Email and Forum Profiles in IT: Jeff Hawkins Vista Service Pack 1 (SP1) Update Observations by Microsoft Security Advisor Software Award Scams April Fool's Jokes CanSecWest Hacking Contest Nvidia Responsible for Most Vista Crashes TPMS Can Be Track Your Car
Email from Tom: Dear Dr. Shurtz, China is going to control the weather for the 2008 Olympics in Beijing? That’s one of the best April Fool jokes I’ve heard in a long time! Tom
Tech Talk Answers: Tom, this weather control is real. I checked a number of sources in China, including the China Daily. I also checked with my neighbor who runs the CSC office in Beijing. They have been using cloud seeding for over a decade to end droughts in certain regions of China.
Email from Peter: Dear Tech Talk, I would like to set up a dual or triple boot system at home. I would like to Run Windows XP and Mac OS and Linux. What are my options? What do you recommend? What about using virtualization software like VMWare? Love the show. Peter
Tech Talk Answers: Each operating system needs to be installed on a different partition. Then use a boot manager to select which partition you want to boot to. Partition Boot Manage 1.08 is a good choice. You can create Partitions using Partition Magic 8.0. It is easy to use and my favorite.
If you have an Apple Mac with an Intel chip you can use Apple Boot Camp to dual boot to either MacOS or Windows.
There are more options now with VMWare where you can allow each operating system to be a virtual machine. They can actually operating at the same time. You can download a free copy of VMPlayer (http://www.vmware.com/products/player/). This is your best learning opportunity. Virtualization is the future of scalable computing.
Profiles in IT: Jeff Hawkins
He is co- founder of Palm Computer and Handspring.
Jeff Hawkins was June 1, 1957 in Huntington, NY.
Hawkins grew up with an inventive family on the north shore of Long Island. They developed a floating air cushion platform that was used for waterfront concerts.
He received a BSEE degree from Cornell in 1979.
He went to work for Intel and then moved to GRiD Systems in 1982 where he developed Rapid Application Development (RAD) software.
Hawkin’s interest in pattern recognition for speech and text input to computers led him to enroll in the biophysics program at the UC Berkeley in 1986.
He patented a "pattern classifier" for hand written text.
His PhD proposal was rejected because none of the professors interested.
He went back to GRiD where he developed a pen-based computer called GRiDPad.
Hawkins wanted to develop of a smaller, hand-held device.
GRiD executives were reluctant to take the risk.
Tandy was willing to support Hawkins in a new venture company.
Palm Computing was founded in January, 1992 (first product Zoomer)
Zoomer failed due to poor character recognition software.
Hawkins developed with Graffiti, a pattern program program that ran on both the Zoomer and the Newton. He also developed HotSync synchronization.
He brought the Palm Pilot to market in 1996 (with U.S. Robotics backing)
Hawkins left Palm to start Handspring in 1998.
Their first product was Handspring Visor in September 1999.
Handspring merged with Palm in March 2000.
His true interest was actually brain theory.
In June 1979 he read a special issue of Scientific American on the brain. Francis Crick lamented the lack of a grand theory explaining how the brain functions.
He attempted to start a new department on the subject Intel, but was refused.
He also unsuccessfully attempted to join the MIT AI Lab.
He eventually decided he would try to find success in the computer industry.
In 2002, Hawkins founded the Redwood Neuroscience Institute. This Institute was moved to UC Berkeley and renamed Redwood Center for Theoretical Neuroscience.
In 2004, Hawkins published On Intelligence laying out his "memory-prediction framework" of how the brain works.
His unified theory of the brain argues that the key to the brain and intelligence is the ability to make predictions about the world by seeing patterns.
In 2005 Jeff Hawkins, (with Donna Dubinsky and Dileep George) founded Numenta.
Numenta is developing pattern recognition software and hardware for Hierarchical Temporal Memory.
Application exploits, Web 2.0, and virtualization security are big concerns
One trend that pops out is that attackers are increasingly laying off operating systems and exploiting applications instead.
The reason for this is that vendors like Microsoft, Apple and Red Hat have done a good job in recent years securing the IP stack and operating system.
The first operating system hardening guide Microsoft wrote for Windows 2000 came 18 months after shipment of the product.
XP Service Pack 2 was released within 90 days of product shipment.
With Vista and other new products, Microsoft ships the hardening guide along with the product.
Microsoft has made fixes to older products, such as Office 2003, but that it’s a lot harder to retrofit an old product for a new environment than it is to build a newer product, say Office 2007, more securely.
Another thing that worries Arsenault: security issues surrounding Web 2.0, Web services and software as a service. ?They all rely on deeper trust at the client level and a smarter client to do that trust model.?
