
Doomsday Shelters

Bruce Schneier's Crypto-gram - 6 hours 20 min ago

Selling fear:

The Vivos network, which offers partial ownerships similar to a timeshare in underground shelter communities, is one of several ventures touting escape from a surface-level calamity.

Radius Engineering in Terrell, Texas, has built underground shelters for more than three decades, and business has never been better, says Walton McCarthy, company president.

The company sells fiberglass shelters that can accommodate 10 to 2,000 adults to live underground for one to five years with power, food, water and filtered air, McCarthy says.

The shelters range from $400,000 to a $41 million facility Radius built and installed underground that is suitable for 750 people, McCarthy says. He declined to disclose the client or location of the shelter.

"We've doubled sales every year for five years," he says. Other shelter manufacturers include Hardened Structures of Colorado and Utah Shelter Systems, which also report increased sales.

[...]

The Vivos website features a clock counting down to Dec. 21, 2012, the date when the ancient Mayan "Long Count" calendar marks the end of a 5,126-year era, at which time some people expect an unknown apocalypse.

Vicino, whose terravivos.com website lists 11 global catastrophes ranging from nuclear war to solar flares to comets, bristles at the notion he's profiting from people's fears.

"You don't think of the person who sells you a fire extinguisher as taking advantage of your fear," he says. "The fact that you may never use that fire extinguisher doesn't make it a waste or bad.

"We're not creating the fear; the fear is already out there. We're creating a solution."

Yip Harburg commented on the subject about half a century ago, and the Chad Mitchell Trio recited it. It's at about 0:40 on the recording, though the rest is worth listening to as well.

    Hammacher Schlemmer is selling a shelter,
          worthy of Kubla Khan's Xanadu dome;
    Plushy and swanky, with posh hanky panky
          that affluent Yankees can really call home.

    Hammacher Schlemmer is selling a shelter,
          a push-button palace, fluorescent repose;
    Electric devices for facing a crisis
          with frozen fruit ices and cinema shows.

    Hammacher Schlemmer is selling a shelter
          all chromium kitchens and rubber-tiled dorms;
    With waterproof portals to echo the chortles
          of weatherproof mortals in hydrogen storms.

    What a great come-to-glory emporium!
    To enjoy a deluxe moratorium,
    Where nuclear heat can beguile the elite
          in a creme-de-la-creme crematorium.

Hacking ATMs

Bruce Schneier's Crypto-gram - Fri, 2010-07-30 23:55

Hacking ATMs to spit out money, demonstrated at the Black Hat conference:

The two systems he hacked on stage were made by Triton and Tranax. The Tranax hack was conducted using an authentication bypass vulnerability that Jack found in the system's remote monitoring feature, which can be accessed over the Internet or dial-up, depending on how the owner configured the machine.

Tranax's remote monitoring system is turned on by default, but Jack said the company has since begun advising customers to protect themselves from the attack by disabling the remote system.

To conduct the remote hack, an attacker would need to know an ATM's Internet IP address or phone number. Jack said he believes about 95 percent of retail ATMs are on dial-up; a hacker could war dial for ATMs connected to telephone modems, and identify them by the cash machine's proprietary protocol.

The Triton attack was made possible by a security flaw that allowed unauthorized programs to execute on the system. The company distributed a patch last November so that only digitally signed code can run on them.

Both the Triton and Tranax ATMs run on Windows CE.

Using a remote attack tool, dubbed Dillinger, Jack was able to exploit the authentication bypass vulnerability in Tranax's remote monitoring feature and upload software or overwrite the entire firmware on the system. With that capability, he installed a malicious program he wrote, called Scrooge.

EDITED TO ADD (7/30): Another two articles.


Security Vulnerabilities of Smart Electricity Meters

Bruce Schneier's Crypto-gram - Thu, 2010-07-29 21:16

"Who controls the off switch?" by Ross Anderson and Shailendra Fuloria.

Abstract: We're about to acquire a significant new cybervulnerability. The world's energy utilities are starting to install hundreds of millions of 'smart meters' which contain a remote off switch. Its main purpose is to ensure that customers who default on their payments can be switched remotely to a prepay tariff; secondary purposes include supporting interruptible tariffs and implementing rolling power cuts at times of supply shortage.

