Author Archive

Debian security flaws, more of them. But it's still so very safe, they keep telling us?

Wednesday, May 14th, 2008

Debian posted security advisory DSA-1571-1 (openssl — predictable random number generator) today and strongly advised users to take steps to avoid possible compromise of any system running Debian or one of its derivatives, such as Ubuntu.

The researcher Luciano Bello discovered a security flaw in Debian's random number generator that makes generated random numbers predictable. It was caused by an incorrect Debian-specific change to the openssl package. As a result, cryptographic key material may be guessable.

This problem not only affects Debian, but also all its derivatives, such as Ubuntu.

It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on affected systems is recreated from scratch. Furthermore, all DSA keys ever used on affected systems for signing or authentication purposes should be considered compromised.
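To see why "guessable" is the right word, here is an added toy model written for this page, not Debian's or OpenSSL's code. It assumes, as the model's simplification, that the only entropy surviving the bad change is the process id (bounded at 32767 on a 2008-era Linux box) and uses a short SHA-256 fingerprint as a stand-in for whatever a blacklist would store. It shows the key space collapsing to the PID count, why a complete blacklist of weak fingerprints was feasible, and the defender's check of a key against that blacklist:

```python
import hashlib
import os
import random

# Model assumption: the only entropy left is the PID, which on a 2008-era
# Linux system defaults to the range 1..32767.
PID_MAX = 32768


def weak_keygen(pid: int) -> bytes:
    """Toy stand-in for the broken Debian generator (NOT OpenSSL's PRNG).

    Key material depends on nothing but the PID, so any two processes that
    share a PID, on any machine, at any time, derive the same key.
    """
    rng = random.Random(pid)  # deterministic seed: the whole bug in one line
    return rng.getrandbits(256).to_bytes(32, "big")


def strong_keygen() -> bytes:
    """Properly seeded generator: 256 bits from the OS entropy pool."""
    return os.urandom(32)


def fingerprint(key: bytes) -> str:
    """Short SHA-256 fingerprint, as a blacklist would store it."""
    return hashlib.sha256(key).hexdigest()[:16]


def weak_fingerprint_set(pid_max: int = PID_MAX) -> set:
    """Every fingerprint the weak generator can ever produce.

    The whole space fits in memory because it is bounded by pid_max; that is
    what made a complete blacklist of weak keys practical.
    """
    return {fingerprint(weak_keygen(pid)) for pid in range(1, pid_max)}


def is_blacklisted(key: bytes, blacklist: set) -> bool:
    """Defender's check: does this key match a known-weak fingerprint?"""
    return fingerprint(key) in blacklist


def distinct_weak_keys(pids) -> int:
    """How many different keys a batch of weak generations actually yields."""
    return len({weak_keygen(pid) for pid in pids})


if __name__ == "__main__":
    blacklist = weak_fingerprint_set()
    print(f"weak generator can ever produce {len(blacklist)} keys")

    pids = [random.randrange(1, PID_MAX) for _ in range(100_000)]
    print(f"100000 weak generations -> {distinct_weak_keys(pids)} distinct keys")
    strong = {strong_keygen() for _ in range(100_000)}
    print(f"100000 strong generations -> {len(strong)} distinct keys")

    print("weak key blacklisted:  ", is_blacklisted(weak_keygen(4242), blacklist))
    print("strong key blacklisted:", is_blacklisted(strong_keygen(), blacklist))
```

The blacklist check is the shape of the remedy the advisory implies: every key created on an affected system has to be compared against the bounded set of possible outputs, and anything that matches, plus every DSA key that was merely used there, gets replaced.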

News Source: Debian Security Advisory DSA-1571-1


Red Hat gives up on desktop Linux!

Thursday, May 1st, 2008
Repost from http://absolutevista.com/blogs/absolutevista/default.aspx; check out his blog.
Red RHAT gives up on desktop Linux! Film at 11!

Really, though, who didn't see this coming?

Who?

The unwashed mob that is known as freetards collectively by the rest of the human race (and affectionately as the Linux-heads by the open source proletariat), really, truly, wanted this to work.

However, between what they wanted, and what works is something known as the wishes of the customer.

AKA, reality.

Too bad those clowns almost never seem to move out of the reality distortion field that is the echo chamber of their communities.

Lesson #1: The customer (however dumb-seeming) is ALWAYS right. Always!

Lesson #2: Ease of use matters. Segueing from #1 above, it does not matter if Linux distros are the most powerful things since fried bread, if Average John Joe cannot use it. Listen, the International CXT is the real man's pickup truck. However, since the Real Man cannot drive that monstrosity, a mere Silverado will have to do.

Lesson #3: Technical merits do not matter in day-to-day work. Microsoft learned this the hard way, and is still battling to reach the sweet spot at the intersection of ease-of-use and power. However, to hear these freetards put it, Linux is the most powerful OS out there. Zzzzzzzzzzz!

Lesson #4: Get out of your grannies' basements echo chambers of L-head communities and into the real world, and ask what people really want. What is also very problematic is the gang-tackling people get whenever they try to ask for help from the 'experts' in those communities: they get shouted away. Which is sooo helpful, right? While it is not unlike the Mactards, at least those Mactards have the elegance of OS X and the snob appeal that comes with it. These yobs do not. And do not realize that!

Lesson #5: No one wants to go trolling in your communities for drivers. "Anytime you want a driver, just go to the <insert URL/name here> to get it." That might be fine for hobbyists, but real-world it, and that precept falls down. Yeah, like I would do so in a consumer or business environment.

Lesson #6: No one (in his or her right mind) wants to recompile ***, OK? No one! Like #5 above, feel free to assume that Average Joe ain't gonna recompile jack. Ever!

Lesson #7: If it is so 'free', why charge more than commercial programs for service? You need to see the way these yum-yums are selling this to companies, especially in this recessionary period in the US of A, and to the Third World less-developed countries. It is free. No need to pay for anything? Well, unless you count our services as an expense. However, that little nugget of information is never explicit, just subdulously added to the contract. When it comes time to pay, and scales have fallen from the eyes of stunned buyers, do the ramifications of their signed contracts come into play. If not, how else do you explain the non-orders the OLPC received from numerous countries? After due diligence, they found out it would be far cheaper to pay more for a Microsoft Windows-based system initially than get a 'free' system for which it would cost them more over the long run for 'service' or 'maintenance' or whatever those yum-yums class their fleecing in their invoices.

Lesson #8: Open source is the ultimate lock-in. With the supposedly free entry, you are locked into this netherworld of incompatible file format hell. Like a drug addict, you can only move your data between shadowy niche products and vendors, always wondering when your supplier would be nabbed by the bankruptcy or irrelevancy constabulary. However, your 'helpful' open source professional would constantly tell you it is OK, regaling you with tales of how you are helping the planet or some similar BS. Don't drink the Kool-aid!

So far, Linux has fed off the UNIX ecosystem.

Correction, it has fed off the low-hanging fruit in that ecosystem.

The big dogs there have held their own. Look at the flat-lining growth curve for Linux, and extrapolate that to the real world.

The apologists for Linux would have you believe that each downloaded copy is recopied severally amongst systems.

Yeah.

Whatever!

A great American leader once said, "Trust, but verify."

Verify. Sounds simple, but something the freetards only want to happen when it comes to sales of Windows Vista. Just like their moronic attacks on the standardization of Open XML. It is good for the goose, but not for them, eh?

Red RHAT gives up on desktop Linux?

Like I give a (Red) RHAT's ass!

Like I have said time and time again, there will be no Linux revolution.

Believe that!

Important Outlook 2007 and Vista Users!

Thursday, April 24th, 2008


My setup: I have a Dell Precision 690, Windows Vista Ultimate, 64-bit.

After a day of being pissed off at Outlook 2007 because it won't stop auto-starting and showing up in Task Manager even after a hard kill task.

Issue: Outlook 2007 gets closed (End Task, Office Start Exit, X Close) and goes away on screen, but pops up in Task Manager again after a few seconds. I am trying to set up Outlook Anywhere 2007 to test a remote Exchange 2007 server, but I can't, because every time I try to run the Outlook 2007 Exchange setup it says Outlook must be closed. I close it, but it comes back in Task Manager!!! This is frustrating; I've had problems with Outlook 2007 not closing out of processes, but never where it comes back a few seconds later.


Make your guesses: what do you think it is?

I found out, after some words with the computer, that my Sidebar Outlook widget was at fault: even when you close Outlook, the widget auto-starts Outlook 2007 back up in the background within seconds for you. How nice. Turn off this widget and it's all better.


Microsoft fastest to issue OS patches, beats Linux with Sun Slowest

Friday, April 11th, 2008

Symantec's comprehensive security report on the malware industry from July 1 to December 31, 2007, is now available in its 100+ page glory. Symantec broke down information on patch development time by operating system and by the type of vulnerability encountered. Surprisingly, Microsoft had the shortest time-to-patch over both halves of 2007. In the first part of the year, Microsoft released 38 patches (two of which involved third-party applications) with an average deployment time of 18 days. From July to December, Microsoft released 22 patches with an average patch time of six days.

Red Hat came in second, at 32 days for the second half of the year and 36 days in the first half. That's quite a bit higher than Microsoft's average, but of the 227 vulnerabilities Red Hat patched in 2007, 226 of them involved third-party applications. Apple, Sun, and HP all lag well behind Microsoft and Red Hat, though the gap for each company differs significantly between the first and second halves of last year.

News Source: Symantec

White hat hackers infiltrate a power grid in one day

Thursday, April 10th, 2008

White hat hackers infiltrate a power grid in one day

By Tim Conneally, BetaNews

April 10, 2008, 3:31 PM

A team of experts headed by security guru Ira Winkler was hired by an anonymous power company to test the security of a power grid's network. The door was practically held open for them.

In a matter of hours, the team infiltrated the grid's supervisory, control and data acquisition (SCADA) networks using simple phishing tools: social engineering and browser exploits.


Social Engineering is seen by many as a glamorized confidence trick. The penetration team checked distribution lists for SCADA user groups, harvested appropriate email addresses, and then employed a simple trick to gain the targeted user's access. Employees were sent an e-mail about a plan to cut their benefits which included a link to a Web site with "more information." The address linked to a malware that granted the hackers remote access. The trick was effective within minutes.
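The lure described above works because the visible text of a link says one thing and its target says another. A defender-side check for exactly that, added here as an example that is not from the article or from Winkler's team (the sample e-mail, the trusted-domain list and all function names are constructed for this page), parses an HTML mail body and flags links whose target host is outside the organisation's domains or whose displayed URL does not match where the link actually goes:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Link text that itself looks like a URL or hostname (with optional path).
URL_LIKE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", re.IGNORECASE)


def host_of(url: str) -> str:
    """Hostname of a URL; bare 'host/path' text is treated as http://host/path."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def in_trusted(host: str, trusted_domains) -> bool:
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def suspicious_links(html: str, trusted_domains):
    """Return [(href, [reasons])] for every link a reviewer should look at."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        target = host_of(href)
        if target and not in_trusted(target, trusted_domains):
            reasons.append("link target is outside the trusted domains")
        if URL_LIKE.fullmatch(text) and host_of(text) != target:
            reasons.append("displayed URL host differs from actual target")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample in the style of the lure described in the article.
SAMPLE_EMAIL = """
<p>Due to cost pressures, management plans to cut employee benefits next quarter.
Read the <a href="http://benefits-update.example.net/login">full plan here</a>,
or review it on the intranet:
<a href="http://benefits-update.example.net/login">http://intranet.example.com/hr/benefits</a>.
HR portal: <a href="https://intranet.example.com/hr">intranet.example.com/hr</a></p>
"""
TRUSTED = ["example.com"]  # constructed: the organisation's own domains


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, TRUSTED):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

In the sample, the first two links are reported (the second for both reasons) while the genuine intranet link passes, which is the signal a mail gateway or a user-facing warning banner would act on.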


What could be done given the level of access these white hats obtained would not be limited to simply shutting down a grid, like a group of hackers managed to do for 17 days to a "practice network" in California in 2001. In comments to CNN last year regarding a leaked video of a staged hack that resulted in the self-destruction of a power generator, Joe Weiss of Applied Control Solutions said, "What people had assumed in the past is the worst thing you can do is shut things down. And that's not necessarily the case. A lot of times the worst thing you can do, for example, is open a valve — have bad things spew out of a valve."

Winkler says that these SCADA systems suffer the same vulnerabilities any system does that runs on the same standard operating system and server hardware. Companies have perpetuated the weakness of these systems by not performing important software upgrades because they would force downtime.

But a scheduled downtime is no doubt preferable to suffering the consequences of an exploit. Winkler stressed the seriousness of security in these systems while maintaining a lighthearted air to his job, "We had to shut down within hours," Winkler says, "because it was working too well. We more than proved that they were royally screwed."

Ten years ago Wired published an article called Hacking the Power Grid, which included the following: "With deregulation, there is an increasing interest in energy futures trades at the commodities exchange on Wall Street. [IBM senior consultant Nick] Simicich said hackers might use social engineering techniques to obtain passwords to computers with access to the networks containing sensitive information from these sources."

Apparently little has changed in a decade.

Microsoft and Yahoo! sites compared. Check it out. Numbers you can never find updated.

Tuesday, April 8th, 2008

Microsoft and Yahoo! sites compared: a quick look at the numbers

by Kip Kniskern on 04-08-2008

With all the talk about Microsoft's attempted acquisition of Yahoo!, and with a little help from Nielsen Online, we thought we'd make a quick comparison of some of the main features of both services.  I asked Nielsen if they could supply audience numbers to a sampling of sites from both, and then played a bit with Excel to produce this quick look:

[Image: Microsoft vs. Yahoo! unique audience comparison, February 2008]

source: Nielsen Online "Unique audience includes anyone who visited the site at least once during the month, and anyone who visited the site more than once was not counted again."

Accurate audience measurement numbers are hard to come by, and we've noted some differences in the market rating services before (and more on that coming up), but at least this gives an apples to apples comparison of audience numbers (and note that this isn't market share, but unique audience).

The purpose of this little exercise was not to show trends, or make comparisons to other sites/properties, but just to get a bit of a handle on where the two companies sit in relation to each other, and what a potential joining of forces might mean.

For clarity, here's the February raw numbers, supplied by Nielsen:

Site                          Unique audience, Feb-08
MSN Homepage                  46,093,000
Yahoo! Homepage               65,832,000
MSN/Windows Live Messenger    23,862,000
Yahoo! Messenger              21,763,000
MSN/Windows Live Search       42,082,000
Yahoo! Search                 55,312,000
MSNBC Digital Network         34,013,000
Yahoo! News                   35,274,000
Windows Live Hotmail          39,616,000
Yahoo! Mail                   58,657,000

from http://www.liveside.net/


SQL 2k5 has a 98GB log file for WSS3. But diag is set to errors only and we backup daily to an external hd

Tuesday, April 1st, 2008

I've been searching for days for why our server with 200GB of space, just running DC and SQL, is out of space. I found a 98GB log file with a 9GB data file. Where is the setting in SQL to fix this? I checked WSS3 and it's set to Errors and unexplained only.


Changed to simple and the file went from 97GB to 500KB.


Hmm, funny I didn't hear about this anywhere else.

Saturday, March 29th, 2008

Jeremy Kirk, IDG News Service Thu Mar 27, 12:59 PM ET

Apple's teasing commercials that imply its software is safer than Microsoft's may not quite match the facts, according to new research revealed at the Black Hat conference on Thursday.


Researchers from the Swiss Federal Institute of Technology looked at how many times over the past six years the two vendors were able to have a patch available on the day a vulnerability became publicly known, which they call the 0-day patch rate.

They analyzed 658 vulnerabilities affecting Microsoft products and 738 affecting Apple. They looked at only high- and medium-risk bugs, according to the classification used by the National Vulnerability Database, said Stefan Frei, one of the researchers involved in the study.

What they found is that, contrary to popular belief that Apple makes more secure products, Apple lags behind in patching.

"Apple was below 20 [unpatched vulnerabilities at disclosure] consistently before 2005," Frei said. "Since then, they are very often above. So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple."

It's generally good for vendors to have a software fix available when a vulnerability is disclosed, since hackers often try to find out where the problem is in order to write malicious software to hack a machine.

For a vendor to have a patch ready when the bug is detailed in public, it needs to get prior information from either its security analysts or external ones. Otherwise the vendor has to hurry to create a patch, but that process can be lengthy, given the rigorous testing needed to test the patch to ensure it does not conflict with other software.

Apple only started patching 0-day vulnerabilities in late 2003, Frei said.

"We think that Apple had fewer vulnerabilities early on, and they were just surprised or not as ready or not as attentive," Frei said. "It looks like Microsoft had good relationships earlier with the security community."

Over the past few years, Microsoft has tried to cultivate a closer relationship with the security community in order to encourage researchers to give it a heads-up about software problems. Apple, however, doesn't appear to have that same sort of engagement yet, and, "based on our findings, this is hurting them," Frei said.

Curiously, both vendors' abilities to have 0-day patches ready at disclosure seemed to dip in the six months before a major product release. That trend was most pronounced in 2004 and 2005. Frei theorized that the buildup to big software releases took away software engineering resources.

Andrew Cushman, director of Microsoft's Security and Research, said he couldn't pinpoint what might cause that trend. But in 2004 and 2005, Microsoft had a rash of vulnerabilities pop up in its Office products that it did not get advance notice of, which may have contributed to a higher percentage of unpatched publicly disclosed bugs.

However, the study proved to be such a glowing affirmation of Microsoft's increased focus on security in the past few years that it prompted Cushman to ask Frei, "Did Microsoft fund this research?"

"This is independent academic research," Frei replied.

But they keep telling us it's so safe and it's the best?

Thursday, March 27th, 2008
Contributed by Aleck79 via Web-User

An Argentinian security researcher has discovered two flaws in Apple's Safari for Windows browser. Juan Pablo Lopez Yacubian said the vulnerabilities could allow hackers to remotely take control of a victim's computer. He described the most serious flaw as a vulnerability in the Safari 3.1 browser for Windows which allows a hacker to "falsify the web address and enter another page or content".

This essentially means that even though you see a trusted URL in the browser address bar, the web page could be displaying unauthorized content that could put your PC at risk.

Link: Read More at Web-User

Outlook 2007 diag tool (Ctrl+right click on Outlook taskbar icon next to time)

Thursday, March 20th, 2008

This is a great tool and saved me a great deal of time.