Test the latest Internet Explorer Bug

Impressive, eh? What you’re experiencing is the latest security bug (as reported by ZDNet and many others). This is very severe, as it would be easy to direct you anywhere while you think you’re accessing, say, PayPal or your online banking account.

This exploit takes advantage of the fact that a username and password may precede the domain name for HTTP authentication. The following URL, for example, would authenticate the user foo with the password secret on the site barnesandnoble.com:

 http://foo:secret@barnesandnoble.com 

Still, you would see all that information in the URL. But you may omit the password, and the username may look like a URL:

 http://<url-looking-username>@barnesandnoble.com 

This may still look confusing, and may actually mislead users, but the information is still there. However, if right before the “@” you insert an ASCII 1 followed by an ASCII 0, everything after (and including) the “@” will be omitted. Of course, this happens only if you use IE. So go ahead and download Mozilla today!
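To make the point concrete from the defender’s side, here is an added Python example (not code from the original post) that parses the authority part of a URL the way RFC 3986 defines it, reports the host the browser would really connect to, and flags the two tell-tale signs described above: a username that looks like a hostname, and control characters sitting in front of the “@”. The sample URLs, the "www.paypal.com" lookalike username and the ie_address_bar_rendering model of the truncation are all constructed for this example.

```python
import re

# Constructed sample URLs for this example (not from the original post).
SAMPLES = {
    "plain":     "http://barnesandnoble.com/",
    "userinfo":  "http://foo:secret@barnesandnoble.com/",
    "lookalike": "http://www.paypal.com@barnesandnoble.com/",
    # ASCII 1 followed by ASCII 0 right before the "@", as the post describes.
    "control":   "http://www.paypal.com\x01\x00@barnesandnoble.com/",
}

# C0 control characters plus DEL have no business inside a URL authority.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def split_authority(url):
    """Return (userinfo, host) for an absolute URL.

    The authority runs from '://' to the first '/', '?' or '#'.  Per RFC 3986
    everything before the LAST '@' in it is userinfo; the real host follows.
    """
    sep = url.find("://")
    if sep < 0:
        raise ValueError("not an absolute URL: %r" % url)
    rest = url[sep + 3:]
    end = len(rest)
    for stop in "/?#":
        pos = rest.find(stop)
        if pos >= 0:
            end = min(end, pos)
    authority = rest[:end]
    userinfo, at, hostport = authority.rpartition("@")
    if not at:
        userinfo, hostport = None, authority
    if hostport.startswith("["):            # bracketed IPv6 literal, keep as-is
        host = hostport[: hostport.index("]") + 1]
    else:
        host = hostport.split(":", 1)[0]    # drop an optional :port
    return userinfo, host.lower()


def real_destination(url):
    """The host the browser actually connects to, regardless of what is displayed."""
    return split_authority(url)[1]


def assess(url):
    """Flag the userinfo tricks the post describes; returns host and findings."""
    userinfo, host = split_authority(url)
    findings = []
    if userinfo is not None:
        findings.append("userinfo present")
        if _CONTROL.search(userinfo):
            findings.append("control characters in userinfo")
        username = userinfo.split(":", 1)[0]
        if "." in username:
            findings.append("username looks like a hostname")
    return {"host": host, "userinfo": userinfo, "findings": findings}


def ie_address_bar_rendering(url):
    """Simplified model (an assumption, not measured behaviour) of the display bug
    the post describes: with ASCII 1, ASCII 0 before the '@', everything from
    the control characters onward is dropped from the address bar."""
    idx = url.find("\x01\x00@")
    return url if idx < 0 else url[:idx]


if __name__ == "__main__":
    for name, url in SAMPLES.items():
        result = assess(url)
        print(f"{name:10s} shown as {ie_address_bar_rendering(url)!r}, "
              f"connects to {result['host']}, findings: {result['findings']}")
```

Running the block prints, for each sample, what a buggy address bar would show next to the host a correct parser extracts; a proxy or mail filter that applies assess() to links can reject any URL with userinfo, which is almost never legitimate in links sent to end users.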

Virus on Windows-based ATM

Running Windows XP on an ATM strikes me as a pretty stupid idea! What’s even scarier than that is the company behind all this – Diebold. They’re the ones who are supposed to deliver the e-voting machines for the next election. They already had a number of issues with their voting machines. Fortunately, advocates are paying attention, and there is a strong push for more security. Check Slashdot for the latest scandal.

Munich decides for Linux

Well, initially both offers were very similar, but the Linux offer made more sense strategically. And then Microsoft lowered their price twice, and Microsoft CEO Steve Ballmer even showed up in person! No luck: the council voted 50:30 for Linux.


Philadelphia! My employer decided to establish the headquarters there (when I joined, there was still hope that it would be Cambridge/Boston), and I chose to move. So far, so good. I still have to get used to using the car to get places (rather than bicycle or public transportation), and the city certainly doesn’t have the intellect of Boston or the charm of San Francisco, but New York City is just over an hour away, and they have some decent coffee houses here. So I’ll be fine for a while.

SCO vs. Linux

Personally I think this lawsuit, like so many others, won’t go anywhere. It seems to me like one of those cases where the lawyers of a dying company desperately try to leech off someone else’s intellectual property. Considering the coverage it gets (on Slashdot, through Eric Raymond, etc.), I am sure that they will eventually back off and die quietly.

Acquisitions – the never ending story…

YesMail has now been acquired by infoUSA, a big direct-marketing player with many brands, including Donnelly Marketing, Walter Karl and ClickAction. I wonder how much of the original technology is still there.

Where is Concurrent today?

To sum it up, we have money in the bank, we have a management team, and we have a huge space to fill with people. I am one of the few people still working in the Cambridge office. Considering how the economy is doing, Concurrent seems to do rather well.

Can you secure Windows for Internet Cafes?

Guess what: it usually took me less than ten minutes to run Putty. I am not a hacker; I am a power user at best. It’s just that Windows doesn’t provide a mechanism to control execute access. I recall three instances where I ran Putty:

  • At Kinko’s I could run Putty after renaming it to “notepad.exe”.
  • At an airport Internet terminal, I could double-click the file I had downloaded to the desktop. Before I could get to the file, I had to disable Active Desktop, which had kept it out of sight.
  • At EasyInternet in Times Square in New York, I saved the file, saved it a second time, and when the “Save as…” dialog popped up, I could right-click the previously saved copy of Putty and select “Open”, which executed it.

Ask yourself whether you consider executing any application a security risk (even if other resources like the hard drive are secured). I think it is, as this really allows anybody to launch truly untrackable attacks.

Halloween VII

The title is “Attitudes Towards Shared Source and Open Source Research Study”, and the memo discusses Microsoft’s strategy towards Linux and OSS. The study looks at the effectiveness of past Microsoft strategies: (1) they discover that bad-mouthing OSS doesn’t work; (2) they discover that their Shared Source model could be effective, but few people know about it.

Second, they explored the reasons why people use OSS. The top two reasons were (1) for lower TCO (Total Cost of Ownership), and (2) as an alternative to Microsoft.

This puts Microsoft in a tough position. It’s not easy to offer a lower TCO – especially for the more successful OSS projects (like Linux or Apache). If this memo can be taken seriously, I would expect to see more talk about Shared Source in the future. It will be interesting to observe the next moves from Redmond.

The $200 AOL Computer running Lindows

It is nice to see this transformation of the software industry. Finally something is happening that should have happened a long time ago: operating systems are becoming a commodity.