A team of computer scientists has published source code that can in some circumstances bypass encryption used in Microsoft's BitLocker and Apple's FileVault and be used to view the contents of supposedly secure files.
We reported in February on their research, which describes how the contents of a computer's memory could be dumped to a hard drive and the encryption keys forcibly extracted.
The source code includes tools for imaging the target computer's memory through USB and Netboot, and analyzing the memory image to extract AES and RSA encryption keys, even if they're partially degraded. It was published to coincide with the Last HOPE hacker conference over the weekend in New York, where research team member Jacob Appelbaum gave a presentation.
This collection of utilities will be of special interest to security researchers and computer forensics specialists working in or for law enforcement. It allows police to seize a computer with an encrypted volume mounted that may be asleep or locked with a screensaver, plug in a UPS, and eventually extract its memory and encryption keys.
If you're worried about this threat or the possibility of nosy border guards rummaging through your files, unmount your encrypted volumes when you're not using them or, better yet, completely power down your computer.
As more people use encryption--FileVault is built into all recent versions of OS X--finding ways to respond to it will become more of a challenge for law enforcement. In December, a federal judge ruled a man charged with transporting illegal images could not be forced to turn over his PGP pass phrase.
Shopping sites are coming out of the woodwork these days--or, in the case of Pricefish.com, perhaps it's out of the aquarium.
Bad puns aside, we have to wonder about the wisdom behind this latest entry into the increasingly crowded consumerism field. According to a spokesperson, Pricefish "teaches consumers how to shop, how to succeed in the art of shopping." But while the site touts such features as video and audio tips, it apparently lacks any of the social-networking aspects that increasingly seem almost required components of modern shopping services.
But perhaps most questionable of all is the name itself: Pricefish. Given all the concerns about phishing scams, it strikes us as curious that a consumer company would choose to have the word "fish" in its name--no matter how it's spelled. The unsolicited e-mail pitch we received even bore this subject line: "Fishy shopping site advises consumers on how to buy smart."
Until we opened it, we thought it was a reader tip about another scam.
The chairman of the U.S. House Foreign Affairs Committee is summoning Yahoo Chief Executive Jerry Yang to Washington to talk about "how the Internet company gave false information to Congress about its role in a human rights case in China that sent a journalist to jail for a decade," according to a release from the committee chairman's office.
Chairman Tom Lantos has asked Yang and Yahoo General Counsel Michael Callahan to appear at a hearing on November 6.
"Our committee has established that Yahoo provided false information to Congress in early 2006," Lantos said in the statement.
A Yahoo spokeswoman released a statement saying that Callahan's testimony was accurate. The company has said that the testimony was accurate at the time it was given in February 2006 and that executives only learned what the investigations were related to after that time.
"The House Foreign Affairs Committee's decision to single out Yahoo and accuse the company of making misstatements is grossly unfair and mischaracterizes the nature and intent of our past testimony," the statement said.
"As we have made clear to Chairman Lantos and the Committee on Foreign Affairs, Yahoo has treated these issues with the gravity and attention they demand," the statement continued. "We are engaged in a multi-stakeholder process with other companies and the human rights community to develop a global code of conduct for operating in countries around the world, including China. We are also actively engaged with the Department of State to assist and encourage the government's efforts to deal with these issues on a diplomatic level."
Yahoo has been sued by several Chinese political dissidents who complained that Yahoo provided information to the Chinese government that led to their imprisonment for allegedly distributing state secrets over the Internet. One man, Shi Tao, was arrested in 2004 by Chinese officials after Yahoo cooperated with a request to provide information about the Yahoo Mail customer.
Callahan testified last year that Yahoo did not know the nature of the Chinese investigation when it provided information about Shi.
Lantos ordered a probe into the matter in August after the Dui Hua Foundation, a human rights group that focuses on China, released a document that it said shows that the Beijing State Security Bureau had told Yahoo in writing that Shi was suspected of "illegal provision of state secrets to foreign entities."
Microsoft is working on a new development language, called 'D,' which will make it easier to model applications, Mary Jo Foley at ZDNet reports.
Her post describes D as a "declarative language aimed at non-developers."