Danger signs are also emerging when it comes to securing virtualized systems.
Trojans are on the rise.
Rootkits are raising their ugly heads, but fortunately, they’re so hard to write that they probably won’t get too much worse.
Where do the attacks originate?
Just over half of all attacks originated from the .edu domain. That’s a fundamental problem. We’ve got to do a better job with the university systems to stop that.
As for geographically where attacks are coming from, all eyes are on China, the source of 380% more attacks than a year ago.
Software Award Scams
Fake software product wins 23 awards at latest count
The program was a text files with the words: ?this program does nothing at all? repeated a few times and then renamed as an .exe.
The PAD file that described the software contains the description ?This program does nothing at all?.
Even the name of the software, ?awardmestars?, was a bit of a giveaway.
The obvious explanation is that some download sites give an award to every piece of software submitted to them. In return they hope that the author will display the award with a link back to them.
This practice is blatantly misleading and dishonest.
April Fool’s Jokes
Google Australia announced gDay, a feature which can access web pages before they are created.
Google also introduced a new feature called "Gmail Custom Time."
Google, along with Sir Richard Branson announced ‘Project Virgle’, with the goal of creating a permanent human settlement on Mars.
Google introduces a scratch-and-sniff feature for certain books on Google books
The HackThisSite and RootThisBox websites changed their sites to make users think that they had been hacked, by adding a false PHP script that emulated system() or passthru() execution of a GET variable. After the execution of a ‘command’ there was a comment in the HTML source pointing them to another PHP page which set a cookie that allowed them to access the real pages.
Microsoft’s Vista hacked on third day using Adobe Flash vulnerability.
Apple MacBook hacked the second day using Safari browser vulnerability
Contest rules
Limit one laptop per contestant.
You can’t use the same vulnerability to claim more than one box, if it is a cross-platform issue.
Thirty minute attack slots given to contestants at each box.
Major web browsers (IE, Safari, Konqueror, Firefox), widely used and deployed plugin frameworks (AIR, Silverlight), IM clients (MSN, Adium, Skype, Pigdin, AOL, Yahoo), Mail readers (Outlook, Mail.app, Thunderbird, kmail) are all in scope.
The first day of the contest, hackers were only allowed to hack into the computers over a network. No one was able to claim the prizes.
On the second day, the rules changed. Contestants were allowed to use the machines to visit Web sites and open e-mail messages.
That rule change made it possible for Charlie Miller, a researcher at Independent Security Evaluators, to hack the MacBook Air using the Safari browser within two minutes.
But the Vista and Ubuntu laptops seemingly remained airtight. On the third day of the contest, the judges again broadened the rules, opening up the scope beyond just default installed applications on those laptops to any popular third-party application, such as Adobe’s Acrobat Reader, the Firefox browser, and voice-over-IP program Skype.
Macaulay installed Adobe Flash on the laptops and proceeded to compromise it.
Nvidia Responsible for Most Vista Crashes
Data provided by Microsoft has revealed that NVIDIA was responsible for 28.8% Windows Vista falls during an unspecified period in 2007 – more than any other company.
Microsoft itself was the next worst offender, to the 17.9% of the crashes.
AMD and Intel were much lower at 9.3% and 8.8% respectively.
The cause of 17% of the crashes is unknown, while other companies accounted for 18.5% of total crashes.
The data were collected from Microsoft, and was ordered to be made available to the public by a judge in relation to the ongoing ?Vista Capable? court case.
TPMS Can Be Track Your Car
Tire Pressure Monitory Systems (TPMS) lets on-board vehicle computers measure air pressure in the tires.
In April 2005, National Highway Traffic Safety Administration issued a rule requiring automakers to install TPMS sensors in all new passenger cars and trucks starting in September 2007.
In a typical TPMS, each wheel of the vehicle contains a device (TPMS sensor) – usually attached to the inflation valve – that measures air pressure and, optionally, temperature, vehicle state (moving or not), and the health of the sensor’s battery.
To differentiate between its own wheels and wheels of the vehicle in the next lane, each TPMS sensor contains a unique id.
The vast majority of TPMS sensors transmit information in clear text using one of the assigned radio frequencies (typically, 315MHz or 433MHz).
Each wheel of the vehicle transmits a unique ID, easily readable using off-the-shelf receiver. TPMS cannot be turned off.
With minor limitations, TPMS can be used for the very purpose of tracking your vehicle in real time with no substantial investments!
A high-school kid with passion for electronics can assemble a device that will trigger the detonator when the right vehicle passes by.
If they add functionality to encrypt the communication channel, the problem will go away. Note the similarity to the keyless entry remote controllers.