The off switch creates information security problems of a kind, and on a scale, that the energy companies have not had to face before. From the viewpoint of a cyber attacker -- whether a hostile government agency, a terrorist organisation or even a militant environmental group -- the ideal attack on a target country is to interrupt its citizens' electricity supply. This is the cyber equivalent of a nuclear strike; when electricity stops, then pretty soon everything else does too. Until now, the only plausible ways to do that involved attacks on critical generation, transmission and distribution assets, which are increasingly well defended.

Smart meters change the game. The combination of commands that will cause meters to interrupt the supply, of applets and software upgrades that run in the meters, and of cryptographic keys that are used to authenticate these commands and software changes, create a new strategic vulnerability, which we discuss in this paper.

The two have another paper on the economics of smart meters. Blog post here.


GNOME 3.0 Delayed Until March 2011

Slashdot Linux - Thu, 2010-07-29 05:29
Julie188 writes "GNOME 3.0 was scheduled to be released in September but during the developers conference, GUADEC 2010 in Den Haag, the organization had to face facts: the much ballyhooed GNOME Shell really wasn't ready. The Shell is supposed to bring 'a whole new user experience to the desktop.' So now, in September, what users will see is GNOME 2.32, distributed as a new stable release. Next target date for 3.0: March 2011."



DNSSEC Root Key Split Among Seven People

Bruce Schneier's Crypto-gram - Thu, 2010-07-29 02:12

The DNSSEC root key has been divided among seven people:

Part of ICANN's security scheme is the Domain Name System Security, a security protocol that ensures Web sites are registered and "signed" (this is the security measure built into the Web that ensures when you go to a URL you arrive at a real site and not an identical pirate site). Most major servers are a part of DNSSEC, as it's known, and during a major international attack, the system might sever connections between important servers to contain the damage.

A minimum of five of the seven keyholders -- one each from Britain, the U.S., Burkina Faso, Trinidad and Tobago, Canada, China, and the Czech Republic -- would have to converge at a U.S. base with their keys to restart the system and connect everything once again.

That's a secret sharing scheme they're using, most likely Shamir's Secret Sharing.

We know the names of some of them.

Paul Kane -- who lives in the Bradford-on-Avon area -- has been chosen to look after one of seven keys, which will 'restart the world wide web' in the event of a catastrophic event.

Dan Kaminsky is another.

I don't know how they picked those countries.


Free Software, a Matter of Life and Death

Slashdot Linux - Wed, 2010-07-28 04:06
ChiefMonkeyGrinder writes "Software on medical implants is not open to scrutiny by regulatory bodies. Glyn Moody writes: 'Software with the ability to harm as well as help us in the physical world needs to be open to scrutiny to minimise safety issues. Medical devices may be the most extreme manifestation of this, but with the move of embedded software into planes, cars and other large and not-so-large devices with potentially lethal side-effects, the need to inspect software there too becomes increasingly urgent.' A new report 'Killed by Code: Software Transparency in Implantable Medical Devices' from the Software Freedom Law Center points out that, as patients grow more reliant on computerized devices, the dependability of software is a life-or-death issue. 'The need to address software vulnerability is especially pressing for Implantable Medical Devices, which are commonly used by millions of patients to treat chronic heart conditions, epilepsy, diabetes, obesity, and even depression.' Will making the source code free to scrutiny address the issue of faulty devices?"



Pork-Filled Counter-Islamic Bomb Device

Bruce Schneier's Crypto-gram - Wed, 2010-07-28 03:33

Okay, this is just weird:

Mark S. Price, a specialist in public security, and his privately held company, Paradise Lost Antiterrorism Network of America (www.plan-a.us), have recently applied to the United States Patent and Trademark Office for a Utility Patent on their Suicide Bomb Deterrent, a security device designed, manufactured and distributed by PLAN-A. This device has been designed to warn and deter potential fanatical religious suicide bomb-wielding terrorists from otherwise detonating an explosive charge within close proximity of said device, to the intended end of successfully accomplishing its namesake purpose of Suicide Bomb Deterrent and the protecting and preserving of all life and property otherwise in mortal and destructive danger.

Reading the partial patent application on their minimal website, it appears to be a packet of pork product, combined with a big sign saying something like: "Warning. If you blow up a bomb right here, you'll get pork stuff all over you before you die -- which might be suboptimal from a religious point of view."

This appears to not be a joke.


