level as the Mac version. Tabbed palettes also had their debut in 3.0.

Adobe engineers included Adobe Transient Witticisms (ATW) with this version. They were little Easter Egg funny one-liners that would appear only when you pressed obscure combinations of keys.

/*
Here is a small list of known "Easter Eggs" contained within Photoshop. They're a huge waste of code, CPU, and memory, but usually worth checking out.
*/

European Swift Bank Data Ban Angers U.S.

The European Parliament has blocked a key agreement that allows the United States to monitor Europeans' bank transactions - angering Washington.

/*
I'm sure the nanotech engineers are currently working on the world's tiniest violin.
*/

The US started accessing Swift data after the 11 September 2001 terror attacks on New York and Washington.

But the fact that the US was secretly accessing such data did not come to light until 2006.

/*
My fear is not that this data mining was used to track terrorists; far from it. I'm inclined to believe that this monitoring was used for other purposes. Purposes such as finding and prosecuting tax cheats. That, in itself, isn't a bad thing either. My belief is that the only tax cheats that will be prosecuted will be the ones who failed to line the campaign coffers of our elected officials; the ones who've paid off the right people will continue to get away with whatever it is they're getting away with.
*/

Swift handles millions of transactions daily between banks and other financial institutions worldwide. It holds the data of some 8,000 banks and operates in 200 countries.

'Aurora' Attacks Still Under Way, Investigators Closing In On Malware Creators

Researchers find 'markers' associated with authors of Aurora malware used in attacks against Google, others

The targeted attacks that hit Google, Adobe, and other U.S. organizations are still ongoing and have affected many more companies than the original 20 to 30 or so reported by Google and others.

Security experts who have worked on forensics investigations and cleanup of the victim organizations from the attacks that originated out of China say they are also getting closer to identifying the author or authors of the malware used to breach Google and others.

...

He and other forensics firms say they have no direct evidence implicating the Chinese government in the Aurora attacks, but that doesn't mean other investigators or officials have it and just aren't sharing it publicly, Hoglund says. HBGary has found trails left behind in the Aurora code by its creators that are "very specific to the developer who compiled the malware," Hoglund says, and it has Chinese language ties.

HBGary has identified registry keys, IP addresses, suspicious runtime behavior, and other data about the Aurora malware and its origins using the firm's latest analysis tool, he says.

/*
Call me cynical, but it sounds to me like HBG is using this whole 'Aurora' thing to try to sell copies of it's latest product.
*/

Hoglund says HBGary was able to identify "markers" specific to the way the Aurora developer wrote the malware. But he says his firm did not include this in its new report. "This is not in the report because we don't want him to know what we know about his coding," he says. "[It] is algorithmic in nature."

/*
Assuming they did find distinct characteristics about the programmer('s) code, that's like having a partial fingerprint and no database of fingerprints to compare it to. Do they expect to get every person in the world that can write code to submit samples for comparison?
*/

Kevin Mandia, CEO of forensics firm Mandiant, also says his firm's investigators are getting close to exposing the creators of the Operation Aurora malware. "We feel like we know a couple of them in their coding -- we recognize their trademarks ... down to the person."

/*
I also find this hard to believe. In working with people over extended periods of time, a decent programmer can generally figure out which of his coworkers wrote a piece of code based on things such as commonly-used variable names, snippets of syntax, tab-width, 1TBS vs. Allman bracing style and comments. Most or all of this information is lost when the code is compiled and debugging symbols removed.
*/

He says attacks that steal intellectual property typically funnel the goods via IP addresses based in China. But Mandia says he doesn't know if the Chinese government is involved in the recent attacks or other APT attacks, though some trends with these attacks raise questions. "We see patterns that just make us curious. If you're doing merger and acquisition work in China, you're targeted," Mandia says. "We've seen when we respond to client sites [that were attacked] a lot of legal counsel, external counsel, and C-level executives [targeted] in M&A with China."

/*
As usual, I'm going to apply Occam's Razor here and guess that if it walks like a duck, and quacks like a duck, it's probably going to be served with packets of duck sauce. :)
*/

New Russian Botnet Tries to Kill Rival

An upstart Trojan horse program has decided to take on its much-larger rival by stealing data and then removing the malicious program from infected computers.

Security researchers say that the relatively unknown Spy Eye toolkit added this functionality just a few days ago in a bid to displace its larger rival, known as Zeus.

