Feb 26 2010

Kolivas Pushes New Kernel Responsiveness Patches

Con Kolivas had stopped working on the Linux kernel for two years after he became fed up with the kernel development community, but last year he made a return by introducing the BFS scheduler. The BFS scheduler for the Linux kernel is quite simple in design compared to other schedulers, but it performed fairly well on desktop systems. Due to Con’s past frustrations, he has no intentions of mainlining the Brain Fuck Scheduler, but he has now offered up another batch of patches.

Kolivas has released a new set of patches this morning that are “designed to improve system responsiveness and interactivity with specific emphasis on the desktop.” There are 13 patches he has made available that can be applied against the freshly released Linux 2.6.33 kernel. One of the patches is BFS, another changes the default timer frequency to 1000Hz, another adds new values that allow the timer frequency to be raised to 10,000Hz, and there are various other changes.

While Con Kolivas is unlikely to be trying to get these patches pushed into the Linux 2.6.34 kernel, he has published them to the Linux kernel mailing list. His patches can be found in the 2.6.33-ck1 directory.

Source


Feb 26 2010

PHP 5.2.13 addresses security holes

An update which fixes around 40 bugs is available for the PHP 5.2 development branch. Version 5.2.13 comes highly recommended for all PHP 5.2.x users, as it includes a number of security-related fixes. These include a bug in the validation of the safe_mode configuration variable in the tempnam() function, which arises when the path does not end in a slash. An open_basedir/safe_mode bypass vulnerability in the session extension has also been fixed.

More details about the release, including other significant changes, can be found in the release announcement and change log. PHP 5.2.13 is available to download from the project’s site.

The current PHP development branch is PHP 5.3, for which version 5.3.1 has been available since November 2009. A third release candidate for PHP 5.3.2 was released on the 23rd of February.

Source


Feb 17 2010

2010 CWE/SANS Top 25 Most Dangerous Programming Errors

The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.

The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped. Software customers can use the same list to help them to ask for more secure software. Researchers in software security can use the Top 25 to focus on a narrow but important subset of all known security weaknesses. Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software.

The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe. It leverages experiences in the development of the SANS Top 20 attack vectors (http://www.sans.org/top20/) and MITRE’s Common Weakness Enumeration (CWE) (http://cwe.mitre.org/). MITRE maintains the CWE web site, with the support of the US Department of Homeland Security’s National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. The CWE site contains data on more than 800 programming errors, design errors, and architecture errors that can lead to exploitable vulnerabilities.

The 2010 Top 25 makes substantial improvements to the 2009 list, but the spirit and goals remain the same. The structure of the list has been modified to distinguish mitigations and general secure programming principles from more concrete weaknesses. This year’s Top 25 entries are prioritized using inputs from over 20 different organizations, who evaluated each weakness based on prevalence and importance. The new version introduces focus profiles that allow developers and other users to select the parts of the Top 25 that are most relevant to their concerns. The new list also adds a small set of the most effective “Monster Mitigations,” which help developers to reduce or eliminate entire groups of the Top 25 weaknesses, as well as many of the other 800 weaknesses that are documented by CWE. Finally, many high-level weaknesses from the 2009 list have been replaced with lower-level variants that are more actionable.

Source


Feb 16 2010

Cloud platform choices: a developer’s-eye view

Cloud computing is one of the most hyped technology concepts in recent memory, and, like many buzzwords, the term “cloud” is overloaded and overused. A while back Ars ran an article attempting to clear some of the confusion by reviewing the cloud’s hardware underpinnings and giving it a proper definition, and in this article I’ll flesh out that picture on the software side by offering a brief tour of the cloud platform options available to development teams today. I’ll also discuss these options’ key strengths and weaknesses, and I’ll conclude with some thoughts about the kinds of advances we can expect in the near term. In all, though, it’s important to keep in mind that what’s presented here is just a snapshot. The cloud is evolving very rapidly—critical features that seem to be missing today may be standard a year from now.

Before I begin, it’s worth noting one of the key reasons for the confusion that surrounds cloud computing. Unlike most hot tech trends that attain buzzword status, the aspects of the cloud that make it a truly new form of client-server (e.g., rapid scalability from a few resource units to tens of thousands, metered usage models, the ability to access resources from any Internet-connected device, low barriers to client entry, etc.) also make it impossible, at least from a developer’s perspective, to pin down into the traditional “enterprise,” “small to medium business,” or “consumer” boxes that the IT world thinks in terms of. Enterprises, SMBs, tiny startups, and lone coders all run their code on the cloud platforms described below. It’s true that each category of user faces different parameters and constraints when deciding how and where to use cloud services, and I’ll reference a few of the issues that enterprise users face in the article below. But even though the basic perspective of this article is that of enterprise IT, much of the material has relevance to non-enterprise users as well.

Source


Feb 9 2010

Biggest hacker training site shut down

What is believed to be the country’s biggest hacker training site has been shut down by police in Central China’s Hubei province. Three people were also arrested, local media reported yesterday.

The three, who ran Black Hawk Safety Net, are suspected of offering others online attacking programs and software, a crime recently added to the Criminal Law. A total of 1.7 million yuan ($249,000) in assets were also frozen.

According to the provincial public security department of Hubei, the closure of the website had its roots in a previous Web attack and virus dissemination case in the city of Macheng in 2007, when police found some of the suspects caught were members of Black Hawk Safety Net.

Hubei province named Black Hawk Safety Net as the largest hacker training site in China, which openly recruited members and disseminated hacker techniques through lessons, trojan software and online forum communications.

Since it was established in 2005, the site had recruited more than 12,000 VIP members and collected more than 7 million yuan in membership fees. More than 170,000 people registered for free membership.

Police said more than 50 officers had been investigating the case.

They seized nine Web servers, five computers and one car, and shut down all the sites involved in the case, according to the provincial public security department.

“I could download trojan programs from the site which allowed me to control other people’s computers. I did this just for fun but I also know that many other members could make a fortune by attacking other people’s accounts,” said a 23-year-old member of Black Hawk Safety Net in Nanjing of East China’s Jiangsu province, who asked to remain anonymous.

“It is not very difficult to do simple hacker tasks. Some hacker members are teenagers who dropped out of school and make money by stealing accounts,” he said.

A 20-year-old college student who registered with three different hacker training sites said a hacker training course costs from 100 to 2,000 yuan.

“Basically students were told how to steal accounts and use trojan programs. Sometimes trainers show us how to write programs,” he said.

“But now it’s very difficult to become a registered member. Some well-known hacker training sites have not been accessible since November,” he said.

According to a report released by the National Computer Network Emergency Response Coordination Center of China, the hacker industry in China caused losses of 7.6 billion yuan in 2009.

Source


Jan 8 2010

phpwn: Attack on PHP sessions and random numbers

Studying PHP’s (5.3.1 and below) LCG (linear congruential generator, a pseudorandom number generator), I discovered that there are weaknesses that reduce the complexity of determining the sequence of pseudorandom numbers. What this means is that PHP is severely deficient in producing random session IDs or random numbers, leading to the possibility of stealing sessions or other sensitive information.

The initial seed space can be reduced from 64 bits to 35 bits, and with PHP code execution it can be reduced further, to just under 20 bits, at which point recreating the initial seed takes only seconds. You can test this with the sources available below.

Other tools that work the LCG forward and in reverse, as well as determine session IDs, are found below.
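To make the advisory's point concrete, here is an added example that is not part of phpwn or its tools. It uses a toy LCG with constructed parameters (not PHP's combined generator) to show two things: why a seed space of roughly 20 bits is exhausted in seconds when session IDs are built from a seeded linear generator, and what the mitigation looks like, namely drawing IDs from the OS CSPRNG (Python's `secrets` module here) so there is no seed to recover. The function names and the 31-bit modulus/multiplier are assumptions made for this illustration.

```python
"""Why a low-entropy PRNG seed makes session IDs guessable.

Added example: a toy LCG with constructed parameters stands in for any
linear generator. Once the seed space shrinks to ~20 bits, every seed can
be tried in seconds, after which the whole output sequence is known.
"""
import time
from typing import Optional

# Constructed LCG parameters (Park-Miller style). NOT PHP's generator.
LCG_M = 2**31 - 1
LCG_A = 48271


def lcg_next(state: int) -> int:
    """One step of the toy LCG: state' = A * state mod M."""
    return (LCG_A * state) % LCG_M


def weak_session_id(seed: int, words: int = 4) -> str:
    """Session ID built from successive LCG outputs (deliberately weak)."""
    state, parts = seed, []
    for _ in range(words):
        state = lcg_next(state)
        parts.append(f"{state:08x}")
    return "".join(parts)


def recover_seed(session_id: str, seed_bits: int) -> Optional[int]:
    """Find the seed behind one observed ID, assuming it fits in seed_bits.

    Each candidate costs one LCG step, so 2**20 candidates is about a
    million cheap operations: this is the 'seconds' in the advisory.
    Multiplication by A is a bijection mod the prime M, so the first
    output word pins the seed down uniquely.
    """
    first_word = int(session_id[:8], 16)
    for candidate in range(1, 2**seed_bits):
        if lcg_next(candidate) == first_word:
            return candidate
    return None


def estimated_search_seconds(seed_bits: int, sample_bits: int = 16) -> float:
    """Time 2**sample_bits LCG steps and extrapolate to a 2**seed_bits search.

    Lets you compare the advisory's 64-, 35- and 20-bit seed spaces on the
    machine you are sitting at rather than trusting a rule of thumb.
    """
    start = time.perf_counter()
    state = 1
    for _ in range(2**sample_bits):
        state = lcg_next(state)
    per_step = (time.perf_counter() - start) / 2**sample_bits
    return per_step * 2**seed_bits


def strong_session_id() -> str:
    """128 bits from the OS CSPRNG: no seed to recover, no sequence to extend."""
    import secrets
    return secrets.token_hex(16)


if __name__ == "__main__":
    seed = 123456                     # constructed: a seed below 2**20
    sid = weak_session_id(seed)
    t0 = time.perf_counter()
    found = recover_seed(sid, 20)
    print(f"weak id {sid}: seed {found} recovered in "
          f"{time.perf_counter() - t0:.2f}s")
    for bits in (20, 35, 64):
        print(f"{bits}-bit seed space: ~{estimated_search_seconds(bits):.3g}s")
    print("strong id:", strong_session_id())
```

The timing function is the part worth running: on ordinary hardware the 20-bit search finishes while you watch, the 35-bit estimate is hours to days, and 64 bits is out of reach, which is exactly why reducing the seed space matters more than the generator's output width.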

Source


Dec 18 2009

PHP 5.2.12 closes security holes

The PHP developers have released version 5.2.12 of their popular programming language, fixing over 60 bugs mainly to increase stability, but also closing some security holes. While PHP 5.3 has been available since mid 2009, backwards compatibility issues with various popular PHP applications have prevented many users from upgrading. Since, as a result, the 5.2 branch is still used on numerous systems, the developers continue to update this branch.

The current update particularly prevents attackers from bypassing the safe_mode and open_basedir security functions in connection with the tempnam() and posix_mkfifo() functions. The new max_file_uploads option prevents potential DoS attacks when uploading files by limiting the number of files per upload request. Furthermore, the $_SESSION variable is now less susceptible to manipulations, and the htmlspecialchars() PHP function for converting special characters in HTML code offers enhanced string checking.

Source


Nov 20 2009

SimpleGeo Wins More than Praise at ‘Under the Radar’

The formidable combination of Matt Galligan (Founder, Socialthing!) and Joe Stump (Former Lead Architect, Digg) came out on top yesterday at ‘Under the Radar’. The duo’s new company SimpleGeo won both the judges’ and audience awards for the location category at the event. ‘Under the Radar’ helps to give up-and-coming technology innovators a stage to show what they’ve been up to.

TechCrunch gave their insight on the company’s offerings:

SimpleGeo is akin to an ‘Amazon Web Services’ for location: developers looking to integrate location based services (LBS) can plug into some simple APIs and SimpleGeo will do most of the legwork for them. The startup originated as a gaming company, but after spending four months building out their location platform, Stump and Galligan realized they had stumbled across an opportunity: location is soon going to become an expected feature in many applications, and there’s no reason developers should have to reinvent the wheel every time they want to include the feature. SimpleGeo is looking to do it for them.

The team of Galligan and Stump stands to bring a level playing-field to many smaller developers. By utilizing their infrastructure, SDK, and services, developers who were previously too intimidated to get into location-based development now have an opportunity to see their ideas through.

Source


Nov 16 2009

Offensive Security Exploit Archive Online – New milw0rm

From Security-Shell:

After a short and intense setup, we are ready to present the Offsec Exploit Archive. We’ve recreated the milw0rm database, updated it and are now accepting submissions. The purpose of the site is to provide researchers and security enthusiasts a repository of exploits, and when possible, the relevant affected software. We’ve started the party by posting a few new exploits of our own – namely a Novell eDirectory 8.8 SP5 iConsole Buffer overflow exploit and a HP Power Manager Administration Universal Buffer Overflow Exploit.

Find the new site here!


Nov 9 2009

Virtualization Changes Application Deployment But Not Development

Cloud computing management functionality and standards are right now laser-focused on virtual machines, and most APIs include the ability to stop, start, launch, etc. at that level of the infrastructure. This is because the application is still insulated by its virtualized environment. The “depth” of management and standards efforts today stops at the hard shell of the virtualization layer and leaves the soft, chewy application center alone. This means nothing is really all that different for developers. But it could, and some might argue should, be different.

The development of a web-application for a cloud computing environment today is really no different than the development of an application destined for deployment in a traditional data center. If the developers or architects are network-savvy, they know they need to worry about a few environmental specific conditions like persistence and stateful load balancing, but other than that they don’t have to change how they develop the application.

That’s because when they complete the application and deploy it into a web-application server, the entire environment – OS, application server, and application – will be packaged up into a neat virtual image and shipped out. There’s nothing more they need to do. Nothing is different from how it was before cloud computing appeared on the scene.

Source