Modeling and end-user programming are big themes in Microsoft's development tools work.
By creating models of applications, developers can speed up their development time and make it easier to deploy and operate those applications once they are live.
End-user programming, a long-held idea, is getting more realistic in the days of mashups where people combine data from different Web feeds onto a single Web page.
Last year, Microsoft's developer group released Popfly, which is a mash-up builder. It's a visual application creation tool, but it's also meant to introduce basic concepts of programming.
On Wednesday, as predicted, the rain came. I must say I don't think I've sported this much Gore-Tex outside of hiking trips. Thunderstorms had been on the horizon for New York, and despite rampant rumors that Steve Jobs can control the weather, they still came. Around the 5th Avenue Apple Store, drainage isn't too good, so parts of the stone courtyard outside the Early Show studios were half an inch deep in water.
But that didn't do anything to break up the line of enthusiasts waiting for the iPhone launch at 6 PM on Friday.
I hadn't dropped by the Apple Store this afternoon because I was busy talking into a box. So when I showed up again after dark in the rain, the line that had been six people long 24 hours ago had now lengthened to 14. The male-female ratio is about 4:1, and just about everyone is somewhere in their 20s. Everyone was huddled under umbrellas, and thankfully, it looks as though there was plenty of rain gear around.
I'm also hearing that one guy in line knows how to get access to a shower in an apartment nearby, so things haven't been quite as, uh, pungent as they could be.
Amazon.com has axed a number of features on its A9 search engine as part of a redesign of www.a9.com, an Amazon.com spokesman said on Monday.
Amazon.com has dropped support for the A9 toolbar, yellow pages, search history, diary and bookmarks tools, as well as its maps tools, including its street-level mapping feature.
Meanwhile, the new redesigned interface launched Friday offers new ways to search sources and a continuous scrolling feature that eliminates the need to hit "next" to see results on additional pages.
"A9 is shifting its priorities to areas where it can provide the greatest benefit for customers," Amazon.com spokesman Drew Herdener said in a statement.
The writing for A9 was on the wall when Google hired A9 Chief Executive Udi Manber in February.
Back in the 1990s when the original PCI I/O bus was getting a bit long in the tooth, two disparate groups of vendors proposed solutions to the problem. Compaq, IBM and Hewlett-Packard championed a standard called Future I/O, while Intel, Microsoft and Sun Microsystems pushed a competing technology called Next Generation I/O. In an unusual act of solidarity, the two groups got together, compromised on their differences, and came up with a jointly developed technology called Infiniband.
In simple terms, Infiniband is a switched I/O channel that connects processors to other processors and high-speed peripherals like disk drives. The best industry analogs are mainframe channel technologies ESCON and FICON.
When it was first proposed, Infiniband seemed like a much better solution than either Ethernet or Fibre Channel. Infiniband proponents claimed that Gigabit Ethernet was too slow and TCP/IP too processor-intensive for computer operations and I/O. As for Fibre Channel, the thought was that it would die because of pure economics. As companies like Cisco, HP and Nortel produced tons of Infiniband devices and millions of ports, Infiniband price/performance would leave Fibre Channel in the dust.
Fast-forward to today and Infiniband has to be seen as a mere footnote in the annals of technology. Yes, I realize that the technology exists and is deployed in lots of high-performance computing environments, but rather than become an industry staple, Infiniband is an extremely esoteric technology. In the meantime, high-density 10Gb Ethernet switches from Extreme, Foundry, Force 10 and, of course, Cisco are becoming staples in today's virtual data centers serving SOA and Web 2.0 applications, while fast processors and TCP off-load chips eliminate all the fuss over chatty and slow IP packet processing.
I'm sure someone will respond to this blog by telling me that Infiniband is far more prevalent than this and that I am a moron for suggesting otherwise. Before someone does this, however, I suggest that they scan through the past three months of CNET articles and see how many times they can find a reference to Infiniband. Few, if any.
I can't help but think that Infiniband may be the next ATM, Token Ring or Betamax--a superior technology that never gained broad market penetration. I just wish I had 5 percent of the money spent on Infiniband development, technology evangelism and industry hyperbole.