Filed under: Culture, Nintendo DS, Sony PlayStation 2, Sony PlayStation 3, Sony PSP, Nintendo Wii, Microsoft Xbox 360, Business

[Image: "no Wii in stock" sign]

Black Friday 2008 will be remembered (http://www.bloomberg.com/apps/news?pid=20601087&sid=aLqPiB6k_l6U&refer=home) as a slight, but pleasant bump in a rocky road for retail this holiday. Fitting, then, that Wii and its equally scarce sidekick, Wii Fit (http://www.joystiq.com/tag/wii-fit/), were the top search items (http://news.cnet.com/8301-1001_3-10109931-92.html?tag=rtcol;pop) on the day. As it turns out, folks wanted to shop (172 million, to be exact!), they just couldn't always buy what they were searching for. With Wii in short supply at retail, eBay merchants continued to turn profits on resales of the console with an average selling price of $349. Overall, online shopping totals (http://www.comscore.com/press/release.asp?press=2604) grew modestly relative to last year.

Meanwhile, a stack of Xbox 360s caused a brawl (http://www.xbox360fanboy.com/2008/11/29/video-black-friday-shoppers-brawl-over-last-360/) at Walmart, and an employee was trampled (http://www.nytimes.com/2008/11/29/business/29walmart.html?scp=1&sq=walmart&st=cse) to death by a frenzied mob at the Green Acres Mall in Valley Stream, New York. In California, two men killed each other in a gunfight (http://www.latimes.com/news/local/la-me-toysrus30-2008nov30,0,71300.story) that erupted at the Palm Desert Toys R Us. All convincing examples of why we prefer to pay it safe from our keyboards: Hellooo Cyber Monday! (http://www.joystiq.com/2008/12/01/holidaze-2008-the-best-of-cyber-monday/)

[Image credit: Bruce On Games (http://www.bruceongames.com/2007/12/), Dec. 2007 -- same tune again this year, eh?]

"Black Friday: Wii crowned, economy still down" (http://www.joystiq.com/2008/12/01/black-friday-2008-wii-crowned-economy-still-down/) originally appeared on Joystiq (http://www.joystiq.com) on Mon, 01 Dec 2008 14:58:00 EST. Please see our terms for use of feeds (http://www.weblogsinc.com/feed-terms/).
Filed under: Nintendo DS, PC, Sony PlayStation 2, Sony PlayStation 3, Sony PSP, Nintendo Wii, Microsoft Xbox 360

[Image: Cyber Monday banner]

Nothing quite like being packed into a frenzied shopping mob, is there? It's why we wait for hours in the cold dark with nothing more than the lingering memory of ... wait a second, it's Cyber Monday (http://en.wikipedia.org/wiki/Cyber_Monday)! Now we can spend money on reduced-price games without leaving the comforts of our keyboard! Here are our picks for the best deals out there today.

Amazon | Toys 'R' Us | GameStop | Wal-Mart | Best Buy | Newegg | Target | Dell | Sears | Buy.com

Continue reading "Holidaze 2008: The Best of Cyber Monday" (http://www.joystiq.com/2008/12/01/holidaze-2008-the-best-of-cyber-monday/)

"Holidaze 2008: The Best of Cyber Monday" originally appeared on Joystiq (http://www.joystiq.com) on Mon, 01 Dec 2008 11:59:00 EST.
"In its profound wisdom, the FTC is allowing cell phone numbers to be released to telemarketers today. Now you can have the pleasure of being annoyed by a pesky telemarketer when you are just sitting down to dinner and have the pleasure of paying for it as well. Whatever possessed a government agency that is supposed to safeguard citizens’ rights to release private information to these vultures? In my opinion, telemarketers are the lowest life forms in the food chain and should be hunted down and exterminated. There should be a bounty on them."

I rarely receive telemarketing calls on my mobile phone, but I also have a habit of not answering the phone when someone who is not in my address book calls me. I figure if it is important they will leave me a voicemail, and if they know me they will know to shoot me an email or SMS message instead of calling in the first place. However, this decision still annoys me. It was one thing when telemarketers called you on your landline and you didn't have to pay for the call, but now that any of these answered calls are going to come out of your minute package, I feel this is highly inappropriate. I mean really, who still uses telemarketing nowadays? We live in the future. You would think these people never heard of SPAM before. Come on people, get on the ball!

The good news is you can add your mobile number to the national Do Not Call list. To do so, please point your browser to http://www.ftc.gov/donotcall.
Some not-so-bad news: Thailand’s tourism authorities have issued a list of hotels offering accommodation for stranded passengers. A special flight was arranged for Thai Muslim pilgrims making their annual Haj pilgrimage to Mecca. Foreign governments are making extra efforts to help their citizens.
As of this writing, the airport crisis is still not over. Dozens of empty planes were allowed to
leave Bangkok, but protesters still control the two major airports in Thailand.
There are three protest centers in Thailand: The two airports and the Government House. The
People’s Alliance for Democracy (PAD), the organizer of the protests, has decided to leave
the Government House after a
grenade blast inside the complex injured scores of protesters last Saturday. PAD will now
focus on maintaining its control of the airports. Will police allow PAD members to join their comrades in the two airports?
What is the solution to the crisis? A human rights group asks Parliament to convene an emergency session. There
are rumors that a court will
issue a decision which would not be favorable to the ruling party.
“Rumors abound that tomorrow (Tuesday) the court will dissolve the current majority political party and therefore sack the PM. Then a coup will follow to mop up the mess, disperse the airport crowd. Then an interim government. Then election. The Red Shirts aren’t going to like it but that’s the only way to solve the standoff, in my opinion.”
Tourists are able to leave the country through U-tapao airport. This is very far from Bangkok.
The situation there is chaotic:
“U-tapao is packed. Traffic is backed up. Tourists are spilled all over the parking lot, lugging their luggage in from the streets. This 1960-built former U.S. air force base from the Vietnam War has only one luggage scanner. A Thai-blog reader contacted me to say that he tried to “drop in” on U-tapao and it was a total nightmare. Anyone heading out should allow themselves a LOT of time to get there and to go through the maze of lines and put up with lots of characters.”

Portable toilet in U-Tapao airport. See the crowded room inside the airport. Photos from Falling Into You.
What is the situation inside the airport blockade? Apparently, passports
are no longer needed to enter the airport. Individuals only need to bring a yellow scarf (the
color of protest) or a PAD clapper (see video below this article). There was an American
tourist who spoke in the PAD program.
Protesters are preparing for a final showdown with the police. They claim they will use human shields to block
the police. Bangkok Pundit reports:
“I should note that there is a large number of children at the rallies. What responsible
parent would bring their children to a rally knowing there is a possibility of violence? Money is
certainly one reason.”
Pro-government rallies are also being held in central Bangkok. Red is the chosen color of government supporters. ~Meaw & More~ visited the pro-government rally and observes:

1. Music was not as good as PAD.
2. I have not seen anyone offered money in return. We have been offered a meal in a plastic bag, which was not bad, and some red banners.

Note
1. The crowd, as we saw today, are, according to external appearance and some chat, mainly Bangkokian middle class. Some even bother to dress as Santa.
2. Foreign photographers and journalists did not wear bulletproof vests like at PAD.
“I can say that in all my visits to the PAD rallies, they are not a mob but a predominantly
peaceful and respectful group that wants to see a new dimension in Thai politics. While visiting
red shirt rallies, while most were genuine, I was approached twice by thugs carrying machetes and
steel pipes threatening to beat me if I take pictures.”
“Just don’t be too hasty to pass judgement on the PAD when the Western media states
they are against democracy, because, Thailand's democracy works differently to ours.”
The Prime Minister is trapped in northeast Thailand. Frogblog Thaidings witnessed a government rally in that part of the country:
“Spend a few hours in their presence and you soon end up with a completely different
impression. These are people that are genuinely worried about the possibility of their democratic
right to vote being taken away.
“They are disgusted by PAD's antics in Bangkok, and the occupation of the airports there in
particular. They appreciate the damage being done both to Thailand's reputation and to its
economy. Many of them live in borderline poverty, so the slightest set-back can leave them
struggling to survive on a day-to-day basis. They feel insulted and degraded by the suggestion
that they are simply too stupid and lacking in education to vote for the right reasons.”
He was referring to the proposal of PAD to modify the method of choosing the country’s
leaders since they think the poor do not vote wisely during elections.
The airport crisis in Thailand is affecting other countries too. A tourist decided to enter
Thailand by traveling from
Singapore by land. Bangkok Dazed adds:
“Obviously the Bangkok Airport situation is affecting
other countries in the region as well. If any tourists want to travel to Myanmar, for
example, the Bangkok airport is the main gateway. Over in Siem Reap, Cambodia, several of my
friends have sent e-mails this week; concerned about my safety in Bangkok, and also worried about
a dropoff in tourism over there. My friend Rong works at the airport in Siem Reap and tells me
there hasn’t been much to do all week.”
Wired's Joshua A. Davis has a great profile of my pal Dan Kaminsky's work on discovering and then helping to fix a net-crashing DNS bug earlier this year. Davis really captures the excitement of discovering a major security flaw and the complex web of personal, professional and technical complications that come to bear when you're trying to disclose the research in a way that minimizes harm to the net. Dan does a lot of fun security-related stuff that doesn't get talked about in public. There's this one thing he does -- but that would be telling.

"The next morning, Kaminsky strode to the front of the conference room at Microsoft headquarters before Vixie could introduce him or even welcome the assembled heavy hitters. The 16 people in the room represented Cisco Systems, Microsoft, and the most important designers of modern DNS software. Vixie was prepared to say a few words, but Kaminsky assumed that everyone was there to hear what he had to say. After all, he'd earned the spotlight. He hadn't sold the discovery to the Russian mob. He hadn't used it to take over banks. He hadn't destroyed the Internet. He was actually losing money on the whole thing: As a freelance computer consultant, he had taken time off work to save the world. In return, he deserved to bask in the glory of discovery. Maybe his name would be heralded around the world.

Kaminsky started by laying out the timeline. He had discovered a devastating flaw in DNS and would explain the details in a moment. But first he wanted the group to know that they didn't have much time. On August 6, he was going to a hacker convention in Las Vegas, where he would stand before the world and unveil his amazing discovery. If there was a solution, they'd better figure it out by then.

But did Kaminsky have the goods? DNS attacks were nothing new and were considered difficult to execute. The most practical attack—widely known as cache poisoning—required a hacker to submit data to a DNS server at the exact moment that it updated its records. If he succeeded, he could change the records. But, like sperm swimming toward an egg, whichever packet got there first—legitimate or malicious—locked everything else out. If the attacker lost the race, he would have to wait until the server updated again, a moment that might not come for days. And even if he timed it just right, the server required a 16-bit ID number. The hacker had a 1-in-65,536 chance of guessing it correctly. It could take years to successfully compromise just one domain.

The experts watched as Kaminsky opened his laptop and connected the overhead projector. He had created a "weaponized" version of his attack on this vulnerability to demonstrate its power. A mass of data flashed onscreen and told the story. In less than 10 seconds, Kaminsky had compromised a server running BIND 9, Vixie's DNS routing software, which controls 80 percent of Internet traffic. It was undeniable proof that Kaminsky had the power to take down large swaths of the Internet."

Secret Geek A-Team Hacks Back, Defends Worldwide Web (Photo: John Keatley) ...
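The 1-in-65,536 figure in the excerpt above comes down to what a recursive resolver checks before it believes a reply. The Python below is an added illustration, not code from Boing Boing, Wired or BIND: it models those resolver-side checks on constructed packets (the reply must arrive on the port the query left from, carry the matching 16-bit transaction ID, echo the question, and only the first accepted answer is cached), and `expected_forgery_attempts` reproduces the article's figure for a fixed source port and, going beyond the excerpt, shows how a randomised source port (the mitigation DNS vendors shipped for this flaw) multiplies the guessing work.

```python
import struct
from dataclasses import dataclass, field

QTYPE_A = 1
QCLASS_IN = 1


@dataclass(frozen=True)
class PendingQuery:
    """What a resolver remembers about a query it has sent and is waiting on."""
    txid: int       # 16-bit transaction ID: the only secret in the article's scenario
    src_port: int   # UDP source port the query left from
    qname: str
    qtype: int = QTYPE_A


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(pkt: bytes, off: int):
    """Read a label sequence at pkt[off:]; return (lower-cased name, next offset).
    Compression pointers are not needed for the constructed packets used here."""
    labels = []
    while True:
        ln = pkt[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer not supported in this example")
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower(), off


def build_response(txid: int, qname: str, ipv4: str, qtype: int = QTYPE_A) -> bytes:
    """Constructed DNS response: 12-byte header, echoed question, one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, 1 question, 1 answer
    question = encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = encode_name(qname) + struct.pack("!HHIH", qtype, QCLASS_IN, 300, len(rdata)) + rdata
    return header + question + answer


def accept_response(pending: PendingQuery, pkt: bytes, dst_port: int):
    """Resolver-side checks a reply must pass before it may be cached.
    Returns (accepted, reason). An off-path forger never saw the query, so every
    value checked here is one it would have to guess."""
    if dst_port != pending.src_port:
        return False, "arrived on a port we did not query from"
    if len(pkt) < 12:
        return False, "truncated header"
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if txid != pending.txid:
        return False, "transaction id mismatch"
    if not flags & 0x8000:
        return False, "QR bit clear: not a response"
    if qdcount != 1:
        return False, "unexpected question count"
    try:
        qname, off = decode_name(pkt, 12)
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    except (IndexError, ValueError, struct.error):
        return False, "malformed question section"
    if (qname, qtype, qclass) != (pending.qname.lower(), pending.qtype, QCLASS_IN):
        return False, "question section does not match our query"
    return True, "ok"


@dataclass
class Cache:
    """First accepted answer wins; a later answer for the same query is dropped.
    This is the race the article describes."""
    entries: dict = field(default_factory=dict)

    def offer(self, pending: PendingQuery, pkt: bytes, dst_port: int):
        ok, reason = accept_response(pending, pkt, dst_port)
        if not ok:
            return False, reason
        key = (pending.qname.lower(), pending.qtype)
        if key in self.entries:
            return False, "already answered; late packet ignored"
        self.entries[key] = pkt
        return True, "cached"


def expected_forgery_attempts(port_range: int = 1) -> int:
    """Expected blind guesses per query for an off-path forger.
    port_range=1 is the fixed source port of the article's era (1 in 65,536);
    randomising the source port over N ports multiplies the work by N."""
    return 65536 * port_range
```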
Secret Geek A-Team Hacks Back, Defends Worldwide Web
By Joshua Davis. Photo: John Keatley.

In June 2005, a balding, slightly overweight, perpetually T-shirt-clad 26-year-old computer consultant named Dan Kaminsky decided to get in shape. He began by scanning the Internet for workout tips and read that five minutes of sprinting was the equivalent of a half-hour jog. This seemed like a great shortcut—an elegant exercise hack—so he bought some running shoes at the nearest Niketown. That same afternoon, he laced up his new kicks and burst out the front door of his Seattle apartment building for his first five-minute workout. He took a few strides, slipped on a concrete ramp and crashed to the sidewalk, shattering his left elbow.

He spent the next few weeks stuck at home in a Percocet-tinged haze. Before the injury, he'd spent his days testing the inner workings of software programs. Tech companies hired him to root out security holes before hackers could find them. Kaminsky (http://www.doxpara.com/?page_id=1159) did it well. He had a knack for breaking things—bones and software alike.

But now, laid up in bed, he couldn't think clearly. His mind drifted. Running hadn't worked out so well. Should he buy a stationary bike? Maybe one of those recumbent jobs would be best. He thought about partying in Las Vegas ... mmm, martinis ... and recalled a trick he'd figured out for getting free Wi-Fi at Starbucks.

As his arm healed, the details of that Starbucks hack kept nagging at him. He remembered that he had gotten into Starbucks' locked network using the domain name system, or DNS. When someone types google.com into a browser, DNS has a list of exactly where Google's servers are and directs the traffic to them. It's like directory assistance for the Internet. At Starbucks, the port for the low-bandwidth DNS connection—port 53—was left open to route customers to the Pay for Starbucks Wi-Fi Web page.

So, rather than pay, Kaminsky used port 53 to access the open DNS connection and get online. It was free but super-slow, and his friends mocked him mercilessly. To Kaminsky that was an irresistible challenge. After weeks of studying the minutiae of DNS and refining his hack, he was finally able to stream a 12-second animated video of Darth Vader dancing a jig with Michael Flatley. (The clip paired the Lord of the Sith with the Lord of the Dance.)

That was more than a year ago, but it still made him smile. DNS was the unglamorous underbelly of the Internet, but it had amazing powers. Kaminsky felt drawn to the obscure, often-ignored protocol all over again.
Maybe the painkillers loosened something in his mind, because as Kaminsky began to think more deeply about DNS he became convinced that something wasn't right. He couldn't quite figure it out, but the feeling stuck with him even after he stopped taking the pain pills. He returned to work full time and bought a recumbent stationary bike. He got hired to test the security of Windows Vista before it was released, repeatedly punching holes in it for Microsoft. Still, in the back of his mind, he was sure that the entire DNS system was vulnerable to attack.

Then last January, on a drizzly Sunday afternoon, he flopped down on his bed, flipped open his laptop, and started playing games with DNS. He used a software program called Scapy to fire random queries at the system. He liked to see how it would respond and decided to ask for the location of a series of nonexistent Web pages at a Fortune 500 company. Then he tried to trick his DNS server in San Diego into thinking that he knew the location of the bogus pages.

Suddenly it worked. The server accepted one of the fake pages as real. But so what? He could now supply fake information for a page nobody would ever visit. Then he realized that the server was willing to accept more information from him. Since he had supplied data about one of the company's Web pages, it believed that he was an authoritative source for general information about the company's domain. The server didn't know that the Web page didn't exist—it was listening to Kaminsky now, as if it had been hypnotized.

When DNS was created (http://www.wired.com/science/discoveries/news/2008/06/dayintech_0623) in 1983, it was designed to be helpful and trusting—it's directory assistance, after all. It was a time before hacker conventions and Internet banking. Plus, there were only a few hundred servers to keep track of. Today, the humble protocol stores the location of a billion Web addresses and routes every piece of Internet traffic in the world.

Security specialists have been revamping and strengthening DNS for more than two decades. But buried beneath all this tinkering, Kaminsky had just discovered a vestige of that original helpful and trusting program. He was now face-to-face with the behemoth's almost childlike core, and it was perfectly content to accept any information he wanted to supply about the location of the Fortune 500 company's servers.

[Photo: Paul Vixie organized experts from around the world to address the DNS security flaw. Photo: John Keatley]
Kaminsky froze. This was far more serious than anything he could have imagined. It was the ultimate hack. He was looking at an error coded into the heart of the Internet's infrastructure. This was not a security hole in Windows or a software bug in a Cisco router. This would allow him to reassign any Web address, reroute anyone's email, take over banking sites, or simply scramble the entire global system. The question was: Should he try it?

The vulnerability gave him the power to transfer millions out of bank accounts worldwide. He lived in a barren one-bedroom apartment and owned almost nothing. He rented the bed he was lying on as well as the couch and table in the living room. The walls were bare. His refrigerator generally contained little more than a few forgotten slices of processed cheese and a couple of Rockstar energy drinks. Maybe it was time to upgrade his lifestyle.

Or, for the sheer geeky joy of it, he could reroute all of .com into his laptop, the digital equivalent of channeling the Mississippi into a bathtub. It was a moment hackers around the world dream of—a tool that could give them unimaginable power. But maybe it was best simply to close his laptop and forget it. He could pretend he hadn't just stumbled over a skeleton key to the Net. Life would certainly be less complicated. If he stole money, he'd risk prison. If he told the world, he'd be the messenger of doom, potentially triggering a collapse of Web-based commerce.

But who was he kidding? He was just some guy. The problem had been coded into Internet architecture in 1983. It was 2008. Somebody must have fixed it by now. He typed a quick series of commands and pressed enter. When he tried to access the Fortune 500 company's Web site, he was redirected to an address he himself had specified.

"Oh shit," he mumbled. "I just broke the Internet."

Paul Vixie, one of the creators of the most widely used DNS software, stepped out of a conference in San Jose. A curious email had just popped up on his laptop. A guy named Kaminsky said he'd found a serious flaw in DNS and wanted to talk. He sent along his phone number.

Vixie had been working with DNS since the 1980s and had helped solve some serious problems over the years. He was president of the Internet Systems Consortium (https://secure.isc.org/), a nonprofit that distributed BIND 9, his DNS software. At 44, he was considered the godfather of DNS. If there was a fundamental error in DNS, he probably would have fixed it long ago.

But to be on the safe side, Vixie decided to call Kaminsky. He picked up immediately and within minutes had outlined the flaw. A series of emotions swept over Vixie. What he was hearing shouldn't be possible, and yet everything the kid said was logical. By the end of the third minute, Vixie realized that Kaminsky had uncovered something that the best minds in computer science had overlooked. This affected not just BIND 9 but almost all DNS software. Vixie felt a deep flush of embarrassment, followed by a sense of pure panic.

"The first thing I want to say to you," Vixie told Kaminsky, trying to contain the flood of feeling, "is never, ever repeat what you just told me over a cell phone."

Vixie knew how easy it was to eavesdrop on a cell signal, and he had heard enough to know that he was facing a problem of global significance. If the information were intercepted by the wrong people, the wired world could be held ransom. Hackers could wreak havoc. Billions of dollars were at stake, and Vixie wasn't going to take any risks.

From that moment on, they would talk only on landlines, in person, or via heavily encrypted email. If the information in an email were accidentally copied onto a hard drive, that hard drive would have to be completely erased, Vixie said. Secrecy was critical. They had to find a solution before the problem became public.
Andreas Gustafsson knew something was seriously wrong. Vixie had emailed the 43-year-old DNS researcher in Espoo, Finland, asking to talk at 7 pm on a hardwired line. No cell phones.

Gustafsson hurried into the freezing March evening—his only landline was the fax in his office a brisk mile walk away. When he arrived, he saw that the machine didn't have a handset. Luckily, he had an analog phone lying around. He plugged it in, and soon it let off an old-fashioned metallic ring.

Gustafsson hadn't spoken to Vixie in years, but Vixie began the conversation by reading aloud a series of numbers—a code that would later allow him to authenticate Gustafsson's emails and prove that he was communicating with the right person. Gustafsson responded with his own authenticating code. With that out of the way, Vixie got to his point: Find a flight to Seattle now.

Wouter Wijngaards (http://tools.ietf.org/id/draft-wijngaards-dnsext-resolver-side-mitigation-00.txt) got a call as well, and the message was the same. The Dutch open source programmer took the train to the airport in Amsterdam, got on a 10-hour flight to Seattle, and arrived at the Silver Cloud Inn in Redmond, Washington, on March 29. He had traveled all the way from Europe, and he didn't even know why. Like Gustafsson, he had simply been told to show up in Building Nine on the Microsoft campus at 10 am on March 31.

In the lobby of the Silver Cloud, Wijngaards met Florian Weimer (http://www.enyo.de/fw/), a German DNS researcher he knew. Weimer was talking with Chad Dougherty, the DNS point man from Carnegie Mellon's Software Engineering Institute. Wijngaards joined the conversation—they were trying to figure out where to have dinner. Nobody talked about why some of the world's leading DNS experts happened to bump into one another near the front desk of this generic US hotel. Vixie had sworn each of them to secrecy. They simply went out for Vietnamese food and avoided saying anything about DNS.

The next morning,
Kaminsky strode to the front of the conference room at Microsoft headquarters before Vixie could
introduce him or even welcome the assembled heavy hitters. The 16 people in the room represented
Cisco Systems, Microsoft, and the most important designers of modern DNS software./p pVixie was
prepared to say a few words, but Kaminsky assumed that everyone was there to hear what he had to
say. After all, he'd earned the spotlight. He hadn't sold the discovery to the Russian mob. He
hadn't used it to take over banks. He hadn't destroyed the Internet. He was actually losing money
on the whole thing: As a freelance computer consultant, he had taken time off work to save the
world. In return, he deserved to bask in the glory of discovery. Maybe his name would be heralded
around the world./p pKaminsky started by laying out the timeline. He had discovered a devastating
flaw in DNS and would explain the details in a moment. But first he wanted the group to know that
they didn't have much time. On August 6, he was going to a hacker convention in Las Vegas, where he
would stand before the world and unveil his amazing discovery. If there was a solution, they'd
better figure it out by then./p pBut did Kaminsky have the goods? DNS attacks were nothing new and
were considered difficult to execute. The most practical attackmdash;widely known as a
href="http://www.secureworks.com/research/articles/dns-cache-poisoning/"cache
poisoning/amdash;required a hacker to submit data to a DNS server at the exact moment that it
updated its records. If he succeeded, he could change the records. But, like sperm swimming toward
an egg, whichever packet got there firstmdash;legitimate or maliciousmdash;locked everything else
out. If the attacker lost the race, he would have to wait until the server updated again, a moment
that might not come for days. And even if he timed it just right, the server required a 16-bit ID
number. The hacker had a 1-in-65,536 chance of guessing it correctly. It could take years to
successfully compromise just one domain./p pThe experts watched as Kaminsky opened his laptop and
connected the overhead projector. He had created a "weaponized" version of his attack on this vulnerability to demonstrate its power. A mass of data flashed onscreen and told the story. In less than 10 seconds, Kaminsky had compromised a server running BIND 9 (http://www.isc.org/index.pl?/sw/bind/view/?release=9.3.2-P2), Vixie's DNS routing software, which controls 80 percent of Internet traffic. It was undeniable proof that Kaminsky had the power to take down large swaths of the Internet.

The tension in the room rose as Kaminsky kept talking. The flaw jeopardized more than just the integrity of Web sites. It would allow an attacker to channel email as well. A hacker could redirect almost anyone's correspondence, from a single user's to everything coming and going between multinational corporations. He could quietly copy it before sending it along to its original destination. The victims would never know they had been compromised.

This had serious implications. Since many "forgot my password" buttons on banking sites rely on email to verify identity, an attacker could press the button, intercept the email, and change the password to anything he wanted. He would then have total access to that bank account.

"We're hosed," Wijngaards thought.

It got worse. Most Internet commerce transactions are encrypted. The encryption is provided by companies like VeriSign. Online vendors visit the VeriSign site and buy the encryption; customers can then be confident that their transactions are secure.

But not anymore. Kaminsky's exploit would allow an attacker to redirect VeriSign's Web traffic to an exact functioning replica of the VeriSign site. The hacker could then offer his own encryption, which, of course, he could unlock later. Unsuspecting vendors would install the encryption and think themselves safe and ready for business. A cornerstone of secure Internet communication was in danger of being destroyed.

David Ulevitch (http://david.ulevitch.com/) smiled despite himself. The founder of OpenDNS, a company that operates DNS servers worldwide, was witnessing a tour de force—the geek equivalent of Michael Phelps winning his eighth gold medal. As far as Ulevitch was concerned, there had never been a vulnerability of this magnitude that was so easy to use. "This is an amazingly catastrophic attack," he marveled with a mix of grave concern and giddy awe.

It was a difficult flight back to San Francisco for Sandy Wilbourn (http://www.nominum.com/company/executives_wilbourn.php), vice president of engineering for Nominum, a company hired by broadband providers to supply 150 million customers with DNS service. What he heard in Redmond was overwhelming—a 9 out of 10 on the scale of disasters. He might have given it a 10, but it was likely to keep getting worse. He was going to give this one some room to grow.

One of Wilbourn's immediate concerns was that about 40 percent of the country's broadband Internet ran through his servers. If word of the vulnerability leaked, hackers could quickly compromise those servers.

In his Redwood City, California, office, he isolated a hard drive so no one else in the company could access it. Then he called in his three top engineers, shut the door, and told them that what he was about to say couldn't be shared with anyone—not at home, not at the company. Even their interoffice email would have to be
encrypted from now on.

Their task: Make a change to the basic functioning of Nominum's DNS servers. They and their customers would have to do it without the usual testing or feedback from outside the group. The implementation—the day the alteration went live to millions of people—would be its first real-world test.

It was a daunting task, but everyone who had been in Redmond had agreed to do the same thing. They would do it secretly, and then, all together on July 8, they would release their patches. If hackers didn't know there was a gaping DNS security hole before, they would know then. They just wouldn't know exactly what it was. Nominum and the other DNS software vendors would have to persuade their customers—Internet service providers from regional players such as Cablevision to giants like Comcast—to upgrade fast. It would be a race to get servers patched before hackers figured it out.

Though the Redmond group had agreed to act in concert, the patch—called the source port randomization solution—didn't satisfy everyone. It was only a short-term fix, turning what had been a 1-in-65,536 chance of success into a 1-in-4 billion shot.

Still, a hacker could use an automated system to flood a server with an endless stream of guesses. With a high-speed connection, a week of nonstop attacking would likely succeed. Observant network operators would see the spike in traffic and could easily block it. But, if overlooked, the attack could still work. The patch only papered over the fundamental flaw that Kaminsky had exposed.

On July 8, Nominum, Microsoft, Cisco, Sun Microsystems, Ubuntu, and Red Hat, among many others, released source port randomization patches. Wilbourn called it the largest multivendor patch in the history of the Internet. The ISPs and broadband carriers like Verizon and Comcast that had been asked to install it wanted to know what the problem was. Wilbourn told them it was extremely important that they deploy the patch, but the reason would remain a secret until Kaminsky delivered his talk in Las Vegas.

Even as Kaminsky was giving interviews about the urgency of patching to media outlets from the Los Angeles Times to CNET, the computer security industry rebelled. "Those of us ... who have to advise management cannot tell our executives 'trust Dan,'" wrote one network administrator (http://archives.neohapsis.com/archives/dailydave/current/0090.html) on a security mailing list. On one blog, an anonymous poster wrote this to Kaminsky: "You ask people not to speculate so your talk isn't blown but then you whore out minor details to every newspaper/magazine/publishing house so your name can go all over Google and gain five minutes of fame? This is why people hate you and wish you would work at McDonald's instead."
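The two odds the article gives for a forged reply, 1 in 65,536 when only the 16-bit transaction ID is checked and roughly 1 in 4 billion once the source port is randomized as well, fall out of a small model of the checks a resolver applies before accepting a reply; the "spike in traffic" an observant operator would see is modelled as a count of rejected replies per second. This is an added example, not code from the article or from any DNS implementation, and it assumes a resolver draws its source port from the 1024-65535 range (64,512 values); the per-second counts fed to the spike check are constructed.

```python
"""Model of the checks a recursive resolver applies before caching a DNS reply,
and of the odds that a blind forgery passes them. Added example; the port range
and the sample counts below are assumptions, not figures from the article."""
import statistics
from dataclasses import dataclass

TXID_SPACE = 1 << 16           # 16-bit transaction ID: 65,536 values
PORT_SPACE = 65535 - 1024 + 1  # assumed usable source ports 1024..65535: 64,512 values


@dataclass(frozen=True)
class Query:
    name: str      # question name the resolver asked about
    txid: int      # transaction ID the resolver chose
    src_port: int  # UDP source port the query left from


@dataclass(frozen=True)
class Reply:
    name: str      # question name echoed in the reply
    txid: int      # transaction ID carried by the reply
    dst_port: int  # UDP port the reply was delivered to


def reply_matches(q: Query, r: Reply, port_randomized: bool) -> bool:
    """Accept a reply only if it matches the outstanding query.

    Before the July 2008 patches a resolver sent every query from one fixed,
    predictable port, so only name and TXID stood between a forgery and the
    cache; with source port randomization the port must also match."""
    if r.name != q.name or r.txid != q.txid:
        return False
    return r.dst_port == q.src_port or not port_randomized


def guess_space(port_randomized: bool) -> int:
    """Number of equally likely (TXID, port) values a forged reply must hit."""
    return TXID_SPACE * (PORT_SPACE if port_randomized else 1)


def acceptance_probability(forged_replies: int, port_randomized: bool) -> float:
    """P(at least one of `forged_replies` blind guesses is accepted) for one query."""
    n = guess_space(port_randomized)
    return 1.0 - (1.0 - 1.0 / n) ** forged_replies


def flag_reply_flood(rejected_per_second: list, factor: int = 20) -> list:
    """Return the seconds in which rejected (mismatched) replies exceed `factor`
    times the median rate: the traffic spike an observant operator would see."""
    baseline = max(statistics.median(rejected_per_second), 1)
    return [i for i, n in enumerate(rejected_per_second) if n > factor * baseline]


if __name__ == "__main__":
    print(guess_space(False), guess_space(True))   # 65536 4227858432
    print(acceptance_probability(65536, False))    # about 0.632
    # Constructed per-second counts of replies the resolver discarded.
    print(flag_reply_flood([3, 2, 4, 3, 900, 1200, 3]))  # [4, 5]
```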
With a backlash building, Kaminsky decided to reach out to a few influential security experts in hopes of winning them over. He set up a conference call with Rich Mogull (http://securosis.com/about/), founder of Securosis, a well-respected security firm; researcher Dino Dai Zovi (http://www.theta44.org/main.html); and Thomas Ptacek (http://www.matasano.com/team/), a detractor who would later accuse Vixie and Kaminsky of forming a cabal.

The call occurred July 9. Kaminsky agreed to reveal the vulnerability if Mogull, Dai Zovi, and Ptacek would keep it secret until the Vegas talk August 6. They agreed, and Kaminsky's presentation laid it out for them. The security experts were stunned. Mogull wrote, "This is absolutely one of the most exceptional research projects I've seen." And in a blog post Ptacek wrote, "Dan's got the goods. It's really f'ing good."

And then, on July 21, a complete description of the exploit appeared on the Web site of Ptacek's company. He claimed it was an accident but acknowledged that he had prepared a description of the hack so he could release it concurrently with Kaminsky. By the time he removed it, the description had traversed the Web. The DNS community had kept the secret for months. The computer security community couldn't keep it 12 days.

About a week later, an AT&T server in Texas was infiltrated using the Kaminsky method. The attacker took over google.com—when AT&T Internet subscribers in the Austin area tried to navigate to Google, they were redirected to a Google look-alike that covertly clicked ads. Whoever was behind the attack probably profited from the resulting increase in ad revenue.

Every day counted now. While Kaminsky, Vixie, and the others pleaded with network operators to install the patch, it's likely that other hacks occurred. But the beauty of the Kaminsky attack, as it was now known, was that it left little trace. A good hacker could reroute email, reset passwords, and transfer money out of accounts quickly. Banks were unlikely to announce the intrusions—online theft is bad PR. Better to just cover the victims' losses.

On August 6, hundreds of people crammed into a conference room at Caesars Palace to hear Kaminsky speak (http://www.youtube.com/watch?v=R-SSVxsH7vw). The seats filled up quickly, leaving a scrum of spectators standing shoulder to shoulder in the back. A group of security experts had mockingly nominated Kaminsky for the Most Overhyped Bug award (http://pwnie-awards.org/2008/awards.html), and many wanted to know the truth: Was the massive patching effort justified, or was Kaminsky just an arrogant, media-hungry braggart?

While his grandmother handed out homemade Swedish lace cookies, Kaminsky
took the stage wearing a black T-shirt featuring an image of Pac-Man at a dinner table. He tried for modesty. "Who am I?" he asked rhetorically. "Some guy. I do code."

The self-deprecation didn't suit him. He had the swagger of a rock star and adopted the tone of a misunderstood genius. After detailing the scope of the DNS problem, he stood defiantly in front of a bullet point summary of the attack and said, "People called BS on me. This is my reply."

By this time, hundreds of millions of Internet users were protected. The bomb had been defused. The problem was, there was little agreement on what the long-term solution should be. Most discussion centered around the concept of authenticating every bit of DNS traffic. It would mean that every computer in the world—from iPhones to corporate server arrays—would have to carry DNS authentication software. The root server could guarantee that it was communicating with the real .com name server, and .com would receive cryptological assurance that it was dealing with, say, the real Google. An impostor packet wouldn't be able to authenticate itself, putting an end to DNS attacks. The procedure is called DNSSEC (http://www.dnssec.net/) and has high-profile proponents, including Vixie and the US government.

But implementing a massive and complicated protocol like DNSSEC isn't easy. Vixie has actually been trying to persuade people for years, and even he hasn't succeeded. Either way, the point might turn out to be moot. Kaminsky ended his Las Vegas talk by hinting that even darker security problems lay ahead. It was the type of grandstanding that has made him a polarizing figure in the computer security community. "There is no saving the Internet," he said. "There is postponing the inevitable for a little longer."

Then he sauntered off the stage and ate one of his grandma's cookies.

Contributing editor Joshua Davis (www.joshuadavis.net) wrote about the rescue of the foundering Cougar Ace (/science/discoveries/magazine/16-03/ff_seacowboys) in issue 16.03.
To commemorate his 30-year anniversary in music, guitar legend George Lynch (DOKKEN, LYNCH MOB) is
releasing a series of 200 fine art original canvases.
Riots are breaking out in factories in Dongguan as bankruptcies and layoffs throw thousands out of
work with wages owing. South China, "the world's factory," is in chaos, faltering. After the
mid-autumn festival, enormous numbers of workers simply stayed home in the provinces, rather than
returning to work in Shenzhen, Guangzhou, and Dongguan. This AP story talks about a riot in the
factory where Nerf toys were manufactured for Hasbro -- and no, they didn't fight with Nerf bats.
Tempers began flaring Tuesday when the plant's Hong Kong owner, Kader Holdings Company Ltd.,
prepared to lay off 216 migrant workers at the factory that employs 6,500. About 80 senior workers
claimed they were getting shortchanged on their severance pay, and they mobilized a mob of 500
— mostly other unemployed workers and friends, Guo said. The workers battled
security guards, turned over a police car, smashed the headlights of police motorcycles and forced
their way through the factory's front gate, Guo said. They went on a rampage in the plant's
offices, damaging 10 computers, the company said. The account was confirmed Wednesday by several of
the 200 or so jobless laborers peacefully milling around the street in front of the four-story
factory complex covered in soot-stained white and green tiles. Small groups of workers inside the
factory pressed against glass windows and stared at the crowd below. When their shift ended, they
flooded into the streets and mixed with the angry workers. "The factory's management and the local
officials really look down on the workers," said one laid-off worker who would only give his
surname, Qiao, because he feared criticizing the company might jeopardize his chance of getting any
compensation. Workers riot at Chinese toy factory (Thanks, Jennifer!)