WPA Cracking in the Cloud

Bruce Schneier's Crypto-gram - Tue, 2010-07-27 21:43

It's a service:

The mechanism used involves captured network traffic, which is uploaded to the WPA Cracker service and subjected to an intensive brute force cracking effort. As advertised on the site, what would be a five-day task on a dual-core PC is reduced to a job of about twenty minutes on average. For the more “premium” price of $35, you can get the job done in about half the time. Because it is a dictionary attack using a predefined 135-million-word list, there is no guarantee that you will crack the WPA key, but such an extensive dictionary attack should be sufficient for any but the most specialized penetration testing purposes.

[...]

It gets even better. If you try the standard 135-million-word dictionary and do not crack the WPA encryption on your target network, there is an extended dictionary that contains an additional 284 million words. In short, serious brute force wireless network encryption cracking has become a retail commodity.

FAQ here.

In related news, there might be a man-in-the-middle attack possible against the WPA2 protocol. Man-in-the-middle attacks are potentially serious, but it depends on the details -- and they're not available yet.


1921 Book on Profiling

Bruce Schneier's Crypto-gram - Tue, 2010-07-27 03:30

Here's a book from 1921 on how to profile people.


Technology is Making Life Harder for Spies

Bruce Schneier's Crypto-gram - Mon, 2010-07-26 21:12

An article from The Economist makes a point that I have been thinking about for a while: modern technology makes life harder for spies, not easier. It used to be that technology favored spycraft -- think James Bond gadgets -- but more and more, technology favors spycatchers. The ubiquitous collection of personal data makes it harder to maintain a false identity, ubiquitous eavesdropping makes it harder to communicate securely, the prevalence of cameras makes it harder not to be seen, and so on.

I think this is an example of the general tendency of modern information and communications technology to increase power in proportion to existing power. So while technology makes the lone spy more effective, it makes an institutional counterspy organization much more powerful.


Building a $200 Linux PC

Slashdot Linux - Mon, 2010-07-26 00:46
WesternActor writes "Computers are getting cheaper to buy every year, but there are still sometimes advantages to building them yourself. ExtremeTech has a story about how they sought out the parts for a $200 computer that (of course) runs Linux as a way of breaking the budget barrier. They even test it against a commercially available eMachines nettop to see how it compares in terms of performance. This probably isn't something everyone will want to do, but it's an interesting example of something you can do on the cheap if you put your mind to it."



Dell Drops Ubuntu PCs From Its Website

Slashdot Linux - Sat, 2010-07-24 22:18
Barence writes "Dell has stopped selling consumer PCs preloaded with Ubuntu from its website, and doesn't know when they're coming back. A search for Ubuntu on the Dell UK website returns only one laptop — the Dell Latitude 2100 from the company's business range. Dell insists that it's continuing to sell Ubuntu systems, but only over the phone, and has no idea when — or even if — the Ubuntu PCs will return online. 'We've recently made an effort to simplify our offerings online, by focusing on our most popular bundles and configuration options, based on customer feedback for reduced complexity and a simple, easy purchase experience,' Dell told PC Pro. 'We're also making some changes to our Ubuntu pages, and as a result, they are currently available through our phone-based sales only.' The move comes after Dell put a page on its website advising customers only to go for Ubuntu if they were interested in open-source programming."



What To Do With an Old G5 Tower?

Slashdot Linux - Sat, 2010-07-24 09:36
lunatic1969 writes "I've got an old G5 PowerPC tower that's sitting in a spare room not seeing much in the way of use. I'd like to stick a Linux distribution on it and maybe breathe some life back into it. I've got a few vague ideas — it might be a handy file server, streaming video for a security system, or simply just to have a spare box around. My question is therefore in two parts: First, are there any particularly creative projects or ideas anyone has for an old G5, and second and most important, which distribution currently offers the best support for this box?"



Friday Squid Blogging: Squidbillies

Bruce Schneier's Crypto-gram - Sat, 2010-07-24 07:19

Where do these TV shows come from?

Follows the adventures of the Cuylers, an impoverished and dysfunctional family of anthropomorphic, air-breathing, redneck squids who live in a rural Appalachian community in the US state of Georgia.

Open Source Participation Gains Support In China

Slashdot Linux - Sat, 2010-07-24 06:43
eldavojohn writes "ZDNet blogger Fred Muller notes that a Chinese company called Taobao has become one of the first in the country to participate in open source. After years of Chinese companies using Linux, Taobao has announced they are open sourcing TAIR, and they revealed what is believed by Muller to be the first open source repository hosted by a Chinese corporation. Muller tracked down the originator of this information and was also informed that the Linux kernel can expect contributions soon from Taobao. Several people involved with bringing open source to China have expressed concerns over a cultural divide (PDF) in regards to opening your corporation's source code to potential competition. Some people speculated that the culture created by an open source movement was irreversibly foreign to Chinese culture. Taobao is exhibiting cracks in that assumption — exciting times for open source advocates as code contributions to open source become even more multicultural."



