Exploits
Software exploits that can compromise your privacy and security
  Thursday, March 1, 2007


Windows Vista's User Account Control (UAC), a system that Microsoft says makes the new operating system safer from attack, can be spoofed and shouldn't be completely trusted, a Symantec researcher said on Wednesday.

Ollie Whitehouse, an architect at Symantec's advanced threats research team, first used a blog entry Tuesday to point out how a hacker could use a file included with Vista to disguise the UAC warning dialog in the color associated with alerts generated by Windows itself.


10:19:06 PM    

Tricking Vista's UAC To Hide Malware. Vista's User Account Control, love it or hate it, represents a barrier against unwanted software getting run on users' computers. A Symantec researcher has found a simple way to spoof UAC and says that it shouldn't be completely trusted. The trick is to disguise the UAC warning dialog in the color associated with alerts generated by Windows itself.  [Slashdot]
10:14:53 PM    

Castrated RFID Talk at Black Hat. Following a lawsuit threat, a security researcher goes ahead with a presentation on vulnerabilities in RFID access cards -- but doesn't demonstrate problems with HID Global's system. By Kim Zetter. [Wired News: Top Stories]
9:29:30 PM    

Solaris Worm Blasts Way Through Operating System. "Hi, I'm Casper, I am a bored Sun developer and I wrote this piece of code." [GT: Security and Privacy]
9:02:48 PM    

Malware Adopts Disguises in Attempt to Dupe IT Defenses. Top ten threats and hoaxes reported in February 2007. [GT: Security and Privacy]
8:55:38 PM    

MPAA Fires Back at AACS Decryption Utility. RulerOf writes "The AACS Decryption utility released this past December known as BackupHDDVD, originally authored by Muslix64 of the Doom9 forums, has received its first official DMCA Takedown Notice. It has been widely speculated that the utility itself was not an infringing piece of software due to the fact that it is merely "a textbook implementation of AACS," written with the help of documents publicly available at the AACS LA's website, and that the AACS Volume Unique Keys that the end user isn't supposed to have access to are in fact the infringing content, but it appears that such is not the case." --- From the thread: "...you must input keys and then it will decrypt the encrypted content. If this is the case, then according to the language of the DMCA it does sound like it is infringing. Section 1201(a) says that it is an infringement to "circumvent a technological measure." The phrase "circumvent a technological measure" is defined as "descramb(ling) a scrambled work or decrypt(ing) an encrypted work, ... without the authority of the copyright owner." If BackupHDDVD does in fact decrypt encrypted content, then per the DMCA it needs a license to do that." [Slashdot: Your Rights Online]
7:43:21 PM    

Manipulating Reputation Systems.

BoingBoing points to a nice pair of articles by Annalee Newitz on how people manipulate online reputation systems like eBay's user ratings, Digg, and so on.

There's a myth floating around that such systems distill an uncannily accurate folk judgment from the votes submitted by millions of ordinary citizens. The wisdom of crowds, and all that. In fact, reputation systems are fraught with problems, and the most important systems survive because companies expend great effort to supplement the algorithms by investigating abuse and trying to compensate for it. eBay, for example, reportedly works very hard to fight abuse of its reputation system.

Why do people put more faith in reputation systems than the systems really deserve? One reason is the compelling but not entirely accurate analogy to the power of personal reputations in small town gossip networks. If a small-town merchant is accused of cheating a customer, everyone in town will find out quickly and -- here's where the analogy goes off the rails -- individual townspeople will make nuanced judgments based on the details of the story, the character of the participants, and their own personal experiences. The reason this works is that the merchant, the customer, and the person evaluating the story are embedded in a complex, densely interconnected network.

When the network of participants gets much bigger and the interconnections much sparser, there is no guarantee that the same system will still work. Even if it does work, a large-scale system might succeed for different reasons than the small-town system. What we need is some kind of theory: some kind of explanation for why a reputation system can succeed. Our theory, whatever it is, will have to account for the desires and incentives of participants, the effect of relevant social norms, and so on.

The incentive problem is especially challenging for recommendation services like Digg. Digg assumes that users will cast votes for the sites they like. If I vote for sites that I really do like, this will mostly benefit strangers (by helping them find something cool to read). But if I sell my votes or cast them for sites run by my friends and me, I will benefit more directly. In short, my incentive is to cheat. These sorts of problems seem likely to get worse as a service grows, because the stakes will grow and the sense of community may weaken.

It seems to me that reputation systems are a fruitful area for technical, economic and social research. I know there is research going on already -- and readers will probably chastise me in the comments for not citing it all -- but we're still far from understanding online reputation.

[Freedom to Tinker]
7:25:59 PM    


© Copyright 2007 Paul Hardwick.
Last update: 3/4/07; 3:50:09 AM.