Current Topic: Computer Security

New Sobig Variant May Be Circulating

Topic: Computer Security
4:23 am EDT, Aug 28, 2003

] Romanian researchers claim to have discovered a variant
] of the Sobig.F virus that looks to mail and domain name
] servers at Time Warner Telecom for information about how
] to modify its behavior.

According to this, the new virus may be able to receive program updates by performing certain DNS queries or SMTP sessions to compromised servers.

Hackers cut off SCO Web site | CNET News.com

Topic: Computer Security
12:33 am EDT, Aug 26, 2003

] This weekend, a denial-of-service attack took down the
] Web site of The SCO Group, which is caught in an
] increasingly acrimonious row with the open-source
] community over the company's legal campaign against
] Linux.

Most underreported story of the day...

Analysis of an Electronic Voting System

Topic: Computer Security
5:28 pm EDT, Aug 23, 2003

] Recent election problems have sparked great interest in
] managing the election process through the use of
] electronic voting systems. While computer scientists, for
] the most part, have been warning of the perils of such
] action, vendors have forged ahead with their products,
] claiming increased security and reliability. Many
] municipalities have adopted electronic systems, and the
] number of deployed systems is rising. For these new
] computerized voting systems, neither source code nor the
] results of any third-party certification analyses have
] been available for the general population to study,
] because vendors claim that secrecy is a necessary
] requirement to keep their systems secure. Recently,
] however, the source code purporting to be the software
] for a voting system from a major manufacturer appeared on
] the Internet. This manufacturer's systems were used in
] Georgia's state-wide elections in 2002, and the company
] just announced that the state of Maryland awarded them an
] order valued at up to $55.6 million to deliver touch
] screen voting systems.

The press claims this paper is discredited because Avi Rubin was involved with an electronic voting company. Read it for yourself and see what you think.

ajc.com | Metro | Dare accepted on electronic voting machines

Topic: Computer Security
5:27 pm EDT, Aug 23, 2003

] Roxanne Jekot, a 51-year-old computer program developer from
] Cumming, said she and a few expert friends could crack Georgia's $54
] million touch-screen voting system in a matter of minutes.
]
] Bring it on, said state election officials.

Well, that's a nice change from the we-will-sue-you-into-quiet-submission thing that's so in vogue these days..

'Good' Worm Fixes Infected Computers (TechNews.com)

Topic: Computer Security
9:17 pm EDT, Aug 18, 2003

] A new Internet worm emerged today that is designed to
] seek out and fix any computer that remains vulnerable to
] "Blaster," the worm that attacked more than 500,000
] computers worldwide last week.

InformationWeek | Microsoft Stymies Blaster Attack

Topic: Computer Security
6:38 pm EDT, Aug 15, 2003

] Confirming the elimination of the address and the
] unlinking is easy. Entering www.windowsupdate.com in a
] Web browser results in a "The page cannot be found" error
] message within Internet Explorer, for instance. Earlier,
] typing in that address would have brought users to the
] WindowsUpdate site.
]
] The WindowsUpdate service, which is actually at the
] address of windowsupdate.microsoft.com, is still
] functioning. It's this URL, which Windows refers to when
] the Update Windows icon is selected from the operating
] system's Start menu. Users can thus reach WindowsUpdate
] either by typing in the windowsupdate.microsoft.com
] address manually, or as Microsoft recommends, selecting
] the icon from within Windows.
] "The worm's maker could have made it harder to do this,"
] That led him to speculate that the real goal of the worm's
] writer was not to do damage, but only to embarrass
] Microsoft. Other evidence, he said, including the fact
] that the attack was scheduled to begin exactly one month
] after the vulnerability was first disclosed.

Disclosure of Major Software Exploits by Students?

Topic: Computer Security
5:59 pm EDT, Aug 8, 2003

] "I am a U.S. university student who has recently come
] across 2 remote exploits for a homework program used by
] colleges nationwide. Both vulnerabilities allow students
] to give themselves arbitrary scores, and possibly execute
] arbitrary code. To further emphasize the scope of this
] vulnerability, I have written and -selftested
] proof-of-concept exploit code. Naturally, I want to share
] this information with their software engineers, and would
] even be nice enough and suggest a means to fixing it.
] However, with the state of current intellectual property
] and reverse-engineering laws, I hesitate to do so out of
] fear of litigation or academic disciplinary action. As an
] ethical geek, what do -you- do?"

