Latest SP2 Flaw Bypasses IE Security Zone
source: eweek

Security researchers have discovered another vulnerability in Windows XP Service Pack 2, but it doesn't appear to be an immediate threat.

The researcher who uncovered the drag-and-drop flaw in Windows XP SP2 earlier in the week has reported that a new vulnerability exposes a hole in the lockdown of Internet Explorer's My Computer security zone.

The lockdown of the My Computer zone is one of the major security enhancements in SP2. Web pages in Internet Explorer run in one of several security "zones," each of which has different security rules. Prior to SP2, the My Computer zone, designed for Web pages stored on the computer itself, had extremely permissive rules. In order to take advantage of them, malware attacks frequently exploited vulnerabilities to get their Web-based pages to execute. Microsoft tightened the rules in SP2 to make it a less inviting target.

In the new attack, the use of an unconventional value in the "Content-Location:" field of an MHTML (MIME HTML) file causes the browser to execute the file in the Local Intranet zone, even though it is run from the local computer. This allows scripting operations that are not permitted in the local zone. MHTML files are a variant HTML format in which accessory files, such as images, can be stored as part of the file itself.

While this example does demonstrate a weakness in the local computer lockdown by Service Pack 2, the technique doesn't work in a standard HTML file delivered in a browser. Because the file must be downloaded by the user and executed locally, it is much harder to deliver to the user. It is, in a sense, no different from a threatening .exe file. It is possible that it could be blended in the future with other exploits of SP2 to create a true remote attack.
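Because MHTML is just a MIME multipart/related message, a defender can inspect a saved .mht file's part headers before it is opened locally. The following added example (not code from eWEEK or the original advisory) walks an MHTML archive with Python's standard email parser and flags any part whose Content-Location is missing or is not an absolute http(s) URL; that acceptance rule, the sample archive and the function names are this example's own assumptions, not the advisory's exact trigger value.

```python
"""Flag unusual Content-Location headers in an MHTML (.mht) archive.

Added illustration, not code from the original article. MHTML is a MIME
multipart/related message, so the standard `email` package can walk its parts.
The rule "only an absolute http/https URL is conventional" is an assumption
made for this example.
"""
from email import policy
from email.parser import BytesParser
from urllib.parse import urlsplit

CONVENTIONAL_SCHEMES = {"http", "https"}

# Constructed sample archive: one part with an ordinary web Content-Location
# and one part whose Content-Location is not a normal absolute URL.
SAMPLE_MHT = b"""Subject: Example saved page
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_BOUNDARY"

------=_BOUNDARY
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Location: http://www.example.com/index.html

<html><body>hello</body></html>
------=_BOUNDARY
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Location: odd-value-with-no-scheme

<html><body><script>document.title = "zone check";</script></body></html>
------=_BOUNDARY--
"""


def is_conventional_location(value: str) -> bool:
    """True when the Content-Location is an absolute http(s) URL with a host."""
    parts = urlsplit(value.strip())
    return parts.scheme.lower() in CONVENTIONAL_SCHEMES and bool(parts.netloc)


def find_suspicious_locations(mht_bytes: bytes) -> list:
    """Return (part_index, content_type, content_location) for every body part
    whose Content-Location is absent or not a conventional absolute web URL."""
    msg = BytesParser(policy=policy.default).parsebytes(mht_bytes)
    findings = []
    for index, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue  # the multipart container itself carries no body
        location = part.get("Content-Location")
        if location is None or not is_conventional_location(location):
            findings.append((index, part.get_content_type(), location))
    return findings


if __name__ == "__main__":
    for index, ctype, location in find_suspicious_locations(SAMPLE_MHT):
        print(f"part {index}: {ctype} has unusual Content-Location {location!r}")
```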


 

Citigroup Building In Midtown Reopens To The Public
Source: NY1

Yea for NYC2600!
Business owners who have space in the Citigroup building in Midtown Manhattan are breathing a sigh of relief, as the building's concourse was reopened to the public Friday.

The first floor was closed off for more than two and a half weeks. The Citigroup building was one of the buildings singled out by federal officials in their recent terror warning.

While the target appears to be the financial business in the tower, tight security has kept visitors out of the retail space and the building's atrium.

Visitors now should expect to show identification and have bags and packages screened before walking in through two secure entrances.

The decision to close and now reopen the atrium wasn't made by the police or the Department of Homeland Security, but by Boston Properties, the company that manages the Citigroup tower.

"We want the public to come back and enjoy this wonderful space," said Robert Selsam of Boston Properties. "People can come and pick up a newspaper, drop off their film, buy a tennis racket, get a coffee or lunch at any number of wonderful places."

Shops and restaurants have been taking serious hits to their business, with some deciding to shut down temporarily.

At the building's photo shop, owners say they went from developing about 150 rolls of film a day to about 15. At Moshe's cafe they say they went from making about 80 to 150 sandwiches a day to about a few dozen.

"We dropped about 75 to 80 percent," said Andreas Pappandreous, the owner of Cucina. "A lot of our customers do come from the surrounding buildings."

"I promised all my employees here that for the next five weeks they will get paid and they can have their jobs, but after that I don't know what I am going to do," said Dennis Liberatos, the owner of the Market Cafe.

When asked whether it would cut retailers a break on rent for the month of August, a spokesman for Boston Properties would only say that's a private matter between the managing company and the tenants who were affected for the last two and a half weeks.


 

Maxtor ships multimedia-friendly drive
source: CNET

The new DiamondMax 10 drives are designed to help people run multiple applications, such as games and music, without overwhelming their PC system.

Disk drive maker Maxtor on Monday said it is shipping a new desktop PC drive with up to 300 gigabytes of capacity. The drives include the relatively new serial-attached ATA interface and are designed to help consumers run multiple applications--such as games and music--at the same time without overwhelming their PC systems. Built to spin at 7,200 revolutions per minute, the DiamondMax 10 drives are ideal for storing high-resolution images, multimedia content, and personal and business information, Maxtor said. Seagate Technology and Western Digital also make desktop computer drives. Both Maxtor and Seagate posted losses for their most recent quarters.



 

Wal-Mart offers sub-$600 notebook
source: CNET

I am very curious about this one, I will probably buy
The retailer trots out a bargain portable PC that packs Wi-Fi. Is it getting ready for a laptop push for the holidays?

Wal-Mart Stores has begun selling a Wi-Fi notebook PC for less than $600, which analysts say could herald a laptop push by the retailer for the holiday season.

The retail giant began offering the wireless notebook, manufactured by Taiwan's Elitegroup Computer Systems, in late July for online sales only. It's listed at $598, without discounts or mail-in rebates.

Wal-Mart has traditionally sold only a limited number of notebook models, including laptops from Hewlett-Packard and Toshiba. Instead, it has concentrated its marketing efforts on desktop PCs, but it also sells lower-priced machines based on the Linux operating system.

The move suggests that Wal-Mart is evaluating new strategies to pump up notebook sales during the 2004 holiday season and possibly beyond, said Sam Bhavnani, an analyst with Current Analysis, a San Diego firm that tracks retail sales.
"It's a very entry-level configuration," Bhavnani said. "But it does have wireless, which makes it a very compelling offer. That's where this system will pose a threat (to brand-name PC makers) once it hits the shelf. The Wal-Mart customer is going to see it there, see the price and just buy it."
In addition to wireless, the ECS notebook comes loaded with a 14.1-inch display, an AMD Athlon XP 1600+ processor, 128MB of RAM, a 40GB hard drive, a DVD-drive, Wi-Fi 802.11b and Microsoft's Windows XP Home Edition operating system. It also carries a one-year warranty, according to Wal-Mart's Web site.

Although it's fairly common for stores to sell notebooks for as low as $500, the Wal-Mart offer stands out because it does not require customers to use discounts and mail-in rebates to get the PC for the $598 price.
Moreover, the ECS machine offered by Wal-Mart includes Wi-Fi, a feature that's become very popular on notebooks in general, but which many rock-bottom-priced systems still lack, Bhavnani said.
One potential shortcoming is that the Wal-Mart/ECS model has only 128MB of RAM, as opposed to the 256MB more common in competing systems. But first-time or budget buyers might be willing to overlook that, given the machine's price.

But in general, technology progression has lowered prices on PC components, which means that today's cheap notebook is much more capable and less costly than yesterday's budget machine. Most low-price notebooks can now burn CDs and can usually connect to wireless networks--features that were once reserved for high-end models that cost thousands of dollars.

Just two years ago, it took almost $1,000 to buy a machine such as Gateway's Solo 1450SE, which in June 2002 offered a 1.3GHz Intel Celeron chip, a 14.1-inch screen, 128MB of RAM, a 20GB hard drive and a DVD drive for $999 after a $100 mail-in rebate.

Lower prices have helped notebooks see a recent rise in popularity, and their sales are expected to grow faster than the overall PC market. Research firm IDC forecast that laptop computers will make up nearly half of all PC shipments in the United States and almost 40 percent of such shipments worldwide by 2007.

So it's no surprise that Wal-Mart, which sells sub-$300 desktops loaded with Linux, might want to explore the lower reaches of the notebook market, Bhavnani said. "At $600, you can basically guarantee they're going to sell all of those (ECS machines)," he said.

Although it's early to say whether laptop sellers should be worried--Wal-Mart carries a lot of weight with its nearly 2,900 stores and so-called supercenters--competition at the lower reaches of the notebook market is already quite stiff.

Retailer CompUSA, for one, is advertising a nicely loaded Hewlett-Packard Pavilion ze4805us notebook for $849, after $250 in instant and mail-in rebates. It comes with a 15-inch screen, Athlon XP 2800+ chip, 256MB of RAM, 60GB hard drive, Wi-Fi 802.11g and combination CD-burner/DVD drive. The offer is good through Aug. 21, according to the store's Web site.
Wal-Mart's retail site lists a nearly identical Pavilion ze4805WM-B model, which appears to lack Wi-Fi, for $928.

Even Dell has gotten into the low-price game. Its Inspiron 1000 notebook, introduced earlier this summer, starts at $899 before rebates. The most basic Inspiron 1000 configuration includes a 2.2GHz Intel Celeron processor, a 14.1-inch display, 256MB of RAM, a 30GB hard drive and a combination CD-burner/DVD-ROM. It does not include wireless (a $39 upgrade) and it offers a standard 90-day warranty (a one-year warranty is a $29 upgrade). However, Dell offered the machine with a $100 mail-in rebate and a free printer through Wednesday.


 

Peer-to-Peer Companies Win in Court
source: PC World

A U.S. federal appeals court ruled in favor of peer-to-peer software makers this week, stating that the companies behind the Grokster and Morpheus services are not liable for copyright infringement due to the actions of their users.
A three-judge panel of the 9th U.S. Circuit Court of Appeals unanimously backed a lower court ruling that Grokster, Streamcast Networks (maker of the Morpheus service, http://www.pcworld.com/news/article/0,aid,108762,00.asp), and Musiccity.com are not responsible for users who illegally copy or share content such as music and movies over their services.
"The peer-to-peer file-sharing technology at issue is not simply a tool engineered to get around" previous rulings against the Napster file-sharing service, wrote Judge Sidney R. Thomas in a ruling for the panel. "The technology has numerous other uses, significantly reducing the distribution costs of public domain and permissively shared art and speech, as well as reducing the centralized control of that distribution."
Latest Setback
The ruling is a further setback for the plaintiffs, including the Motion Picture Association of America, the National Music Publisher's Association of America, and the Recording Industry Association of America, which were appealing an April 2003 ruling (http://www.pcworld.com/news/article/0,aid,110444,00.asp) by U.S. District Court Judge Stephen Wilson.
The MPAA and RIAA both say in separate statements that they are reviewing the next legal steps to take, and they are widely expected to appeal the ruling to either the full 9th Circuit Court or to the U.S. Supreme Court.
Groups supporting the P-to-P networks (http://www.pcworld.com/resource/browse/0,cat,1711,sortIdx,1,00.asp), such as the Electronic Frontier Foundation and Public Knowledge, hailed the decision.
"This is a victory for innovators of all stripes," says EFF Senior Intellectual Property Attorney Fred von Lohmann in a statement from the group, which had argued on behalf of Streamcast. "The court's ruling makes it clear that innovators need not beg permission from record labels and Hollywood before they deploy exciting new technologies."


 

NYPD Closing Its Anti-Graffiti Unit
Source: NY1

I just thought this was funny
The NYPD is closing down its anti-graffiti unit.

A spokesperson says the unit will be merged with the Transit Bureau's Vandals Squad. The department says the consolidation will free up resources it can use elsewhere.

Police Commissioner Ray Kelly discussed the idea two weeks ago with top police officials.

Critics fear the move will allow graffiti to become prominent around the city like it was in the 1980s. Graffiti on subway cars has completely dropped off, but street graffiti is making a comeback in some areas.


 

Check your wait time with this new Web site
Source: USA TODAY

not sure to call this a blessing
Airline passengers trying to answer that $64,000 question (what time should I arrive at the airport?) have a new online tool, courtesy of the Transportation Security Administration.

The Web site (waittime.tsa.dhs.gov) lets travelers check average and maximum security checkpoint waits at any U.S. commercial airport for any day of the week, based on data collected by TSA over the previous month.

At the nation's top 40 airports, which account for 80% of passengers, peak wait times have been averaging about 10 minutes. But actual times can vary widely, even from one airport checkpoint to another.


 

From the privacy news:
E-passports to put new face on old documents
Source: CNET

Countries begin test programs--get ready for a facial scan the next time you take an overseas flight.

One of the basic forms of personal identification, the passport, is on the verge of taking on a new, high-tech identity.
A number of countries are about to launch trials of passports and visas that incorporate basic biometric information about the document holder alongside the traditional photo and passport number--data such as a digital image of the citizen's face that will be compared to a facial scan taken at the airport.

News.context
What's new:
Countries from Belgium to the United States are moving toward trials of passports that incorporate basic biometric data.

Bottom line:
Critics worry about identity theft and government surveillance, but proponents say the technology guards against those dangers and provides better protection against fraud and other crimes.


 

Hackers crashing GOP websites
Source: wired

Online protests targeting GOP websites could turn out to be more than symbolic during this month's Republican National Convention, possibly blocking a critical communications tool for the party.

In the past, activists have been able to shut down the website of, say, the World Economic Forum for a few hours. But the impact of such a takedown was nebulous at best: It's hard to argue the organization really suffered from a few-hour lag in posting its press releases online.

In this year's presidential race, however, campaign websites have moved beyond the margins. During John Kerry's acceptance speech in Boston last month, for example, his website was visited by 50,000 people an hour, according to comScore Networks, the online traffic-measuring firm. That's a droplet compared to the millions who'll watch the convention on TV. But taking down a campaign website would nevertheless remove a critical tool for reaching the public -- and likely generate a slew of stories in the mainstream media about the crash.

So it's no surprise that hardened electronic activists are planning to jam up the servers of GeorgeWBush.com, GOP.com and related websites, once the Republican National Convention gets underway Aug. 29.
"We want to bombard (the Republican sites) with so much traffic that nobody can get in," said CrimethInc, a member of the so-called Black Hat Hackers Bloc. It's one of several groups planning to distribute software tools to reload Republican sites over and over again. These FloodNet programs are similar to hackers' distributed denial-of-service attacks, which overwhelm a server with thousands and thousands of simultaneous requests for information.
But some activists are condemning the planned attacks, saying they violate the principles of free speech that protesters rely on for their demonstrations.

"If you feel that you must shut up someone through intimidation or false accusations or any other method -- you are not relying on the superiority of the truth," The Pull, co-founder of the online political action group Hacktivismo, wrote in an e-mail. "People can not condemn censorship and then embrace it."

The point of the electronic demonstrations isn't to take down a site, according to Ricardo Dominguez, co-founder of the Electronic Disturbance Theater, or EDT, which is releasing a FloodNet program of its own. Unlike hackers' denial-of-service attacks, which often hijack computers against their users' will, EDT's JavaScript-based software depends on how many people use the program. "It's a way to let people around the world gather and let their presence be felt," Dominguez said.

Not that he would mind if a Republican server just happened to crash along the way. In 2002, at the EDT's direction, 43,000 people flooded the site of the World Economic Forum during its meeting in New York. The organization's website went offline for several hours following the demonstration.
The Black Hat Hackers Bloc is hoping to cause a whole lot more trouble when the Republicans start to gather in New York. The groups will be targeting not only GOP computers, but "e-mail, faxes and phones, too," CrimethInc said, as well as unspecified "financial disruption."

Officials from the Republican Party and from Computer Horizons, the Mountain Lakes, New Jersey, firm responsible for network services at the GOP convention, did not respond to requests to comment for this article.
It's unclear exactly how effective these online actions will be. In an interview, CrimethInc boasted that his associates defaced the website for Drug Abuse Resistance Education, or DARE, with a pro-pot-legalization screed, and promised similar strikes against Republican sites. In the past, veteran online activists have called these tactics the "kind of stupidity that gives hacking a bad name."

The attacks during the Republican convention may be just the beginning, however. At the Hackers on Planet Earth gathering in New York City, one speaker promised attendees, "You will learn how to infiltrate organizations like the RNC, how to look for and find security holes, and how mischief and mayhem is achieved."


 

Microsoft releases list of applications known to be affected by SP2
Source: Anandtech

For those of you still teetering on the edge of whether or not to slap SP2 onto your PC, this article should help make the decision a bit easier. It appears that this list only shows a limited selection of programs, so keep that in mind before putting SP2 onto a machine that contains important data or applications (or games) you just can't live without. Most of the 'compatibility issues' seem to be network related and seem to simply require the end-user to add some exceptions to the new firewall. Search for the Microsoft Knowledge Base article 842242.

In an effort to head off support calls, Microsoft has published a list of about 50 programs from both the Redmond software giant and third-party software vendors that require tweaking in order to work properly with Windows XP Service Pack 2 (SP2).
Among the applications that are encountering problems are Web servers, remote desktops, file-sharing applications, FTP clients, multimedia streaming software and e-mail notifications. A number of systems-management applications and games also require manual modifications in order to work properly with SP2, according to Microsoft.


 

Calif. Assembly Backs E-Mail Monitoring Disclosure
source: Reuters

California's Assembly on Tuesday voted to require the state's employers to inform their workers in writing if e-mail and other Internet activity is monitored at work.

If it becomes law, supporters said the bill would place the state at the forefront of protecting employee privacy online and may serve as a model for similar bills in other states.

Critics said it would burden employers and is unnecessary because employees already assume online activities at work are monitored. Business groups also opposed the bill because any violation of it would be considered a misdemeanor.

The legislation, sponsored by Debra Bowen, a Democrat from Redondo Beach, California, was modeled on a state regulation requiring employers to disclose whether they monitor employee telephone calls.

The Assembly, which is the lower house of the California legislature, passed the bill with a 42-30 vote.

The bill must go to the state Senate for a final vote, and it requires Gov. Arnold Schwarzenegger's signature to become law. A spokeswoman for Schwarzenegger's office said he had not taken a position on the bill.

Connecticut has a law similar to Bowen's bill, but it requires employers who electronically monitor employees to put a notice in a conspicuous place where workers may read it.

Minnesota considered, but did not pass, a law that would have required notice before employers monitor workers electronically.

Massachusetts is considering a bill to require employers who engage in any electronic monitoring to provide prior written notice to all employees, customers or consumers who may be affected.