The feature, called "Kill Zeus," apparently removes the Zeus software from the victim's PC, giving Spy Eye exclusive access to usernames and passwords.

...

Trojans such as Zeus and Spy Eye steal online banking credentials. This information is then used to empty bank accounts by transferring funds to so-called money mules -- U.S. residents with bank accounts -- who then move the cash out of the country.

/*
Most of these "money mules" are people who take "work from home" jobs they find on the internet. From the stories I've read, they'll get an official-looking email from their "boss" stating that money will be wired into their bank account, they keep around 10%, and then are instructed to wire the remainder to another account outside of the country.

First, I find it odd that these criminals aren't swindled by their "employees." I'm surprised more people don't just keep the large sums of money deposited into their accounts.

Second, I have a hard time believing that these "employees" don't find it suspicious that their boss is telling them that large sums of money will be deposited into their account, and that they are then to wire most of it to another account. I'd certainly be questioning their methods and intentions. Any legitimate business that needed to move money around would have their own billing/accounting department to handle all of that; and that my pay, for whatever work performed, would be given to me in whole. I've never had a job where I'd be given 10 times my pay with the understanding that I'm to keep what I'm entitled to and then "give back" the rest.
*/

With its "Kill Zeus" option, Spy Eye is the most aggressive crimeware, however. The software can also steal data as it is transferred back to a Zeus command-and-control server, said Kevin Stevens, a researcher with SecureWorks. "This author knows that Zeus has a pretty good market, and he's looking to cut in," he said.

/*
I think this is the genius part of this new botnet. New botnets seem to spring up every couple weeks at most; but this one is intelligent enough to not only gather it's own data (via keyloggers, HTTP POSTs, etc), but to also steal data already captured by a market-leading botnet. Let the others do all of the work collecting the data, and then just swipe the data as they report back to their C&C servers.
*/

Turf wars are nothing new to cybercriminals. Two years ago a malicious program called Storm Worm began attacking servers controlled by a rival known as Srizbi. And a few years before that, the authors of the Netsky worm programmed their software to remove rival programs Bagle and MyDoom.

/*
Such behavior is definitely not new. I recall a worm that spread using the same vulnerability as SQL Slammer that would remove Slammer and download/install the patch for the vulnerability they both used to obtain access. Viruses have used similar tactics in the past, as well.
*/

Spy Eye sells for about $500 on the black market, about one-fifth the price of premium versions of Zeus. To date, it has not been spotted on many PCs, however.

/*
$500 - $2500 is a small investment considering the enormous potential it could buy you. If you only manage to obtain $250 per stolen bank account, it would only take you 10 compromised accounts to see a return on investment.
*/

'Aurora' Code Circulated for Years on English Sites

Updated An error-checking algorithm found in software used to attack Google and other large companies circulated for years on English-speakinglanguage books and websites, casting doubt on claims it provided strong evidence that the malware was written by someone inside the People's Republic of China.

The smoking gun said to tie Chinese-speaking programmers to the Hydraq trojan that penetrated Google's defenses was a cyclic redundancy check routine that used a table of only 16 constants. Security researcher Joe Stewart said the algorithm "seems to be virtually unknown outside of China," a finding he used to conclude that the code behind the attacks dubbed Aurora "originated with someone who is comfortable reading simplified Chinese."

/*
Doubt is now being cast upon the assumption that someone within China was behind the attacks. I still have my suspicions.
*/

In fact, the implementation is common among English-speaking programmers of microcontrollers and other devices where memory is limited. In 2007, hardware designer Michael Karas discussed an almost identical algorithm here. Undated source code published here also bears more than a striking resemblance.

...

"Digging this a little deeper though, the algorithm is a variation of calculating CRC using a nibble (4 bits) instead of a byte," programmer and Reg reader Steve L. wrote in an email. "This is widely used in single-chip computers in the embedded world, as it seems. I'd hardly call this a new algorithm, or [an] obscure one, either."

/*
Gee, where are nearly all microchips/microcontrollers fabricated these days? China.
*/

Two weeks ago, Google said it was the victim of highly sophisticated attacks originating from China that targeted intellectual property and the Gmail accounts of human rights advocates. The company said similar attacks hit 20 other companies in the internet, finance, technology, media and chemical industries. Independent security researchers quickly raised the number of compromised companies to 34.