This sounds familiar.

Interz0ne Press Release - re: Blackboard Settlement

Topic: Computer Security
9:59 am EDT, Jul 16, 2003

From speech_freedom2002@yahoo.com Wed Jul 16 10:59:47 2003
Date: Wed, 16 Jul 2003 06:14:52 -0400
From: Rockit [speech_freedom2002@yahoo.com]
Reply-To: root@se2600.org
To: root@se2600.org
Subject: [se2600] Interz0ne Press Release re: Blackboard Settlement

Interz0ne Press Release: Censorship via lawsuit wins again.

Lawyers working for Blackboard Inc., the maker of a card transaction, vending and ID system used by approximately 275 colleges and universities globally, as well as an undisclosed number of government and military installations, succeeded in silencing two college students who have found numerous flaws in Blackboard's flagship product over the last two years.

Georgia Tech student Billy Hoffman, along with University of Alabama student Virgil Griffith, initially kept the discoveries quiet while attempting to report them to Blackboard engineers, along with possible fixes. Traditionally, the discoverers of such flaws allow the vendors time to fix problems before going public; this provides the vendors with essentially free quality control labor while the discoverers get later bragging rights and items to pad their resumes. This unofficial system has worked well in the past, to the extent that Blackboard even boasts of working with the hacker community on their website.

Instead of taking an interest in news of these flaws, however, Blackboard engineers first dismissed Hoffman as a know-nothing "kid", then attempted to have him expelled from Georgia Tech after he voiced his concerns about Tech's Blackboard system to campus administrators and student organizations. Hoffman responded by first publishing his (and later Griffith's) findings, and then updating his articles via talks at various vendor and security conferences.

It was at such a conference, Interz0ne II in Atlanta, that Hoffman and Griffith were planning to discuss the most severe problems they had uncovered to date, including a demonstration of several easy-to-assemble hardware devices that could supposedly allow anyone with malicious intent free rein on a Blackboard system. Hoffman and Griffith never gave their talk. Instead, they and the convention organizers were served with both restraining orders and cease and desist orders. Court dates soon followed, along with legal threats.

Several months after the convention, both Hoffman and Griffith settled out of court. They refuse to discuss the issue, so one can assume that the settlement includes an NDA.

Blackboard spokesdrone Michael Stanton stated to AP reporters on Monday, July 14th (a day before the settlement was officially filed) that "...the claims [Hoffman and Griffith] were making were silly," that "...they really didn't do a lot of the things they were claiming to [have done]" and that the settlement reaffirms that Blackboard's systems are secure.

Bullshit. The settlement does nothing of the sort. If Hoffman and Griffith's clai...

The Register - Blackboard press release

Topic: Computer Security
7:25 pm EDT, Jul 15, 2003

] Blackboard said the settlement shows its systems are
] secure but the whole case is better understood as a
] successful attempt to protect the firm's reputation
] against the possibly exaggerated claims of a pair of
] student hacker/crackers

The Register got caught up in the spin as well. Since when is using the law an appropriate way to silence critics? That's the very definition of censorship. Can we accept that this is really the final word on the story, given that it's coming from Blackboard, and that Acidus and Virgil are enjoined from responding? Is Blackboard's technology secure? We may never know. What we do know is that Blackboard has effectively silenced their critics, with extreme prejudice. My lawyer is bigger than your lawyer should not trump the first amendment. In this case it has. These students settled because they did not have the means to defend themselves.

Acidus and Virgil owe $20,000 in (clears throat) "legal fees." They are college students. They can't really afford this and they need help. If you would like to contribute, you can PayPal the following email address: gte344p@prism.gatech.edu

(Above comments from Decius..)

I'll have more to say about this later, when I can sit down and type something up without the sound of truck stop poker video games ringing in my ears.

Topic: Computer Security
7:06 am EDT, Jul 14, 2003

Just caught this one in my inbox.. Psyiode has started up a site to keep track of the Blackboard case. It's important to note that Psyiode has no connection to Acidus, Virgil, or any of the Interz0ne con staff. Blackboard may decide to come after him too. I like the domain. :)

www.fuckblackboard.com