The era of operating system vulnerability is slowly drawing to a close, with more than nine out of 10 published software vulnerabilities now appearing in applications, Microsoft’s latest half-yearly report has suggested.

According to the company’s Security Intelligence Report for the first half of 2008, OS vulnerabilities are now stable at between 6 and 8 percent of those reported, a level they have been at since the first half of 2006. Vulnerabilities in Windows XP and Vista have shown a modest decrease in 2008, continuing a similar trend over the same period.

But the report paints a more complex picture in terms of which platforms are the ones most likely to run vulnerable applications. Vista scores well, with Microsoft-based software accounting for only 6 percent of vulnerabilities on that platform, with none of the top ten browser-based holes hitting the OS.

Over the period, the biggest Vista-based software vulnerabilities appeared to be in two ActiveX controls installed only in China, which would seem to confirm the relative obscurity of serious issues on the platform.

XP, by contrast, is still Microsoft’s biggest headache, with 42 percent of all app holes on that platform coming from Microsoft’s own software.

Using the number of PC’s cleaned per 1,000 executions of Microsoft’s own Malicious Software Removal Tools (MSRT), Visa SP1 scored 4.5, while the different updates of XP scored between 9.2 and 33.8. All of this confirms what has been well established in the past – XP and its applications are still relatively vulnerable, while the newer Vista and its applications do considerably better.

Across the industry as a whole, software vulnerabilities classified by the industry standard Common Vulnerability Scoring System v2 (CVSSv2) as ‘severe’ now account for 7.3 percent of those made public, with a startling 41 percent classified as ‘high’. More encouragingly, Microsoft reports, only 10.4 percent of holes had publically-available exploit code.

In truth, it is extremely hard to gauge from the report how Windows is stacking up against rival platforms such as Apple or Linux in terms of OS and app holes, but the overall message to take away appears to be that the OS is not the main worry. The big concern now is browsers on all platforms, including Windows.

Analyzing these by locale showed that China was the most likely place for browser-based exploits to hit, with 46.6 percent of them happening in that country across all platforms. The US came second on 23 percent, Russia third with 7 percent and the UK some way back with 2.4 percent.

An angry Chinese lawyer accused Microsoft of perpetrating the biggest ever hacker attack in response to the software giant’s controversial move to trigger hourly screen blackouts on computers using pirated copies of Windows XP.  [Cast your vote]

On October 20, Dong Zhengwei, a lawyer of Beijing Zhongyin Law Office, sent a complaint to China’s Ministry of Public Security, accusing Microsoft of invading personal computers without user permission or judicial authorization, the Beijing Times reported.

Dong said the judiciary should assign criminal responsibility for the Windows Genuine Advantage Program so called “Black Screen” scheme and halt this “illegal move”.

To fight software piracy Microsoft announced on October 15 that, starting October 21, Microsoft anti-piracy software would be automatically installed on users’ computers through the routine Internet-based update mechanism. If a computer fails a validation test, the desktop will change to a plain black background when the computer is restarted.

Users will be able to reset the black background to any wallpaper or another background color, but every 60 minutes the desktop will revert to black until a genuine copy of Windows is installed.

Microsoft’s plan has aroused huge controversy in China. According to a poll on Chinese portal QQ.com, out of 574,923 participants, 73.33 percent said they were using pirate versions of XP, 51.58 percent said they intend to continue using pirate versions, and 32.87 percent said they will ignore Microsoft’s “black screen” campaign. Only 15.55 percent said they intend to buy an authorized version. 77.23 percent said they oppose Microsoft’s action.

Microsoft’s anti-piracy campaign is also targeted at pirated versions of Office software, which includes the popular Word, Excel and Powerpoint applications.

Microsoft said their action was not particularly targeted at Chinese users and that it planned to extend the verification system to all Windows XP and Office users within two months. Microsoft also said that the “black screen” is just a “notification of piracy” and will not actually affect the normal operation of the computer. “And even if your XP or Office is pirated, we will not collect any information from you, so let’s hear less of the charge of ‘ infringing privacy ‘.”