/*
Targeting the human-rights advocates kind of seals-the-deal in my mind. We've got three major parts of the world where the vast majority of malware originates; eastern Europe, Russia, and China. Let's see, who has the most atrocious human-rights abuses of the three? China.
*/

One of the only other reported links between China and the attacks is that they were launched from at least six internet addresses located in Taiwan, which James Mulvenenon, the director of the Center for Intelligence Research and Analysis at Defense Group, told The Wall Street Journal is a common strategy used by Chinese hackers to mask their origin. But it just as easily could be the strategy of those trying to make the attacks appear to have originated in China.

/*
This is a valid point; it could be someone wishing to make it appear that the Chinese were behind the attack. I'd have to admit, the Chinese hackers and malware authors are generally smart enough to cover their tracks, so for the attacks to originate in a favored part of the world for the Chinese does seem a little short-sighted.
*/

The lack of evidence is important. Google's accusations have already had a dramatic effect on US-China relations. If proof beyond a reasonable doubt is good enough in courts of law, shouldn't it be good enough for relations between two of the world's most powerful countries?

/*
I would like to see something a little more definitive before saying I'm certain that the Chinese were behind the attacks; but so far, we've got a "smoking gun" (the exploit code contained in the targeted phishing attacks), but have yet to identify any "fingerprints." Applying "Occam's razor," as I'm wont to do, it would appear that someone in China was behind this.

I whole-heartedly support Google on their threat to pull out of China. With Wal-Mart already selling this country out from under us every day, I don't like to see any U.S.-based company doing business with China. Unfortunately, in this situation, it appears that the Chinese citizens will really be the ones that lose.
*/

IPv4 Free Pool Drops Below 10%, 1.0.0.0/8 Allocated

"A total of 16,777,216 IP address numbers were just allocated to the Asian Pacific Network Information Centre IP address registry for assignment to users. Some venerable IP addresses such as 1.1.1.1 and 1.2.3.4 have been officially assigned to the registry itself temporarily, for testing as part of the DEBOGON project. The major address blocks 1.0.0.0/8 and 27.0.0.0/8, are chosen accordance with a decision by ICANN to assign the least-desirable remaining IP address ranges to the largest regional registries first, reserving most more desirable blocks of addresses for the African and Latin American internet users, instead of North America, Europe, or Asia. In other words: of the 256 major networks in IPv4, only 24 network blocks remain unallocated in the global free pool, and many of the remaining networks have been tainted or made less desirable by unofficial users who attempted an end-run around the registration process, and treated 'RESERVED' IP addresses as 'freely available' for their own internal use. This allocation is right on target with projected IPv4 consumption and was predicted by the IPv4 report, which has continuously and reliably estimated global pool IP address exhaustion for late 2011 and regional registry exhaustion by late 2012. So, does your enterprise intranet use any unofficial address ranges for private networks?"

/*
The content of this post was shamelessly ripped from the front page of Slashdot.
*/

/*
The IANA still shows 1.0.0.0/8 and 27.0.0.0/8 as being RESERVED and registered to them.

What burns my ass like 3 foot flames is that we're giving these dwindling IP blocks to countries that shouldn't even be allowed to participate in the global internet! As I've stated before, on my own private network, for my own protection, I null-route all blocks allocated to APNIC, whether they've been sub-allocated out yet or not.

I say we pull all of China's IP space. With their "Great Firewall of China," they've made it clear that they don't want their citizens participating in the global Internet, anyway. I say that we pull all of their routable IP space, give them -- let's be generous here -- a /20 to NAT behind, and let them use RFC1918-space for every machine in their god-forsaken country. If they use RFC1918-space (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16), that gives them a total of:
16,777,216 + 1,048,576 + 65,536 = 17,891,328 IP addresses to use.

