As we told you last week, Microsoft rolled out two new security programs, Microsoft Active Protections Program and Microsoft Exploitability Index, during the Black Hat USA 2008 Conference. Unfortunately for Microsoft, the same conference saw a presentation by security experts Mark Dowd and Alexander Sotirov that renders these and other protections for Windows Vista, including its much-touted Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) features, effectively null and void.
How did they do it? The full presentation (available here in PDF format) is quite technical, but here's the short version, according to SC Magazine:
In explaining the problem, the researchers said that most memory protection mechanisms are based on two things: detecting corruption and stopping common exploit patterns, and attempts to reinforce these are integral to Vista. But in many cases, some of the built-in protection mechanisms in Vista are not enabled by default for compatibility reasons.
“At the desktop level, compromises had to be made because of compatibility issues. Exploiters have a lot more control over browsers,” Sotirov said.
And in many cases, third-party applications are not compiled to use the Vista memory protections. For example, Java and Flash are not compiled using the critical protection called ASLR.
What can be done? My take: Microsoft needs to rethink the balance of compatibility versus protection, do a better job of informing users of what's protected and what's not, and get third-party application vendors to take advantage of the protection features in Vista. What about ordinary users like us? Watch out for compromised legitimate websites, and, as always, as our own Will Smith says, think before you click.
What's your take on Vista and other browser security issues? See us after the jump for your chance to sound off.
Power users know how critical it is to change their passwords often and to avoid using easily guessed characters. Creating a login for your bank account based on your firstborn's birth date is a good way to share your financial information with anyone who cares to look, and the best passwords are the ones that contain a random mixture of letters and numbers. But is it enough?
An article in the New York Times points out that all password-based log-ons are susceptible to being compromised in any number of ways, and they're right. We're constantly warning users against falling for phishing schemes, and new forms of malware have become so adept at sneaking past common security fronts that a host of vendors have begun looking at new ways of dealing with the latest threats (see Internet Security 2.0 in Maximum PC's February 2008 issue, or download the PDF).
Hit the jump to see why security experts are now saying we should abandon passwords altogether.
NZXT, the company best known for its lineup of flashy enclosures, looks to expand its horizons by getting into the gaming peripheral market with its new Avatar mouse. The uniquely shaped rodent comes ready for both left- and right-handed gamers and sports a rubber grip to prevent slippage. NZXT says the "small, light form factor allows for faster and quicker movements," and the company bills the new mouse as being ergonomic.
The Avatar also comes equipped with a 7-button configuration and boasts a high 2600 DPI. Other features include:
40 inches/second max speed
15g max acceleration
6469 max fps
5.8MP per second
Up to 1000 USB reports per second
In one of the more interesting marketing bullets, NZXT claims the 7 buttons will last for 5 million clicks, which sounds like a really, really long time. Available now, the new Avatar has been given an MSRP of $60, which works out to about $.000012 per click.
Reminder: The survey and raffle ends tomorrow, so if you haven't filled it out yet, get to it! Fame and glory await.
Hello, Maximumpc.com readers. Since we relaunched the site a little over a month ago, you've had the chance to hear a lot from us in our myriad web posts. We think it's time for us to get to know you a little better, and at the same time, give out some sweet prizes. We want your input so we can make the site better, and we just happen to have a few Newegg gift certificates sitting in the lab. All you need to do for a chance to claim one is fill out our simple 15-question survey. It'll just take 5 minutes, and the questions are all multiple choice! Just click here for the survey.
The boys and girls at Berkeley are at it again, but this time they're working on an invisibility cloak, which could turn out to be one of the greatest inventions ever, right up there with X-ray goggles and other nifty gadgets we used to read about in the marketing section of yesteryear's comic books.
For the first time, researchers have demonstrated they were able to cloak 3D objects using artificially engineered materials that redirect light around the objects. Prior to the demonstrations, cloaking has been limited to thin 2D objects.
The technology works using materials known as metamaterials to deflect radar, light, and other waves around an object. These metamaterials consist of mixtures of metal and circuit board materials (ceramic, Teflon, or fiber composite), and scientists continue to try and find ways of using them to bend light around obstacles.
Uses for cloaking technology include the obvious military applications, and as such, the research was funded in part by the U.S. Army Research Office. Not only do scientists have to fine-tune the concept, but manufacturing the required materials on a large scale also poses a problem.
