Posted by alect on February 11th, 2010
By Scott M. Fulton, III, Betanews
A defect in the protocol that secures monetary exchanges and other private transactions throughout the Web, discovered by wireless security engineers last August, continues to go unfixed as vendors work towards a solution. It can only be described as miraculous that a working exploit hasn't yet been detected for a security hole that hid in plain sight ever since Transport Layer Security was developed.
The problem was inadvertently made public last November. In short, it has to do with the transition Web sites make between the older Secure Sockets Layer protocol and the augmented TLS. During the transition process, the Web sites leave one protocol, but have to remind each other what they were transitioning from and to -- like asking one another, "What were we talking about again?" The question and answer get sent in the clear, making it easy for a man-in-the-middle to spoof the site with the answer.
Yesterday, Microsoft issued an advisory for server administrators, linked to a Knowledgebase article that provides an update package for Windows Server. But that package is not a fix; actually, it's just a System Registry patch that disables the entire renegotiation process. It makes your system safe from the exploit, but it may end up leaving transactions encrypted with SSL rather than TLS.
Microsoft warns that this could be an inconvenience for some customers whose applications require this kind of step-up renegotiation in order to make a connection. That could be a very serious inconvenience indeed if your name happens to be "US Dept. of Defense."
Back in April 2004, DoD directive 8100.2 (recently redubbed 8100.02) specified that data traffic over wireless devices was only permissible by layering an encryption system atop the existing wireless infrastructure. This was back before Wi-Fi was trusted. That changed with a supplement to that directive issued in June 2006 by the Assistant Secretary of Defense for Networks and Information Integration (known on record as "ASD(NII)/DoD CIO"). The supplement marked the Department's official embrace of 802.11i security standards for Wi-Fi, which the CIO deemed compliant with Security Level 2 out of 4, of the government's Security Requirements for Cryptographic Modules (PDF available here).
As the latest (2007) version of 8100.02 now reads (PDF available here), "Encryption of unclassified data for transmission to and from wireless devices is required. Exceptions may be granted on a case-by-case basis as determined by the Designated Approving Authority (DAA) for the wireless connections under their control. At a minimum, data encryption must be implemented end-to-end over an assured channel and shall be validated under the Cryptographic Module Validation Program as meeting requirements per Federal Information Processing Standards (FIPS) Publication (PUB) 140-2, Overall Level 1 or Level 2, as dictated by the sensitivity of the data."
And as the FIPS 140-2 document explains, "Security Level 2 allows the software and firmware components of a cryptographic module to be executed on a general purpose computing system using an operating system. An equivalent evaluated trusted operating system may be used. A trusted operating system provides a level of trust so that cryptographic modules executing on general purpose computing platforms are comparable to cryptographic modules implemented using dedicated hardware systems."
Standard 802.11i is published and maintained by the IEEE, and its encryption protocol of choice is maintained by the IETF: EAP-TLS, the most evolved form of the protocol that started out as SSL.
Now, it would appear the DoD may be on the threshold of wading into precisely the minefield they had hoped to avoid, prior to their embrace of 802.11i. The fix to the TLS security hole, when it comes, will have to be coordinated and simultaneous, involving the cooperation of not just Microsoft but hardware vendors that supply the government with systems, such as Cisco and Aruba Networks. Technically, operating systems that were considered "trusted" enough to substitute for firmware cryptographic modules, under FIPS 140-2 Security Level 2, may not qualify as "trusted" now, were someone to make that official evaluation. The more time vendors assume in coordinating their response, the more opportunity the Pentagon may have to reach that dreadful conclusion.
Copyright Betanews, Inc. 2010


Posted by alect on February 11th, 2010
According to MobileTechWorld, Microsoft is hard at work on MyPhone 2.0. According to some Microsoft job postings, the update to their free phone backup and sync service will be made available as part of Windows Mobile 7 (referred to below as "the next release of Windows Mobile"). Although no new...
Posted by alect on February 11th, 2010
Google announced on Wednesday that it plans to create and test ultra high-speed broadband networks in a small number of trial locations across the United States.
The network connections will deliver Internet speeds of 1 gigabit per second with fiber direct to the home connections. Google says it plans to offer...
Posted by alect on February 11th, 2010
By Tim Conneally, Betanews
Google announced today that it is planning to build and test broadband networks in several trial deployments across the US which promise to be "100 times faster than what most Americans have access to today with 1 Gbps fiber-to-the-home connections."
A careful read of that line suggests that Google is promising 1 Gbps fiber, which is 100x faster than the average broadband user's transfer rate, as opposed to a 100 Gbps pipeline. The company says the service will reach 50,000 people initially, with a potential reach of up to 500,000.