Under this scenario, those of us who wish to rid ourselves of the useless packets (i.e., botnets and spam) spewing forth from this country, we can simply firewall or null-route a /20 and protect ourselves with better than 95% certainty. Sure, a few users will manage to VPN out to somewhere else in the world (*cough*Russia*cough) and wreak havoc from there, but it still keeps the vast majority off our Internet. I am sure that you could convince management to allow you to block a /20, even in the enterprise, a lot easier that wide swaths of /8s.
*/

/*
In regards to corporations "borrowing" publicly routable IP space; I've seen it first-hand. I worked for a fairly large company in the financial sector, whose network was probably designed around the time I was born. They decided they were going to use 88.0.0.0/8 for their internal addressing scheme. Why not 10.0.0.0/8 you ask? It has the same amount of IP addresses; but the answer eluded me. With hundreds of branch locations all routing into their internal network, then through proxy servers, and finally out to the real Internet, this got to be quite a mess. We had to create a special route on the proxy pairs that linked directly to the ingress routers so that when a user needed to access a site whose IP just so happened to reside in 88.0.0.0/8, we'd have a special allow rule for that host/domain name that bypassed the traditional routing. I guess it's a good thing that they were bought out and their services either integrated or deprecated.
*/

Law Firm Suing China Hit By Cyber Attack

Last week, Santa Barbara, Calif.-based CYBERsitter sued the People's Republic of China, the two Chinese software makers, and seven computer manufacturers for distributing Web filtering software known as Green Dam with allegedly stolen code.

This week, the law firm representing the company said that it had been targeted in a cyber attack from China.

In a phone interview, Elliot B. Gipson of Gipson Hoffman & Pancione described what amounts to a spear-phishing attack -- the same technique used against Google in China. "They were e-mails targeted at individuals in our law firm that were made to appears as if they were coming from other individuals at our law firm," he said. "They attempted to get the target to click on a link or attachment."

/*
It looks like China is at it again. When will our government say "enough is enough?"

Given that we've "outsourced" essentially all of our manufacturing jobs to China, India, and Mexico, all we have left to power our economy is our ingenuity; our intellectual property. The Chinese government has made little effort to hide the fact that they are behind these attacks.

I'm really starting to favor a new "Cold War," this time against China. We toppled the Soviet Union without firing a single shot; there's no reason we couldn't do the same to China. With carefully coordinated electronic attacks, we could cripple their booming economy and leave them in ruins without risking one single American life.

For those who have no reason to receive email, or other network traffic, from China and the other "problem children" in APNIC, here is a list of subnets that are managed by APNIC. You may wish to null-route all of them, or fine-tune the list to your needs.

*/

Researchers Identify Command Servers Behind Google Attack

VeriSign's iDefense security lab has published a report with technical details about the recent cyberattack that hit Google and over 30 other companies. The iDefense researchers traced the attack back to its origin and also identified the command-and-control servers that were used to manage the malware.

The cyber-assault came to light on Tuesday when Google disclosed to the public that the Gmail Web service was targeted in a highly-organized attack in late December. Google said that the intrusion attempt originated from China and was executed with the goal of obtaining information about political dissidents, but the company declined to speculate about the identity of the perpetrator.

/*
Emphasis is my own, but I wanted to ensure that those reading this immediately saw that it was China behind these attacks.
*/

Citing sources in the defense contracting and intelligence consulting community, the iDefense report unambiguously declares that the Chinese government was, in fact, behind the effort. The report also says that the malicious code was deployed in PDF files that were crafted to exploit a vulnerability in Adobe's software.

"The source IPs and drop server of the attack correspond to a single foreign entity consisting either of agents of the Chinese state or proxies thereof," the report says.

/*
In other words, these attacks weren't carried out by people who just-so-happened to be Chinese citizens; but were carried out by, or at least encouraged by, the Chinese government.

Later in the article, there's an update stating that it appears the attacks did not use specially crafted PDFs but most likely an unpatched vulnerability in Microsoft Internet Explorer.

I'd bet that there's probably a 0day exploit floating around for every 10 lines of code in IE. It's just pathetic. The single biggest recommendation that I offer all of my friends and family is to not use IE if they value their computer and it's data. I tell them that by using Firefox -- which is not without it's own security issues -- instead of IE, that it's the single most effective action they can take to avoid malware on their systems.
*/

"The servers used in both attacks employ the HomeLinux DynamicDNS provider, and both are currently pointing to IP addresses owned by Linode, a US-based company that offers Virtual Private Server hosting. The IP addresses in question are within the same subnet, and they are six IP addresses apart from each other," the report says. "Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the Silicon Valley attacks have been compromised since July."

/*
"six IP addresses apart" is probably within the same /28 or /29.

On my home network, I typically block all subnets handled by APNIC; using either Linux netfilter on the firewall, or regex pattern matching via Squid proxy. This is using a cannon to kill a mosquito, and would definitely not work in the enterprise, but it works fine for my own personal protection. I have no need to visit any sites hosted on APNIC addresses as I cannot read any language other than English.