But in his complaint, Dong Zhengwei said frequent compulsory validations will cause certain functions of PC to slow down and he maintains that computer users face potential information leakage. He characterized Microsoft’s behavior as a kind of “hacker attack”, because it infringes users’ privacy and has not been legally authorized.

Chinese laws stipulate that a party will be considered guilty of illegal intrusion if it disrupts the normal functioning of computers by altering their operating systems.

Dong Zhengwei further noted that although Microsoft’s action is understandable, its own failure to act for a long period had brought about a situation in which nearly 10 percent Chinese people use pirate software. Microsoft’s failure to act could be construed as abandonment of its copyright. Furthermore, he said, “the creators of pirate software are to blame for piracy.” Dong said, “Ordinary computers users should not be victimized.”

Jiang Qiping, of the Informatization Research Center of the China Academy of Social Sciences, also said that Microsoft is conducting a hacker-styled attack. First, he said Microsoft’s move to verify XP was an abuse of power and might infringe China’s anti-monopoly law; second, since users of pirated versions will suffer hourly screen blackouts, it resembles a classic hacker attack.

There was a similar case in 1997. To fight piracy, Jiangmin, one of China’s leading anti-virus software providers, released a logic bomb, a piece of code that would destroy all the data on a computer’s hard disk if it detected pirate software. At that time, the public security department ruled that Jiangmin had no right to punish ordinary computer users, and that its action violated Regulations of the People’s Republic of China for the Protection of Computer Information Systems. The company was fined 3,000 yuan (US$439).

According to article 23 of this regulation, whoever intentionally inputs computer viruses and other harmful data to endanger the safety of computer information systems shall be given a warning or fined an amount of not more than 5,000 yuan for an individual offender, or not more than 15,000 yuan for an organizational offender. If income is illegally obtained, further fines of up to three times the amount of income illegally obtained can be imposed.

The Chinese public is becoming increasingly concerned about privacy. Ms. Wu, an inexperienced computer user is terribly worried. “Is the information on my computer safe when software producers can do what they like over the Internet?” Ms Wu. does not know whether the operation system in her computer is genuine or not. She is afraid that she may be sued by Microsoft. Her worry is a reflection of the near-panic among a section of computer users in China.

A blogger wrote that Microsoft should not take the law into its own hands but should leave the fight against piracy to the proper authorities.

Microsoft has recently beefed up its anti-piracy efforts in China. In August, Chinese police cracked down on a famous domestic Website offering a pirate version of the Windows XP system, after being tipped off by Microsoft. Microsoft emphasizes that it hopes computer users will voluntarily renounce the use of pirate products.

Ironically, Microsoft’s crackdown may boost the sale of a new pirate version of its XP system. According to the Kunming City-based Chuncheng Evening Post, local software vendors told the paper that a new pirate version of XP software which cracks Microsoft’s code will arrive on the market, “within two days.” One of the underground peddlers said “The new version will sell well.”

Most Chinese computer users use pirated versions of Microsoft products because of the low price. Some said they would turn to Non-Microsoft replacements, such as the LINUX system or Kingsoft’s WPS Office if Microsoft’s new policy takes effect.

Many Chinese Internet users are relaxed about the whole affair. They point out that the WGA will be cracked, just like all the most complicated Windows operating systems have been in the past. Besides, there is an easy way to evade the WGA by turning off the “Automatic Updates” option in the operating system.

Internet users have even begun to mock Microsoft’s approach. Online forums advertise black computer wallpapers for download, tagged “support piracy, turn your screen black “. Some people say pure black wallpapers have suddenly become very fashionable.

(China.org.cn – October 21, 2008)

Source: http://source.android.com/

I am wondering what will happen with other mobile application stuff being used widely, now there’s Android which has been released by Google.  Will there be an end to those, like OpenMoko? Time will tell.

This will be good and fun way to start out! I hope I still have time to try this one though.