Right now, Google is putting out a request for information for communities looking to test Google's new fiber service. On March 26, the Mountain View search company will be announcing the markets where it will begin deployment.
Posted by alect on February 11th, 2010 in Internet
Since Google wants to control all forms of communication, the logical next step is being not just what you do on the internet, but how you access the internet as well. To do that, they'll deploy 1Gbps fiber to you.
The company is going to test this super high speed internet in "a small number of trial locations across the United States," and give somewhere between 50k and 500k people an amazingly fast pipe. What's the point of this?
* Next generation apps: We want to see what developers and users can do with ultra high-speeds, whether it's creating new bandwidth-intensive "killer apps" and services, or other uses we can't yet imagine.
* New deployment techniques: We'll test new ways to build fiber networks, and to help inform and support deployments elsewhere, we'll share key lessons learned with the world.
* Openness and choice: We'll operate an "open access" network, giving users the choice of multiple service providers. And consistent with our past advocacy, we'll manage our network in an open, non-discriminatory and transparent way.
We basically read that as bridging the gap between webapps and desktop apps by making the connection so fast that most people won't be able to tell the difference. And, forcing other ISPs to upgrade their pipes to compete with Google, since they say it's going to be released at "a competitive price". Think of it as the Nexus One of service providers. Google is going to make an offering that's better than other comparable devices/services in order to make everyone else play catch-up.
So, if you want my address, Google, to know where you need to deploy the test, you've probably got it already. Seriously man, I need this. [Google]
Tags: 1Bps, fiber, Gigabit, Gigabit internet, google, Google fiber, Google internet, top
Posted by alect on February 11th, 2010
According to ComputerWorld, Microsoft has, for all intents and purposes, won the Windows XP WGA anti-piracy lawsuit. The lawsuit was brought to court over three years ago because people felt Microsoft was misleading its customers by releasing WGA as a critical security update. The beta version of WGA would send...
Posted by alect on February 11th, 2010
Microsoft has shared some new Windows Live Messenger stats, confirming that more than 300 million people in 76 countries and 48 languages use Messenger every month.
The Windows Live Social Networking team also shared individual statistics for country specific Messenger users but did not include the United States. Microsoft's Jeff Kunins,...
Posted by alect on February 11th, 2010
By Tim Conneally, Betanews
Almost exactly a year after Verizon Wireless named its LTE equipment partners, AT&T has done the same. And like Verizon, AT&T has chosen Swedish wireless technology provider Ericsson and French telecommunications company Alcatel-Lucent, to make the transition from 3G to LTE more streamlined.
Rather than start fresh and attempt to install all new hardware at its cell sites, AT&T is going for hardware that is easily upgradeable. All 3G equipment purchased from Ericsson and Alcatel-Lucent this year will be easily convertible to LTE, AT&T said.
Ericsson and Alcatel-Lucent will be the suppliers for AT&T's Radio Access Network Domain, also known as the middle tier between the users and the central AT&T network. It's called a "domain" because it is part of AT&T's Domain Supplier program which launched last September. In this program, only two suppliers are selected to work on each part of AT&T's network, and they're given multi-year contracts which include not only immediate goals, but also goals for the future. That way, the contractors can develop systems that can evolve, and AT&T can worry less about legacy systems.
This year, AT&T says it will upgrade the fiber backhaul to its cell sites to boost 3G speeds and pave the way for its first LTE-compatible sites next year.
Posted by alect on February 10th, 2010
A Microsoft project manager has posted and then removed a blog post regarding what he feels the next version of Windows will be like.
Entitled "What’s in store for the next Windows", the blog post has now been removed, but a Google cached version is still available. The Windows Club, who originally...
Posted by alect on February 10th, 2010
By Tim Conneally, Betanews
Prominent developers sometimes tease us with products made on the iPhone platform that have not yet been approved by Apple. Frequently it's because their applications face certain rejection; sometimes on the famous grounds of "duplicate functionality", sometimes for other reasons.
Mobile World Congress next week will be hosting the mother of all iPhone app teases: Opera Mini for iPhone.
Opera Mini is already on more than 40 million devices, and is easily the most prominent browser for resource-constrained mobile devices. The company announced today that it will be showing off a version of Opera Mini for the iPhone that is up to six times faster than the iPhone's native Safari browser and can cut bandwidth consumption by up to 90%, thanks to the server-side rendering techniques that Opera uses.
Naturally, the browser is not available to the public, nor is it likely to ever be. Opera has built the "duplicate functionality" argument into its very presentation...claiming it can improve upon a primary piece of the iPhone's software.
It actually looks more like Opera has gotten wise to Apple's PR magic, and hopes to stimulate some attention for itself by showing off a product certain to create friction with the strict Cupertino company.