Unfortunately, my tendency to block wide swaths of IP space would not have protected my home computers from becoming zombies in this attack. It appears that the C&C servers were hosted in the U.S.
*/

Google Switching to ext4

Google is currently in the middle of upgrading from ext2 to a more up
to date file system. We ended up choosing ext4. This thread touches
upon many of the issues we wrestled with, so I thought it would be
interesting to share. We should be sending out more details soon.

/*
I caught this story on Slashdot today. The link to the mailing-list post is very sparse on details. Actually, it provides no details whatsoever.

I find it odd that Google would be using ext2, as opposed to ext3. I would have figured that the journaling would more than out-weigh the small performance hit.
*/

For our workloads we saw ext4 and xfs as "close enough" in performance
in the areas we cared about. The fact that we had a much smoother
upgrade path with ext4 clinched the deal. The only upgrade option we
have is online. ext4 is already moving the bottleneck away from the
storage stack for some of our most intensive applications.

/*
I find it odd that XFS and ext4 are "close enough" in performance. I've been a long time fan of XFS; been using it since it was a patch available at oss.sgi.com for early 2.4.x kernels. XFS, having many excellent features in the way of integrity, managing large files, etc, it has always been significantly slower than the ext[23] filesystems. So, either XFS has made huge strides in performance, or ext4 is considerably slower than ext3.
*/

/*
It's hard to believe, but it's been 40 years since the Unix epoch. Calling time(2) returns the number of seconds since the epoch, January 1, 1970. As of 00:00:00 January 1st, 2010, it has been 1,261,440,000 seconds since "the beginning of time."
*/

TSA Withdraws Subpoenas Against Bloggers

In the wake of public outcry against the Transportation Security Administration for serving civil subpoenas on two bloggers, the government agency has canceled the legal action and apologized for the strong-arm tactics agents used.

Travel writer and photographer Steven Frischling, who was served with a subpoena by two TSA agents on Tuesday, told Threat Level that he received a phone call Thursday evening from John Drennan, deputy chief counsel for enforcement at TSA, telling him the administration was withdrawing its subpoena.

/*
"Strong-arm tactics;" couldn't have said it better myself. I'm glad to hear that, given the publicity, they decided that they didn't want the negative PR and would do The Right Thing(tm). If only every case of over-reaching abuse of power could get this level of publicity. Sadly, people's privacy rights are trampled nearly every day, it just doesn't get the press that this case did.

In case you missed it, Slashdot linked to an article on the New York Times regarding the TSA subpoenas entitled "TSA Subpoenas Bloggers, Demands Names of Sources". You may want to read it first to familiarize yourself with the issue before reading the article about the TSA withdrawing the subpoenas.
*/

...

A second blogger who was also served a subpoena on Tuesday, Christopher Elliott, was also told his subpoena was being withdrawn. Elliott had refused to cooperate with the agent who served him the subpoena and had indicated to the TSA that he would be challenging the subpoena in federal court next week.

..

Frischling said the two agents who visited him arrived around 7 p.m. Tuesday, were armed and threatened him with a criminal search warrant if he didn’t provide the name of his source. They also indicated they could get him designated a security risk, which would make it difficult for him to travel and do his job.

"They came to the door and immediately were asking, 'Who gave you this document?, Why did you publish the document?' and 'I don’t think you know how much trouble you’re in.' It was very much a hardball tactic," he told Threat Level.

/*
So much for the First Amendment which includes freedom of the press. Granted, he was not obligated under any law to turn over the name(s) of his source(s), but they made it clear that if he did not cooperate, they would make his life unnecessarily difficult.
*/

The agents searched through Frischling’s BlackBerry and iPhone and questioned him about a number of phone numbers and messages in the devices.

The agents then tried to image his hard drive, but were unable to do so.

/*
There goes the Fourth Amendment, as well. The Fourth Amendment states, and I quote: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, ..."
*/

/*
I have the utmost respect for those who protect us from would-be attackers; I just feel that they go about it in the wrong way and overstep their boundaries. The TSA, CIA, NSA, FBI, and ATF have to be right every single time; while an attacker only needs to be right 1 time to be effective. That certainly makes the job of those who protect us very difficult.

"An ounce of prevention is worth a pound of cure" is most certainly true; but it also doesn't make sense to use a cannon to kill a mosquito.