1. Press Ctrl+Alt+F1-F6 (F1 used) to go to the terminal
2. michaelm$ sudo apt-get install -y gnome-panel
3. michaelm$ sudo apt-get update && sudo apt-get upgrade
4. After that I rebooted my laptop.  Bingo!  My panel is back!

Now checking, I also removed this component: evolution-data-server-common

Anyway, its there already, and using it!

Investigators say the two suspects of Congolese nationality – described as “small time crooks” – were seized in the Paris area and remanded in custody.

“They no doubt were unaware that it was the president’s account,” said an investigator.

Mr Sarkozy complained to police in September after noticing “small amounts” had been stolen from his account, but the scam was only made public this week.

At first it was thought the fraudsters had siphoned money out of the president’s bank account via the internet after obtaining his user name and password. This led to calls for more internet banking security.

But police now believe they randomly obtained his account number to create a fake identity kit including false names and addresses. This they used in a store to obtain a mobile phone subscription.

In all, the thieves had drained less than £200 from the president’s personal account before the scam was detected, sparking a manhunt involving France’s top financial fraud experts.

Police said financial thieves regularly make lots of small illegal withdrawals as a means of trying to keep their crimes undetected.

Source: http://www.telegraph.co.uk/news/worldnews/europe/france/3235762/Two-arrested-over-Sarkozy-bank-account-raid.html

“An inquiry is underway, the President of the Republic has filed a complaint,” government spokesman Luc Chatel told Radio J.

“We will see if there was fraud in a way in which the perpetrators can be sanctioned,” he added.

News that thieves had managed to take out money from Sarkozy’s bank account after obtaining his account number was first reported by the Sunday newspaper, Le Journal du Dimanche.

The thieves pirating the account likely “did not know that it was the president’s account,” a source close to the inquiry told AFP.

“This was a classic case of data piracy, likely by one or several low-level swindlers,” the source added.

The president’s office confirmed Sarkozy had filed complaints last month concerning the theft, which the newspaper quoted sources as saying involved only small amounts.

It “is not excluded” that Sarkozy’s bank might face some penalty over “misuse of personal data,” Chatel said.

“When one gives personal information to one’s bank, it is not so the information is used for marketing or recruiting purposes, or that it should be divulged here or there,” he added.

Source: http://www.news.com.au/heraldsun/story/0,21985,24525437-663,00.html

REDMOND, Wash. — In a windowless room on Microsoft’s campus here, T. J. Campana, a cybercrime investigator, connects an unprotected computer running an early version of Windows XP to the Internet. In about 30 seconds the computer is “owned.”

An automated program lurking on the Internet has remotely taken over the PC and turned it into a “zombie.” That computer and other zombie machines are then assembled into systems called “botnets” — home and business PCs that are hooked together into a vast chain of cyber-robots that do the bidding of automated programs to send the majority of e-mail spam, to illegally seek financial information and to install malicious software on still more PCs.

Botnets remain an Internet scourge. Active zombie networks created by a growing criminal underground peaked last month at more than half a million computers, according to shadowserver.org, an organization that tracks botnets. Even though security experts have diminished the botnets to about 300,000 computers, that is still twice the number detected a year ago.

The actual numbers may be far larger; Microsoft investigators, who say they are tracking about 1,000 botnets at any given time, say the largest network still controls several million PCs.

“The mean time to infection is less than five minutes,” said Richie Lai, who is part of Microsoft’s Internet Safety Enforcement Team, a group of about 20 researchers and investigators. The team is tackling a menace that in the last five years has grown from a computer hacker pastime to a dark business that is threatening the commercial viability of the Internet.

Any computer connected to the Internet can be vulnerable. Computer security executives recommend that PC owners run a variety of commercial malware detection programs, like Microsoft’s Malicious Software Removal Tool, to find infections of their computers. They should also protect the PCs behind a firewall and install security patches for operating systems and applications.

Even these steps are not a sure thing. Last week Secunia, a computer security firm, said it had tested a dozen leading PC security suites and found that the best one detected only 64 out of 300 software vulnerabilities that make it possible to install malware on a computer.