Do you think we'll ever see a full-fledged invisibility cloak in our lifetime?
You might feel compelled to toss a dollar or two at an amateur musician laying down some groovy riffs on his keyboard while enjoying a night out on the town, but would you feel the same urge to compensate a blogger who mashed out an insightful commentary on his 101-key plank? News media outlet Salon.com thinks so, and the suits behind the idea are so confident in their newest endeavor, they're giving new signees to their Open Salon user-generated content community $10 to start tipping their favorite bloggers.
In order to send or receive tips, users must register with Revolution MoneyExchange, a peer-to-peer payment service that allows for the transfer of money with no fees between account holders. Open Salon members who register for the service will receive a complimentary $10 stipend to start tipping.
"Open Salon eliminates the gatekeepers," editor-in-chief Joan Walsh said in a statement. "It makes our smart, creative audience full partners in Salon's publishing future."
But what happens when the money runs out - will members still be inclined to tip their favorite bloggers out of their own pocket? That's the question the public beta hopes to answer before it officially launches later this year, right around the same time Maximum PC has promised all of its bloggers a company sponsored sports car and a four week paid vacation on the Hawaiian islands.
Rumors don't always turn out to be true, particularly in the tech world, but that's not the case with last week's chatter regarding Nehalem's name change. Intel has since made it official, formally branding the new architecture "Intel Core processor." Also true to rumor, the first products to come out of Santa Clara on the new silicon will be dubbed Core i7, which the company says is the first of several new identifiers to come as different products launch over the next year.
"The Core name is and will be our flagship PC processor going forward," said Sean Maloney, Intel's general manager, Sales and Marketing Group. "Expect Intel to focus even more marketing resources around that name and the Core i7 products starting now."
Antsy upgraders can look for the new processors in the fourth quarter of this year, with Extreme Edition variants identifiable by a separate black logo.
Any thoughts on Intel's decision to keep the Core nomenclature?
It’s hard to imagine Windows, or some other rich operating system, not being at the center of my digital world. But then again, 10 years ago it was hard to imagine having a digital world at all. Intense speculation over the future of cloud computing and the explosion of platform-agnostic web applications has led Microsoft to officially kick off a new R&D project, code-named Midori. Midori would be a cut-back operating system capable of keeping up with the pace of rapid innovation in a post-Windows world.
The biggest shift for Midori would be the move away from operating systems tied to a single PC. By contrast, the Windows platform is traditionally locked down to a particular set of hardware, and trying to keep consistency across multiple PCs or electronic devices is already proving to be a burden. Midori would free users from these shackles and recognizes that users of the future will be increasingly mobile. Midori is widely seen as an ambitious attempt by Microsoft to catch up in the field of virtualization, an emerging trend in the computer industry. Users of the future will want a small, lightweight operating system they can take with them and use as a virtual client.
The biggest challenge for Microsoft will be how it would cope financially without Windows. Michael A. Silver, a distinguished analyst at Gartner, is quoted as saying, “If Windows ends up being less important over time as applications become more OS agnostic, where will Microsoft make its money?” Though it has yet to be officially confirmed, rumor has it that Midori will be the successor to Singularity, which is the OS following Windows 7. Though, with predictions this far into the future, I would recommend a consultation with your magic 8 ball before you place any bets.
Just how rich are you? The answer is: pretty darn rich, if you can drop nearly $1000 on a useless application.
The application called ‘I Am Rich’ was available for purchase from the iPhone's App Store for the highest amount a developer can charge through the digital retailer, $999.99. The program’s developer, Armin Heinrich, said that once downloaded, it does not do much: a red icon sits on the iPhone home screen like any other application, with the subtext "I Am Rich." Once activated, it treats the user to a large, glowing gem (which, for the money, must be way better than the screenshot below).
Make the jump to see how many people bought 'I Am Rich'.
Microsoft has always been an ardent proponent of digital distribution, and now it’s this long-held belief that is reflected in its recent decision to pull Microsoft Money off store shelves. It has decided that the financial software will only be sold as an online download from here on. But the company isn’t in any hurry to renounce boxed software and realizes that an absolute transition to digital distribution will take some time.
An MS employee, Chris Jolley, told Cnet about the MS Money sales trends that instigated the current move. About half of the total sales of the financial software in the last year have been generated through the internet, according to Jolley.