If I were to be traveling, I would use the internet to transfer all files to before heading to the airport, and use strong encryption on my hard drive. That way, I am not entering the airport with any data on my computer, and anything left on the hard drive for the operating system and applications would be inaccessible due to the strong encryption. Unfortunately, if they cannot access the data easily, I believe the TSA has the ability (but I don't think the right) to confiscate your laptop indefinitely. If it takes them a thousand years to break your encryption and search your data - only to find nothing of use - you may never get your equipment back. Might I recommend GPG (for files) and the Linux cryptoloop driver (for file-systems - I recommend at least AES-256, if not AES-384, AES-512, or Twofish - all of which available in the Linux kernel)? It appears that FreeBSD also supports encrypted partitions. A Google search reveals several options for protecting your privacy on Windows; one appears to be a feature built into Windows XP, though I'm not sure I'd trust it to be free of back-doors. If you're looking for free, you might look into TrueCrypt. DISCLAIMER: I've never used TrueCrypt myself, so I cannot comment on it's features.
*/

Graphical Network Simulator 3

/*
This simulator is absolutely awesome. It requires that you have the Cisco IOS images as it comes with a MIPS emulator and actually emulates a real Cisco router, switch, or PIX firewall. It's so realistic that you can design a network, configure the routers and switches, and then drop the running configurations onto real network gear.

It certainly helps to have plenty of RAM available to run this. 1 GB or more is almost a necessity.
*/

ldd Arbitrary Code Execution

/*
This article explores a documented, though largely unknown, feature of the Linux dynamic linker. It also appears that BSD, Solaris, and HP-UX might also fall victim to this "trick."

I'm hesitant to call it a vulnerability since it's a documented feature, and requires some social engineering to succeed. It is, however, behavior that many experienced Unix admins may not be familiar with.
*/

Shellcode Collection

/*
This site contains hundreds of shellcodes ranging from the standard execve(/bin/sh) to bindshells; from Linux to IRIX to Cisco IOS. Pretty neat collection!
*/

Netflix Streaming Coming to PS3

Netflix online streaming is coming to the PlayStation 3.

A Netflix press release spelled out the details of deal. The good news is that the streaming feature -- which enables Netflix subscribers to access thousands of movies and TV shows on-demand via the Internet -- is available at no extra charge beyond the monthly Netflix DVD-by-mail subscription, which can be as low as $9 a month.

/*
They go on to mention that the Xbox version requires access to Xbox Live for an additional $50/year.
*/

The bad news: PS3 owners will need to put a special Blu-ray disc in the game console, which will enable streaming via the Blu-ray's BD Live functionality. That's a departure from all other Netflix-enabled devices (including the Xbox 360 and other Blu-ray players), which just have the Netflix option as a built-in feature. [...] However, the press release specifies that the disc will be needed "initially," so perhaps a future software upgrade will add Netflix as a built-in feature on the PS3.

/*
With as often as my PS3 wants to download updates (basically every time I power it on), I imagine that built-in support for Netflix streaming will be added relatively soon.
*/

Still, the Netflix feature of the 360 has long been envied by PS3 owners, so its inclusion--even with the need to be launched from a disc--will be welcome news. The Netflix site says that the feature will be available before the end of the year, and Netflix subscribers who own a PS3 can reserve a copy of the Netflix disc as of now.

So, what do you guys think: does the addition of Netflix put the PS3 at the top of the game console heap, or is the Xbox 360 an all-around better deal?

/*
My thoughts on the current generation consoles still hold true. The Nintendo Wii got the most fun gameplay and a revolutionary new controller system; the PlayStation 3 got, by far, the best technology (see the Cell Broadband Engine processor); and the Xbox got, well, Halo.
*/

Say Farewell to GeoCities, the Vintage Web-hosting Site

The flashing banner ads, questionable color schemes and omnipresent "Under Construction" signs of GeoCities are no more.

The personal Web-hosting site, launched in 1995 and owned by Yahoo Inc. since 1999, was to be shut down by Tuesday.

It's a move that will scrub from the Web a significant, albeit dated, piece of Internet history and the pages where millions first tried their hands at coding and designing.