Botnet attacks now come with their own antivirus software, permitting the programs to take over a computer and then effectively remove other malware competitors. Mr. Campana said the Microsoft investigators were amazed recently to find a botnet that turned on the Microsoft Windows Update feature after taking over a computer, to defend its host from an invasion of competing infections.

Botnets have evolved quickly to make detection more difficult. During the last year botnets began using a technique called fast-flux, which involved generating a rapidly changing set of Internet addresses to make the botnet more difficult to locate and disrupt.

Companies have realized that the only way to combat the menace of botnets and modern computer crime is to build a global alliance that crosses corporate and national boundaries. On Tuesday, Microsoft, the world’s largest software company, will convene a gathering of the International Botnet Taskforce in Arlington, Va. At the conference, which is held twice a year, more than 175 members of government and law enforcement agencies, computer security companies and academics will discuss the latest strategies, including legal efforts.

Although the Microsoft team has filed more than 300 civil lawsuits against botnet operators, the company also relies on enforcement agencies like the F.B.I. and Interpol-related organizations for criminal prosecution.

Last month the alliance received support from new federal legislation, which for the first time specifically criminalized the use of botnets. Many of the bots are based in other countries, however, and Mr. Campana said there were many nations with no similar laws.

“It’s really a sort of cat-and-mouse situation with the underground,” said David Dittrich, a senior security engineer at the University of Washington Applied Physics Laboratory and a member of the International Botnet Taskforce. “Now there’s profit motive, and the people doing stuff for profit are doing unique and interesting things.”

Microsoft’s botnet hunters, who have kept a low profile until now, are led by Richard Boscovich, who until six months ago served as a federal prosecutor in Miami. Mr. Boscovich, a federal prosecutor for 18 years, said he was optimistic that despite the growing number of botnets, progress was being made against computer crime. Recent successes have led to arrests.

“Every time we have a story that says bot-herders get locked up, that helps,” said Mr. Boscovich, who in 2000 helped convict Jonathan James, a teenage computer hacker who had gained access to Defense Department and National Air and Space Administration computers.

To aid in its investigations, the Microsoft team has built elaborate software tools including traps called “honeypots” that are used to detect malware and a system called the Botnet Monitoring and Analysis Tool. The software is installed in several refrigerated server rooms on the Microsoft campus that are directly connected to the open Internet, both to mask its location and to make it possible to deploy software sensors around the globe.

The door to the room simply reads “the lab.” Inside are racks of hundreds of processors and terabytes of disk drives needed to capture the digital evidence that must be logged as carefully as evidence is maintained by crime scene investigators.

Detecting and disrupting botnets is a particularly delicate challenge that Microsoft will talk about only in vague terms. Their challenge parallels the traditional one of law enforcement’s placing informers inside criminal gangs.

Just as gangs will often force a recruit to commit a crime as a test of loyalty, in cyberspace, bot-herders will test recruits in an effort to weed out spies. Microsoft investigators would not discuss their solution to this problem, but said they avoided doing anything illegal with their software.

One possible approach would be to create sensors that would fool the bot-herders by appearing to do malicious things, but in fact not perform the actions.

In 2003 and 2004 Microsoft was deeply shaken by a succession of malicious software worm programs with names like “Blaster” and “Sasser,” that raced through the Internet, sowing chaos within corporations and among home computer users. Blaster was a personal affront to the software firm that has long prided itself on its technology prowess. The program contained a hidden message mocking Microsoft’s co-founder: “billy gates why do you make this possible? Stop making money and fix your software!!”

The company maintains that its current software is less vulnerable, but even as it fixed some problems, the threat to the world’s computers has become far greater. Mr. Campana said that there had been ups and downs in the fight against a new kind of criminal who could hide virtually anywhere in the world and strike with devilish cleverness.

“I come in every morning, and I think we’re making progress,” he said. At the same time, he said, botnets are not going to go away any time soon.

“There are a lot of very smart people doing very bad things,” he said.