Friday, November 9, 2012

AT&T reverses FaceTime blocking decision


AT&T has reversed its decision to allow Apple iPhone and iPad owners to use Apple's FaceTime videoconferencing application only on the carrier's most expensive data plans or if they are connected to Wi-Fi.
AT&T on Thursday announced it would allow customers with Apple devices to use FaceTime on other LTE plans in addition to its Mobile Share data plan. The carrier's decision comes after three advocacy groups said in September they planned to file a net neutrality complaint against AT&T at the U.S. Federal Communications Commission.
Free Press, Public Knowledge and New America Foundation's Open Technology Institute will move forward with the net neutrality complaint if AT&T does not make FaceTime available to its customers in a timely manner, Free Press said in a press release.
"The law is clear," Free Press policy director Matt Wood said in an email. "AT&T simply can't justify blocking an app that competes with its voice and texting services unless customers purchase a more expensive monthly plan that includes an unlimited amount of those very same services."
The FCC approved net neutrality regulations in late 2010.
AT&T made the original decision to limit FaceTime use because the carrier has so many iPhone owners on its network, said Jim Cicconi, the carrier's senior executive vice president for external and legislative affairs. "When Apple rolls out new services or changes, as it did in iOS 6, it can have a much greater, and more immediate, impact on AT&T's network than is the case with carriers who have far fewer iPhone users," he wrote in a blog post.
With FaceTime preloaded on "tens of millions of iPhones," AT&T engineers could not predict how much the app would be used and how much it would affect AT&T's network, Cicconi wrote. "It is for this reason that we took a more cautious approach toward the app."
But the decision "raised questions and some concerns," Cicconi added.
AT&T will roll out FaceTime for data users over eight to 10 weeks, he said. Starting on Oct. 26, the carrier began offering new billing plans designed to help deaf and hard-of-hearing customers use FaceTime, he added.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.


Facebook boosts Hadoop with scheduling muscle


Facebook has beaten some of the limitations of the Apache Hadoop data processing platform, its engineers assert.
Facebook has released source code for scheduling workloads on the Apache Hadoop data processing platform. Engineers at the social networking company claim this program, called Corona, is superior to Hadoop's own scheduler in MapReduce.
In tests, the Corona scheduler was able to put more than 95 percent of a cluster to work on jobs, whereas MapReduce could utilize, at the most, 70 percent of a cluster, Facebook said.
By using the clusters more efficiently, Facebook is able to analyze more information with existing hardware. Corona offers a number of additional benefits as well, including faster loading of workloads and a more flexible way of upgrading the software.
Facebook announced the release of Corona in a posting by a number of Facebook engineers who contributed to the software, including Avery Ching, Ravi Murthy, Dmytro, Ramkumar Vadali and Paul Yang.
Facebook's operations and users generate more than half a petabyte of data each day, which is analyzed by more than 1,000 Facebook personnel, mostly by using the Apache Hive query engine.
Typically, analysis jobs running on Hadoop are scheduled through the MapReduce framework, which breaks jobs into multiple parts so they can be executed across many computers in parallel.
Facebook ran into issues using MapReduce, however. The scheduler could not keep all the computers supplied with work. "At peak load, cluster utilization would drop precipitously due to scheduling overhead," the blog stated.
Another issue with MapReduce is that the software typically delayed jobs before executing them, the Facebook team said. In addition, the framework offered no easy way of scheduling non-MapReduce jobs on the same cluster, and software upgrades required system downtime, which meant stopping the jobs that were being executed at the time.
Facebook engineers developed the Corona scheduler so it would not have these limitations. The software would scale more easily and make better use of clusters. It would offer lower latency for smaller jobs and could be upgraded without disrupting the system.
Facebook is now in the process of moving MapReduce workloads onto clusters equipped with Corona. Initially, the social networking company deployed the software on 500 nodes. Once Corona proved effective, it was then tasked with all non-mission critical workloads, including larger workloads involving 1,000 or more servers. Now, the company is deploying Corona for all Hadoop workloads.
In tests, Corona has shown itself to be more effective than MapReduce across a number of metrics, Facebook asserted. In performance tests, Corona took around 55 seconds to fill an empty workspace, whereas MapReduce took 66 seconds, which constitutes a 17 percent improvement. Jobs are started more quickly now as well, within 25 seconds, down from 50 seconds with MapReduce.

Corona is not the only alternative to MapReduce. Facebook also looked at Yarn, which is Apache's overhaul of MapReduce, planned for release as MapReduce 2.0. Facebook engineers were unsure Yarn could execute jobs as large as those of the social networking site, however.
Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com


How to Secure Big Data in Hadoop


The potential is enormous: as businesses transform into data-driven machines, the data held by your enterprise is likely to become the key to your competitive advantage. As a result, security for both your data and your infrastructure becomes more important than ever before.
Big Data Could Be Toxic Data If Lost
In many cases, organizations will wind up with what Forrester Research calls "toxic data." For instance, imagine a wireless company that is collecting machine data (who's logged onto which towers, how long they're online, how much data they're using, whether they're moving or staying still) that can be used to provide insight into user behavior.
That same wireless company may have lots of user-generated data as well: credit card numbers, social security numbers, data on buying habits and patterns of usage, any information that a human has volunteered about their experience. The capability to correlate that data and draw inferences from it could be valuable, but it is also toxic because if that correlated data were to go outside the organization and wind up in someone else's hands, it could be devastating both to the individual and the organization.
With Big Data, Don't Forget Compliance and Controls
9 Tips for Securing Big Data
1. Think about security before you start your big data project. You don't lock your doors after you've already been robbed, and you shouldn't wait for a data breach incident before you secure your data. Your IT security team and others involved in your big data project should have a serious data security discussion before installing and feeding data into your Hadoop cluster.
2. Consider what data may get stored. If you're planning to use Hadoop to store and run analytics against data subject to regulation, you will likely need to comply with specific security requirements. Even if the data you're storing doesn't fall under regulatory jurisdiction, assess your risks (including loss of goodwill and potential loss of revenue) if data like personally identifiable information (PII) is lost.
3. Centralize accountability. Right now, your data probably resides in diverse organizational silos and data sets. Centralizing the accountability for data security ensures consistent policy enforcement and access control across these silos.
4. Encrypt data both at rest and in motion. Add transparent data encryption at the file layer. SSL encryption can protect big data as it moves between nodes and applications. "File encryption addresses two attacker methods for circumventing normal application security controls," says Adrian Lane, analyst and CTO of security research and advisory firm Securosis. "Encryption protects in case malicious users or administrators gain access to data nodes and directly inspect files, and it also renders stolen files or disk images unreadable. It is transparent to both Hadoop and calling applications and scales out as the cluster grows. This is a cost-effective way to address several data security threats."
5. Separate your keys and your encrypted data. Storing your encryption keys on the same server as your encrypted data is similar to locking your front door and then leaving the keys dangling from the lock. A key management system allows you to store your encryption keys safely and separately from the data you're trying to protect.
6. Use the Kerberos network authentication protocol. You need to be able to govern which people and processes can access data stored within Hadoop. "This is an effective method for keeping rogue nodes and applications off your cluster," Lane says. "And it can help protect web console access, making administrative functions harder to compromise. We know Kerberos is a pain to set up, and (re-)validation of new nodes and applications takes work. But without bi-directional trust establishment, it is too easy to fool Hadoop into letting malicious applications into the cluster, or into accepting the introduction of malicious nodes, which can then add, alter or extract data. Kerberos is one of the most effective security controls at your disposal, and it's built into the Hadoop infrastructure, so use it."
7. Use secure automation. You're dealing with a multi-node environment, so deployment consistency can be difficult to ensure. Automation tools like Chef and Puppet can help you stay on top of patching, application configuration, updating the Hadoop stack, collecting trusted machine images, certificates and platform discrepancies. "Building the scripts takes some time up front but pays for itself in reduced management time later, and additionally ensures that each node comes up with baseline security in place."
8. Add logging to your cluster. "Big data is a natural fit for collecting and managing log data," Lane says. "Many web companies started with big data specifically to manage log files. Why not add logging onto your existing cluster? It gives you a place to look when something fails, or if someone thinks perhaps you've been hacked. Without an event trace you are blind. Logging MR requests and other cluster activity is easy to do and increases storage and processing demands by a small fraction, but the data is indispensable when you need it."
9. Implement secure communication between nodes and between nodes and applications. To do this, you'll need an SSL/TLS implementation that protects all network communications rather than just a subset. Some Hadoop providers, like Cloudera, already do this, as do many cloud providers. If your setup doesn't have this capability, you'll need to integrate the services into your application stack.
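Tips 4, 5, 6 and 9 above each correspond to a handful of Hadoop configuration properties. The fragment below is an added illustration, not from the article, from Securosis or from any Hadoop vendor's documentation: it places the permissive defaults beside hardened values for the core-site.xml and hdfs-site.xml pair. It assumes a Hadoop 2.6 or later cluster (HDFS transparent encryption and the KMS key provider did not exist in the 2012-era releases the article discusses), and the KMS host name and port are constructed placeholders.

```xml
<!-- core-site.xml (hardened values; the "default:" comments show what the stock
     configuration would use if the property were left unset) -->
<configuration>
  <!-- Tip 6: "simple" trusts whatever user name the client claims to be.
       Kerberos establishes the bi-directional trust the article calls for. -->
  <property>
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>   <!-- default: simple -->
  </property>
  <!-- Tip 6: without this, the service-level ACLs are never enforced,
       so any authenticated principal may talk to any daemon. -->
  <property>
    <name>hadoop.security.authorization</name>
    <value>true</value>       <!-- default: false -->
  </property>
  <!-- Tip 9: "authentication" protects only the RPC handshake and leaves
       payloads (including file contents on the control path) readable on the wire. -->
  <property>
    <name>hadoop.rpc.protection</name>
    <value>privacy</value>    <!-- default: authentication -->
  </property>
  <!-- Tips 4 and 5: encryption keys are served by a separate Key Management
       Server rather than stored on the data nodes. Host and port are placeholders. -->
  <property>
    <name>hadoop.security.key.provider.path</name>
    <value>kms://http@kms.example.internal:16000/kms</value>
  </property>
</configuration>

<!-- hdfs-site.xml -->
<configuration>
  <!-- Tip 9: the block-transfer path between clients and DataNodes is separate
       from RPC and stays in the clear unless this is enabled. -->
  <property>
    <name>dfs.encrypt.data.transfer</name>
    <value>true</value>       <!-- default: false -->
  </property>
  <!-- Tips 4 and 5: HDFS encryption zones fetch their keys from the same KMS,
       so a stolen disk image holds ciphertext without the key material. -->
  <property>
    <name>dfs.encryption.key.provider.uri</name>
    <value>kms://http@kms.example.internal:16000/kms</value>
  </property>
</configuration>
```

Once an encryption zone has been created over a directory holding sensitive data, the KMS, not the NameNode or any DataNode, is the only place the zone keys exist in the clear, which is the separation tip 5 describes; the Kerberos and RPC settings take effect only after every daemon and client has a keytab or ticket, so stage them on a test cluster before the production one.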
Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Thor at tolavsrud@cio.com
Read more about business intelligence (bi) in CIO's Business Intelligence (BI) Drilldown.


Priceline to buy travel research site Kayak for $1.8 billion


Online hotel-booking giant Priceline.com plans to acquire Kayak, another Internet-based travel company, for US$1.8 billion in cash and stock, the companies announced on Thursday.
Priceline will pay about $500 million in cash and $1.3 billion in stock and stock options for Kayak. The deal has been approved by both companies' boards of directors but still needs approval by regulators and Kayak shareholders. It should close late in the first quarter of 2013.
Priceline says it offers online bookings at more than 270,000 hotels around the world. In addition to the Priceline.com site, it operates the Booking.com, Agoda.com and Rentalcars.com brands within its Priceline Group of companies. Kayak is a travel research site that consolidates information about flights, hotels and rental cars for comparison shopping. It links to multiple other sites, including Priceline's services, where users can complete a booking.
Kayak processes more than 100 million queries per month, according to a press release. Priceline said the acquisition would help Kayak to build a global brand. The Priceline Group operates in more than 180 countries, Priceline said. Priceline will pay $40 per share for Kayak, a significant premium on the company's closing stock price of $31.04 on Thursday. Kayak went public in July. However, Kayak's stock on the Nasdaq (KYAK) was down $0.50 in after-hours trading late Thursday. Priceline (PCLN) was down $6.74 at $627.87.
Kayak's current management team will remain in place and run the company independently within the Priceline Group, the companies said. Both companies are based in Norwalk, Connecticut.
Stephen Lawson covers mobile, storage and networking technologies for The IDG News Service. Follow Stephen on Twitter at @sdlawsonmedia. Stephen's e-mail address is stephen_lawson@idg.com


Michigan man charged with selling counterfeit Microsoft software


A man from Michigan was arraigned in a U.S. federal court on Thursday on charges of mail fraud and selling counterfeit software worth over US$1.2 million that he purchased from China and Singapore, the U.S. Department of Justice said Thursday.
Bruce Alan Edward, 48, of Atlanta, Michigan, was charged in an indictment returned on Oct. 24 and unsealed on Nov. 1 by the federal grand jury in Bay City, Michigan, DOJ said in a statement. He was arraigned on Thursday in U.S. District Court for the Eastern District of Michigan.
Edward allegedly distributed counterfeit copies of Office 2003 Professional and Windows XP Professional by selling copyrighted works on eBay and then using the U.S. Postal Service to deliver the counterfeit software, according to the indictment which charges Edward with five counts of criminal copyright infringement and one count of mail fraud.
The indictment charges Edward with making more than $140,000 between May 2008 and September 2010 by selling more than 2,500 copies of counterfeit Microsoft software that had a retail value of over $1.2 million.
If convicted of all counts in the indictment, Edward faces a maximum of 45 years in prison and $1.5 million in fines, DOJ said. He could also have to forfeit all criminal proceeds and counterfeit items and any property used to commit the alleged criminal activity, if convicted.
Software piracy has been on the decline in the U.S., but the commercial value of software piracy in the country still adds up to almost $10 billion, with 31 percent of computer users admitting to pirating software, Business Software Alliance, an antipiracy industry group, said in August. Since January, BSA settled a number of cases of unlicensed software including eight cases representing a value of more than $2.5 million, it said. 
John Ribeiro covers outsourcing and general technology breaking news from India for The IDG News Service. Follow John on Twitter at @Johnribeiro. John's e-mail address is john_ribeiro@idg.com


Iranian minister faces US sanctions for Internet censorship


The U.S. on Thursday said it ordered sanctions against Iran's Minister of Communication and Information Technology, Reza Taghipour, and other entities and persons responsible for engaging in censorship in their country.
Taghipour is blamed by the U.S. for ordering the jamming of satellite television broadcasts and restricting Internet connectivity, according to a statement from the U.S. Department of State.
Iran has for some time considered separating its own internal networks from the global Internet, describing it as unsafe. Earlier this year, the Iranian Students' News Agency quoted Taghipour as saying that the Internet is an "unsafe network," and that Iran would use local software to create a national grid.
The Iranian government has also put restrictions on Internet users, according to civil rights groups.
Others sanctioned by the U.S. are Iran's Ministry of Culture and Islamic Guidance and its Press Supervisory Board, which are said by the U.S. to have limited freedom of expression through their censorship and closure of newspapers and the detention of journalists. The Department of State said it is also designating key individuals and entities "responsible for assisting the regime in its crackdown on and censorship of the Iranian people."
The actions were taken under Section 403 of the Iran Threat Reduction and Syria Human Rights Act of 2012, signed by U.S. President Barack Obama in August, and executive order 13628, which Obama signed into effect on Oct. 9.
As a result of the action, "U.S. persons are prohibited from engaging in transactions involving the designated individuals or entities, and all designated individuals and members of designated entities are subject to a ban on travel to the United States," the Department of State said. The action also blocks, or freezes, the property and interests in property of the designated individuals or entities.
The U.S. has already imposed a number of sanctions on Iran in connection with its nuclear program, which Iran insists is for peaceful purposes, but the U.S. holds may lead to Iran building a nuclear bomb.
The sanctions on Thursday, which target "individuals and entities who have engaged in censorship or other activities with respect to Iran on or after June 12, 2009," were included in one of three orders sanctioning a total of 17 individuals and entities, including those charged with terrorism and with proliferation of weapons of mass destruction.


China Telecom aims to upgrade to LTE FDD, but authorities will decide


As China continues trials of its 4G networks using the government-backed LTE TDD technology, mobile operator China Telecom is aiming to go another route and deploy LTE FDD technology for its upcoming 4G networks.
The Chinese government has yet to issue 4G licenses to operators. But China Telecom, with 152 million mobile subscribers, wants to upgrade its existing 3G networks to LTE FDD technology, said Xu Fei, a spokesman for China Telecom, on Friday.
For the past year, the company has been running trials using an LTE FDD (Frequency-Division Duplex) network in the Chinese city of Guangzhou, Xu added.
LTE FDD is the variant of 4G LTE technology currently dominant among mobile operators across the world.
China, however, is pushing the development of LTE TDD (Time-Division Duplex), a variant which is based on the country's own 3G technology called TD-SCDMA (Time-Division Synchronous Code Division Multiple Access).
LTE TDD trials are already under way in the country and will be expanded to 100 cities in China next year. Rival operator China Mobile stands to benefit the most. The company currently uses the TD-SCDMA standard in its 3G networks, and is expected to upgrade them to 4G using LTE TDD technology.
China Telecom, on the other hand, uses CDMA2000 3G networks, a technology widely used outside the country. But no operator has yet upgraded from a 3G CDMA network to 4G using solely LTE TDD, Xu said.
"The FDD-LTE technology is more mature," he said. "So we think this is the better road for us to take."
China Telecom, however, won't be the one to decide that. The Chinese government has the final say when it issues the 4G licenses, Xu said.
In September, a Chinese official signaled the government could issue those licenses near the end of next year.


Judge to consider Samsung's questions about jury foreman


A court in California said Thursday that it would consider Samsung Electronics' concern that the foreman of the jury deciding a patent infringement lawsuit between Apple and Samsung had concealed information.
A jury in California decided in August that the South Korean company must pay Apple US$1.05 billion for infringing several of its patents in Samsung smartphones and tablets.
Samsung has, however, asked for a new trial of the case, alleging that the foreman of the jury, Velvin Hogan, was untruthful and biased. In the voir dire, a court procedure of questioning prospective jurors for potential bias, Hogan did not mention that he had been sued by his former employer, Seagate, for breach of contract after he failed to repay a promissory note in 1993 and filed for bankruptcy six months later, according to the filing on Oct. 2.
Samsung has a "substantial strategic relationship with Seagate," and is the single largest direct shareholder of the hard drive manufacturer after selling it a business division last year, it said in the filing.
On Oct. 30, Samsung filed a motion to compel Apple to disclose the circumstances and timing of Apple's discovery of certain information regarding the jury foreman.
Judge Lucy H. Koh of the District Court for the Northern District of California, San Jose division, wrote in her order on Thursday that the court will consider the questions "of whether the jury foreperson concealed information during voir dire, whether any concealed information was material, and whether any concealment constituted misconduct."
"An assessment of such issues is intertwined with the question of whether and when Apple had a duty to disclose the circumstances and timing of its discovery of information about the foreperson," Judge Koh wrote.
The court will address Samsung's motion to compel at a Dec. 6 hearing. If the court grants the motion, it will likely order supplemental briefing before ruling on Samsung's motion for judgment as a matter of law, Koh said.


Get unlimited E-book

Get unlimited e-books after signing up and verifying your account. You can download books in many categories.
Visit the following link:
http://liberationbooks.com/vipmembers.html


Sunday, October 21, 2012

Benefits of giving thoughtful gifts to someone you love


Site review: http://messageonanecklace.com/gift_ideas.html


Site type: Gift related.



Contents: Gifts for all events.




Description/review: 'Message on a Necklace'.

If you want to buy a gift for someone, you will always try to buy a good one, won't you?


The important part of finding good gifts for someone lies in understanding whether they have any secret wants, needs or desires.



Here is a list of some good gifts that you may want to consider:


  • Treat them to an appointment at their favourite salon
  • A gift card so that they can get whatever they want
  • Buy them their favourite childhood book from a specialist book store
  • Take them skiing
  • Learn-to-surf classes
  • Personalised jewellery


You can use it to give a good gift to your loved one, such as personalised jewellery as a present or gift idea.

The message is printed on a piece of paper at 1.5cm-4cm and inserted into a glass vial. The glass vial is attached to a sterling silver necklace. To ensure that the recipient can read the message, a large version of the message is mounted on a beautifully presented keepsake necklace box. With a Message on a Necklace, that special person is reminded of your meaningful message as they wear it close to their heart each day.



Saturday, October 20, 2012

Sharksucker Keyboard from JSXL Technology

The Sharksucker Keyboard case is a totally different kind of keyboard case from other cases. You can use it with the Apple iPad 2 and Apple iPad 3. This case is from JSXL Technology, a very well-known technology company. You don't have to worry about their product quality, because this technology company has already earned the hearts of its users and customers. This is not a simple case; it will make your device better than before. It will improve your writing on your Apple iPad. Your typing will improve very much when you use it for typing email or anything else, as you will find once you use it. It has many features that you can use. This keyboard will make your iPad look like an awesome laptop. You can put the iPad into sleep or wake mode by closing and opening the lid. This aluminium case will fit perfectly on your new iPad 3 or iPad 2. It will make your iPad more stylish than ever when it stands up in it. No other keyboard case will match and fit your iPad like the Sharksucker Keyboard can. The price is not so high; you can buy it within your budget. A great offer is going on for you, and the price is very low for a limited time. This is the latest Bluetooth keyboard in 2012, and in 2013 it will not be an old model, because this keyboard will always be cool and fine. It is designed by a very high-quality designer. That's why the Sharksucker Keyboard is different from any other normal Bluetooth keyboard. It has a built-in high-quality, high-capacity battery which can supply power to the Apple iPad when needed. It is very easy to carry from one place to another, because the transform system is very good: you can easily fold it closed or open like a laptop. This is the perfect and best partner for your iPad; no other keyboard will ever be like it. It has an ultra-thin design that is super cool for your iPad. It has a very good sleep mode which will improve and save the battery of your iPad. You can adjust it to your iPad in many ways, because it has a multi-angle adjustment system.
You will get a very high-quality USB charging cable with it. You don't have to use any extra battery for it, so it will save you money as well, because any other Bluetooth keyboard needs extra pencil batteries, which cost so much. In this way you are totally free of that worry. If you are interested in buying a Sharksucker keyboard for yourself, you can also buy it online from that site. I don't think you will be unhappy with this Bluetooth wireless keyboard, because no one has been disappointed after buying and using it. Everybody feels so good about this keyboard. If you want to know more about this keyboard, then visit the link. Your knowledge will improve, and I think you will benefit very much.
Please visit the following link for more info:


Play Zwinky Games Here

Zwinky Games To Play: Choose a hair style, any hair style, and pick an outfit that suits the hair. Come up with anything from a crazy giant pink hair style to a calmer hairdo; it's all up to you.


Thursday, October 4, 2012

online casino and casino games


Forms of online gambling

The Internet has made way for new types of gambling to form online. The recent improvements in technology have once again changed betting habits just as Video Lottery Terminal, keno and Scratchcards changed the gambling industry in the early 20th century.
Internet gambling has become one of the most popular and lucrative businesses on the Internet. In 2007 the UK Gambling Commission stated that the gambling industry achieved a turnover of over £84 billion. This is partly due to the wide range of gambling options that are available to accommodate many different types of people.

Poker

Online poker tables commonly offer Texas hold 'em, Omaha, Seven-card stud, razz, HORSE and other game types in both tournament and ring game structures. Players play against each other rather than the "house", with the card room making its money through "rake" and through tournament fees.
Casinos

There are a large number of online casinos in which people can play casino games such as roulette, blackjack, pachinko, baccarat and many others. These games are played against the "house" which makes money due to the fact that the odds are in its favor.

Sports betting

Sports betting is the activity of predicting sports results and placing a wager on the outcome.

Bingo

Online bingo is the game of bingo played on the Internet.

Lotteries

Most lotteries are run by governments and are heavily protected from competition due to their ability to generate large taxable cash flows. The first online lotteries were run by private individuals or companies and licensed to operate by small countries. Most private online lotteries have stopped trading as governments have passed new laws giving themselves and their own lotteries greater protection. Government controlled lotteries now offer their games online.

Links:


Online slot machine


A slot machine is also called slots, a poker machine (pokies, in slang) or just a slot.
An online slot machine is a casino gambling machine played online, with three or more reels that spin when a button is pushed.
With microprocessors now ubiquitous, the computers inside modern slot machines allow manufacturers to assign a different probability to every symbol on every reel. To the player it might appear that a winning symbol was 'so close', whereas in fact the probability is much lower.
In modern slot machines, the reels and lever are for historical and entertainment reasons only.


Saturday, September 22, 2012

Oracle database flaw deemed serious, could expose data

CSO by Antone Gonsalves

Some Oracle databases have what experts say is a serious flaw in the login system that a hacker can use to retrieve and change stored data.
The flaw, in Oracle Database 11g Releases 1 and 2, leaves the token that is provided by the server before authentication is completed open to a brute-force attack, said Esteban Martinez Fayo, the Application Security researcher who discovered the flaw. If successful, an attacker can gain access to the database.
"An authentication bypass is quite serious," Kevin Mitnick, a well-known white-hat hacker and founder of Mitnick Security Consulting, said in an email. "Basically, an attacker can get to the data stored in the database, and even change it."
The vulnerability stems from the way the authentication protocol protects session keys. When a client connects to the database server, a session key is sent with a salt. Because this happens before the authentication process is finished, a hacker working remotely can link the key to a specific password hash.
"Once the attacker has a session key and a salt, the attacker can perform a brute-force attack on the session key by trying millions of passwords per second until the correct one is found," Fayo told Kaspersky Lab's Threatpost blog.
Because the hack occurs before authentication is done, no login failure is recorded in the server, so a person can gain access without triggering an abnormal event.
Oracle, which did not respond to a request for comment, patched the flaw in the latest upgrade of the authentication protocol, version 12. However, the company is not planning a patch for the flawed version, 11.1, Fayo said. Even with the upgrade, database administrators have to configure the server to only allow the new version of the protocol.
Because the fix requires an upgrade, the vulnerability will hound some Oracle customers for years, said Justin Clarke, a security researcher at Cylance.
"There are many large companies and critical infrastructure agencies which cannot afford the time or risk to upgrade all their Oracle clients and servers," Clarke said. "I can say with near certainty that we will see this vulnerability as long as Oracle 11g remains in use."
Previous flaws in Oracle's authentication protocol have been a well-kept secret in the security industry, Clarke said. "It's great to see that issues like this are being discussed publicly, and I hope that this helps serve as a wake-up call for Oracle and its users to dig deeper and assess the actual strength of systems."
Brent Huston, chief executive of security testing company MicroSolved, said even if a company prevents Internet access to a vulnerable database, the data is still at risk of an attack from the inside.
"Oracle's choice to lock this patch to an upgrade really forces the hand of those organizations with longer technology refresh periods and puts a lot of strain on the trust relationships they have with Oracle as a vendor," Huston said in an email.
Because of the vulnerability, customers that haven't upgraded their databases will have to implement some form of protection, particularly if they are subject to oversight by regulators, Huston said.
Fayo discovered the vulnerability after noticing that the client and server handled logins with incorrect passwords differently. A closer examination led to the discovery.
Fayo discussed the vulnerability Thursday at the Ekoparty Security Conference.
Oracle has battled with database flaws in the past. In January, InfoWorld uncovered a manual method to change the system change number (SCN), which could break the database. The SCN is a kind of time stamp for every transaction. If a database reaches its transaction limit, it could stop working properly.
Read more about application security in CSOonline's Application Security section.


Apple seeks another $707 million in damages from Samsung

Sep 22, 2012 11:24 am | IDG News Service


A California jury may have awarded Apple more than US$1 billion in damages in late August when it triumphed over Samsung in a hard-fought case over smartphone and tablet patents, but the iPhone maker is coming back for more: late on Friday it asked for additional damages of $707 million.
The request includes an enhanced award of $535 million for willful violation of Apple's designs and patents, as well as about $172 million in supplemental damages based on the fact that the original damages were calculated on Samsung's sales through June 30. Apple wants the supplemental amount to cover the period from July 1 through the date when the case is resolved, which it estimated as December 31, 2012.
In its filing with the U.S. District Court for the Northern District of California Apple also said that if the court decides to review the damage award based on a challenge from Samsung, it also wants an additional $155.8 million for five infringing products where the jury awarded less than the minimum amount calculated by Samsung's damages expert.
Apple also wants either a new trial or amended judgments finding that the iPad and iPad 2 design is protected and is infringed by Samsung's Galaxy Tab 10.1, and that a wide range of Samsung phones infringe on Apple patents or trade dress.


Microsoft patches critical Flash bugs in Windows 8


Sep 22, 2012 09:51 am | Computerworld
Updates IE10's integrated Flash Player with fixes to block ongoing hacker attacks 

by Gregg Keizer

Microsoft on Friday updated Flash on Windows 8 to protect IE10 users from attacks that may have started months ago.
More than a week before, Microsoft had backed away from an earlier position that held it would not patch Flash until late October. Instead, the company promised to update the media player "shortly."
Microsoft, not Adobe, is responsible for patching Flash Player in Windows 8 because the company mimicked Google's Chrome by building the software into IE10, the new operating system's browser. Microsoft announced that move in late May, when its top IE executive, Dean Hachamovitch, said, "By updating Flash through Windows Update, like IE, we make security more convenient for customers."
But the Redmond, Wash. developer ran into trouble from the get-go. Although Adobe shipped a pair of security updates in August that patched eight vulnerabilities, Windows 8 RTM, the finished code that began reaching users that same month, lacked those fixes.
One of the eight Flash bugs has been exploited by hackers, perhaps for months. An elite hacker gang known for finding and leveraging unpatched vulnerabilities has been among those hijacking Windows PCs with the flaw.
Friday's Flash update will be offered to Windows 8 RTM, and to the final public beta, Windows 8 Release Preview. That sneak peek, which users downloaded free of charge, does not expire until Jan. 31, 2013.
Computerworld confirmed that the update boosted IE10's Flash Player to version 11.3.374.7 on Windows 8 RTM. On Friday, Adobe confirmed that that edition contained the patches for the eight vulnerabilities it patched Aug. 14 and Aug. 21.
Yunsun Wee, director of Microsoft's Trustworthy Computing team, also clarified how the company will treat future Flash updates for IE10 in Windows 8.
"On a quarterly basis when Adobe normally issues Flash Player updates, we will coordinate on disclosure and release timing," pledged Wee.
Her reference to an Adobe quarterly Flash schedule was odd; although Adobe tries to adhere to a regular cadence for Adobe Reader -- not always successfully -- it has never set something similar for Flash Player.
Thus far during 2012, in fact, Adobe has issued seven Flash updates: One in February; two in March; one each in May and June; and two in August. If Adobe is adopting a quarterly patch process for Flash Player, it has kept that under wraps.
Wee also admitted that Microsoft will need to deliver "out-of-band" updates -- those outside its usual monthly Patch Tuesday -- to keep IE10's and Windows 8's Flash in sync with the Flash plug-ins Adobe maintains for other browsers.
"When the threat landscape requires action outside of Adobe's normal update cadence, ...we will issue updates outside of our regular monthly security bulletin release," Wee said in a Friday post to the Microsoft Security Response Center's blog.
Those out-of-band Flash updates could quickly pile up. If Windows 8 had been available from the start of 2012, in the best circumstances Microsoft would still have had to deliver emergency Flash updates in February, March and August.
Even then, Microsoft would have had to hustle to work the other four Flash updates into its next Patch Tuesday: In one instance, Flash was updated on Patch Tuesday, while in two others, Microsoft would have had just four days to prepare. The fourth Flash update was released eight days before the next Patch Tuesday.
More information on the Flash Update to IE10 and Windows 8 can be found in Microsoft's security advisory.
Windows 8 users can obtain the Flash update via the Windows Update service, as well as through the enterprise-grade WSUS (Windows Server Update Services).
Microsoft's made good on a Sept. 11 promise to patch Windows 8's baked-in Flash Player.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.


Friday, September 21, 2012

Anonymous spokesman's YouTube meltdown led to arrest


Sep 21, 2012 09:24 am | CSO
by Taylor Armerding

If anybody was surprised at the arrest in Dallas last week of Barrett Brown, self-described sometime spokesman for the hacktivist group Anonymous, it should not have been Brown himself.
He practically invited it. A three-part, 43-plus minute rant posted on YouTube on Sept. 11 and 12 included a threat to "shoot ... and kill" any armed government officials who sought to arrest him -- "especially the FBI."
"Dallas Sheriff's Department spokeswoman Carmen Castro told The Dallas Morning News Brown was arrested Wednesday night and 'released over to the FBI' in the morning," UPI.com reported last week.
Very few in the security community would comment on the arrest for the record, most saying they did not want the headache of becoming a target of Anonymous.
One of the few who did was Robert Stacy McCain, who wrote on his website, The Other McCain, that "a lot of the Anonymous people never trusted Barrett Brown, regarding him as an untrustworthy egomaniacal fame-seeker trying to cash in."
"He did a TV interview with Michael Isikoff of NBC and announced a book deal with Gregg Housh, and did all of this while promoting himself as the official spokesman for Anonymous, whose members are ... well, anonymous, and with good reason, because the cops would very much like to put a lot of them in prison," McCain wrote.
McCain wrote that after the FBI raided Brown in March, but did not arrest him, other members of Anonymous suspected he might be cooperating with the agency. Of the latest video, he wrote: "Being a paranoid conspiracy theorist is not illegal, and Brown's tinfoil-hat rantings about (various enemies) were just so much noise. But his threats to 'destroy' FBI agent Robert Smith? Yeah, the feds don't take that kind of talk lightly."
Joel Harding, a retired military intelligence officer and information operations expert, would say only that, "Anyone who threatens the FBI, I question their judgment."
And the security community's desire to avoid that possibility was validated by last week's posting by Anonymous offshoot Anti-Sec of a text file on Pastie containing the names, street addresses, credit card numbers and other information of what appears to be a random series of 13 government employees around the country, ranging from military service personnel to a Department of Justice employee.
TPM reported that it had "verified that several of the phone numbers and other information contained in the text file were authentic and spoke with several victims of the hack, who were not previously aware that their information had been posted online and were confused as to why they were being targeted, having no knowledge of Brown or his arrest."
But behind the relative anonymity of comments on the YouTube video page were some critics who were a bit more outspoken. Noting Brown's semi-coherent monologue, sometimes featuring manic, table-pounding obscenities and other times uncontrollable giggling, a viewer called "Vicious Latina" observed, "This is your brain on drugs."
Brown acknowledged several times during the video his addiction to opiates, including heroin, and at one point called himself a "weird junkie."
But his major theme was that he was a victim of criminal actions by the FBI and various collaborators, and was going to take revenge in kind. He catalogued a list of grievances against the agency and various alleged informants who he claimed have been involved in a "criminal conspiracy" that has put his and members of his family's lives in danger.
Then, in an escalating series of threats, Brown first said of FBI agent Robert Smith that he would "ruin his life and look into his [expletive] kids." Brown said it would all be legal because, "Aaron Barr did the same thing [to me] and he didn't get raided for it."
Barr is a former CEO of HBGary Federal, a now-defunct firm whose email account was hacked by Anonymous in February.
Brown said he had worked with "several Mexican Anons" about a year ago in an operation called OpCartel, which he said led to speculation that he might be killed by Los Zetas, a violent criminal drug syndicate in Mexico.
After Los Zetas kidnapped a member of Anonymous, Brown claimed he had the names of 75 Zeta collaborators, which he threatened to release to the press unless the Anonymous member was set free.
In the video, Brown accused FBI informants, some of whom he said were ex-military, or military contractors, of posting pictures and the addresses of houses where he used to live, with taglines saying, "this is for the Zetas."
Jay Leiderman, an attorney at the Ventura, Calif., law firm Leiderman Devine LLP, who has represented Brown in the past, said while he had not seen the images of Brown's residences, his understanding was that they were "out there," thanks to FBI collaborators including the former LulzSec leader "Sabu," whose name is Hector Xavier Monsegur, and who had reportedly been cooperating with the FBI after his arrest in the summer of 2011.
At some point, Brown said, his actual address was posted, again with the suggestion that it was to help Los Zetas find him. In response, he said he was concerned that Los Zetas might show up at his house posing as U.S. government or FBI officials.
"As such," he said, "any armed officials of the U.S. government, particularly the FBI, will be regarded as Zeta assassin squads. They know that I'm armed, that I come from a military family, that I was taught to shoot ... I will shoot all of them and kill them if they come, because they are involved in a criminal conspiracy and I have reason to fear for my life."
Some viewers in the comments section treated that claim with scorn. "Adrian Katterfelto" wrote, "Los Zetas have no interest in Barrett Brown. He's not a threat to them. He's not even a blip on their radar. If they had wanted him dead, we wouldn't be watching this video. Or it would be a very different kind of video. And they wouldn't need to send someone up from Mexico either, because they're already here."
But Brown had supporters as well. "Asilentfire" wrote, "What's [expletive] is how these comments try to make him look like the enemy, when we need to WAKE UP and see that he is on our side fighting for our freedoms. Can't you people see that our last line of defense against a total NWO takeover is being silenced?"
Anti-Sec, in its retaliatory posting, led with: "Barrett Brown, our controversial hated/loved friend (doesnt matter what kind of [expletive] he does, he's still one of us) seems to have been v&'d ... again."
"Hhahahaha. then try to come and convince us that FBI is not mad as hell at us. remember there's always another behind behind the behind. if u dont want to trust us, it's ok, you shouldn't. but dont be dumb and at least to not realise something here is kinda fishy currently. (tip: prepare yourself to hear anonymous is linked to al-qaeda or something). so well, we think Barrett deserves at least we bring some kind of retaliation for this FBI (expletive) against him," Anti-Sec wrote.
Brown also issued an ultimatum to the FBI to return a laptop and other property taken from him during the raid in early March, in which the agency searched both his apartment and his mother's home, where he was staying at the time. Brown said the FBI also took his mother's laptop.
Brown was not charged in connection with that raid, and he demanded that his property be returned within two weeks or he would "release some stuff that's on there, and they don't know what I have access to that I have copies of that's on there."
Jay Leiderman said that since the laptop had been seized pursuant to a warrant, it would take approval by the court to have it released. Leiderman said Brown is still in custody since his arrest last week, pending trial.
Brown also demanded an apology from Smith and an alleged informant, both for taking his property and for "threatening my [expletive] mother with obstruction of justice."
However, Brown's arrest last week was apparently without incident. That will crimp, or at least delay, another threat he made.
He said Agent Smith had referred to him during the March raid as "the bad guy." So, he said, he would prove it in the coming months, "using the court system, using the media, using my group Project PM which has always been, secretly to some extent, created for the purpose of wiping out this (expletive) government and certain media institutions, and through other means at my disposal, some of which are known, some of which are known to a few and some of which are still secret."
Leiderman, while he is not representing Brown in the current case, said he doesn't think the threats Brown made on the video were serious. He said it was "fair" to conclude that Brown may have been under the influence of some of his admitted addictions.
"I wish they had stepped back a bit and thought about it, before going in with guns blazing," he said.