/*
This is truly a sad, momentous day. I remember my first GeoCities account; it came with a whopping 640 KB of allotted space. Back in the days when most webpages were contained entirely between two <center> tags, everyone used the <blink> tag, and tables were all you really had for controlling the layout of your "content."
*/

GeoCities, in its heyday, was an online hub for Internet communities, connecting related pages through "web rings" that predated the massive footprints of MySpace and Facebook by nearly a decade.

/*
Who remembers the "web rings?" That's a term I haven't thought of in years.
*/

For some, creating guest books, visitor counters and streaming HTML marquee tags on GeoCities was a stepping-off point into a new digital age.

/*
My very first Perl/CGI program was a guestbook for my personal webpage hosted on my ISP's servers. It used a flat text file to store the entries that people posted. GeoCities didn't allow Perl/CGI, for good reason; CPU time was much more costly than today, and the security implications were enormous. I had to email my ISP every time I'd upload a new version of the guestbook so they could review the code and chmod(1) the script to make it executable. Ahhh, memories...
*/

"It's humorous somewhat to go back and look at it -- it's so simple compared to what Web sites are now," she said. "It almost seems innocent."

/*
So true...
*/

GeoCities was the third most-visited site on the Web in December 1998, behind AOL and Yahoo!, with 19 million unique visitors, according to a CNNMoney report.

...

Yahoo will not be archiving user pages and has been encouraging GeoCities users to download content to their computers if they want to rebuild them on another site.

/*
Emphasis is my own, as usual.
*/

The online message notes that the Internet Archive, a nonprofit group trying to document as much of the public Web as possible, was working to record as many GeoCities pages as it could before the site went down.

While many Internet users have long abandoned GeoCities, the Web was filled with nostalgia on Monday. "RIP GeoCities" was a trending topic on Twitter, where one user summed up his feelings in a sub-140-word blast.

"If you're making fun of GeoCities dying," he wrote, "you're too young to understand."

/*
Doesn't this bring back memories? :)
*/

Government Informant is Called Kingpin of Largest U.S. Data Breaches

A government informant who helped put away nearly 30 fellow hackers five years ago is considered by U.S. law enforcement officials to be the kingpin of the biggest data breaches in U.S. history.

Albert Gonzalez, 28, of Miami was indicted yesterday for the third time in connection with the data breaches. Two Russian citizens were indicted along with Gonzalez by a grand jury in New Jersey yesterday on charges of running an international scheme to steal more than 130 million credit and debit card numbers as well as personally identifying information from five companies, including Heartland Payment Systems Inc., 7-Eleven Inc. and Hannaford Bros. Co.

/*
For those who do not remember, the Heartland breach was larger than even the TJX heist. In the TJX breach there were approximately 45,000,000 card numbers compromised; compared to potentially 100,000,000 cards at Heartland.
*/

Gonzalez became an informant for the U.S. Secret Service after his 2003 arrest in New Jersey on on charges of ATM and debit card fraud, according to an official at the U.S. Department of Justice, who asked not to be named.

In 2004, Gonzalez provided information that helped the U.S. Attorney's Office in Newark, N.J., bust up what at the time was one of the largest online centers for stolen identity and credit card information. The online underground marketplace, dubbed the Shadowcrew group, was charged with trafficking more than 1.5 million stolen credit and ATM card numbers.

Twenty-eight people were arrested and 27 pleaded guilty in connection with that incident. One man fled and became a fugitive.

[...]

The DOJ official did confirm that Gonzalez acted as an informant in the case. However, according to this week's indictment, Gonzalez was allegedly continuing to work as a criminal hacker at the same time he was cooperating with the government.

/*
Ooops. I guess that being a snitch doesn't buy you immunity from the crimes you commit.
*/

/*
It appears that Wired.com is also running this story. The Wired version seems to have a few more details and hard numbers.
*/

IBM: UNIX to Linux Migration Rate Growing

/*
Skipping a few paragraphs to get to the meat of the article...
*/

Inna Kuznetsova, Director, Linux Strategy, led the meeting attended by IT analysts and painted a telling picture of what IBM's Linux business has been in recent months: in short, strong and growing. To give an idea of this strength, Kuznetsova reported that in the past three years, over 1,800 customers have migrated from competitive platforms to IBM, and nearly 50 percent of those IBM wins included Linux.

IBM is also picking up a lot of business from Sun, having doubled their number of Sun customer wins between first quarter and second quarter 2009. Kuznetsova attributed these recent moves to customer uncertainly regarding Sun following the recent takeover bid from Oracle.