The Washington Post on the U.S. Intelligence Industry

Bruce Schneier's Crypto-gram - Sat, 2010-07-24 03:46

The Washington Post has published a phenomenal piece of investigative journalism: a long, detailed, and very interesting expose on the U.S. intelligence industry (overall website; parts 1, 2, and 3; blog; Washington reactions; top 10 revelations; many many many blog comments and reactions; and so on).

It's a truly excellent piece of investigative journalism. Pity people don't care much about investigative journalism -- or facts in politics, really -- anymore.

EDITED TO ADD (7/25): More commentary.

EDITED TO ADD (7/26): Jay Rosen writes:

Last week, it was the Washington Post's big series, Top Secret America, two years in the making. It reported on the massive security shadowland that has arisen since 09/11. The Post basically showed that there is no accountability, no knowledge at the center of what the system as a whole is doing, and too much "product" to make intelligent use of. We're wasting billions upon billions of dollars on an intelligence system that does not work. It's an explosive finding but the explosive reactions haven't followed, not because the series didn't do its job, but rather: the job of fixing what is broken would break the system responsible for such fixes.

The mental model on which most investigative journalism is based states that explosive revelations lead to public outcry; elites get the message and reform the system. But what if elites believe that reform is impossible because the problems are too big, the sacrifices too great, the public too distractible? What if cognitive dissonance has been insufficiently accounted for in our theories of how great journalism works...and often fails to work?

EDITED TO ADD (7/27): More.


India's $35 Tablet Computer

Slashdot Linux - Sat, 2010-07-24 00:13
NotBornYesterday was one of many readers sending in news that the Indian government has announced it is helping to develop a $35 tablet computer running Linux. "India has unveiled the prototype of a $35 basic touchscreen tablet aimed at students, which it hopes to bring into production by 2011. The government plans to subsidize the tablets so the cost to students could be $20; and eventually, they hope the cost will fall to $10 per unit. India's human resource development minister, Kapil Sibal, says, 'The motherboard, its chip, the processing, connectivity, all of them cumulatively cost around $35, including memory, display, everything.' Using a memory card instead of a hard drive, and running a Linux OS, the designers have managed to keep the price low, and are now looking for manufacturing partners. The tablet can be used for functions like word processing, Web browsing, and video conferencing. It has a solar power option too, which is important in India's less developed areas, though that add-on costs extra."



Internet Worm Targets SCADA

Bruce Schneier's Crypto-gram - Fri, 2010-07-23 23:59

Stuxnet is a new Internet worm that specifically targets Siemens WinCC SCADA systems, which are used to control production at industrial plants such as oil rigs, refineries, electronics production, and so on. The worm seems to upload plant info (schematics and production information) to an external website. Moreover, owners of these SCADA systems cannot change the default password because it would cause the software to break down.


The Scalability of Linus

Slashdot Linux - Fri, 2010-07-23 23:29
Hugh Pickens writes "Katherine Noyes writes at LinuxInsider that it may be time for Linus Torvalds to share more of the responsibility for Linux that he's been shouldering. 'If Linux wants to keep up with the competition there is much work to do, more than even a man of Linus's skill [can] accomplish,' argues one user. The 'scalability of Linus' is the subject of a post by Jonathan Corbet wondering if there might there be a Linus scalability crunch point coming. 'The Linux kernel development process stands out in a number of ways; one of those is the fact that there is exactly one person who can commit code to the "official" repository,' Corbet writes. A problem with that scenario is the potential for repeats of what Corbet calls 'the famous "Linus burnout" episode of 1998' when everything stopped for a while until Linus rested a bit, came back, and started merging patches again. 'If Linus is to retain his central position in Linux kernel development, the community as a whole needs to ensure that the process scales and does not overwhelm him,' Corbet adds. But many don't agree. 'Don't be fooled that Linus has to scale — he has to work hard, but he is the team captain and doorman. He has thousands doing most of the work for him. He just has to open the door at the appropriate moment,' writes Robert Pogson, adding that Linus 'has had lots of practice and still has fire in his belly.'"


