
Friday 24 December 2010

Oracle invites the Apache Foundation to reconsider its departure from the Java Community Process

The foundation does not respond

Update of 13/12/2010 by Idelways


Oracle has succeeded in getting the Java 7 and 8 specifications approved by a large majority (see above). The fact remains that the departure of the Apache Foundation, triggered by this vote, a foundation involved in about a hundred projects in the Java ecosystem, seems to worry it seriously.

After having asked the foundation to reconsider its opposition to the proposals put forward for Java 7 and 8 (see above), Oracle has just reached out to the foundation to begin an attempt at reconciliation, and is asking it to reverse its decision to leave the Java executive committee (JCP).

In a short blog post, Adam Messinger, vice president of development at Oracle, recalls the facts and encourages the Apache Foundation to "take part again in the efforts to advance Java technology".

Because, Messinger admits, "the Apache Foundation and its many open-source projects are an important part of the Java ecosystem".

Without saying more, it would appear that the foundation's departure does not please Oracle.

For its part, the Apache Foundation is (officially) turning a deaf ear. In any case, it seems in less of a hurry to answer this message than last time.

Jim Jagielski, president of the foundation, nevertheless wondered on his personal Twitter account, doubtful and somewhat ironic, what reason could justify the foundation's return to the Java Community Process.

He went even further last week in a post on his personal blog, where he stated that the Java Community Process was quite simply dead and that it was "Oracle that killed it".
Jagielski also called there for the creation of a new Community Process.

It is not certain that such an initiative would attract massive support.



Source: Oracle's message, Jim Jagielski's tweet and his personal blog

Thursday 23 September 2010

Nokia Launches its new C3

Nokia has just revealed its second "Touch and Type" handset in a surprise announcement at the Nokia World conference in London.
As the name suggests, the C3 Touch and Type has a normal keypad as well as a touchscreen. The C3 Touch and Type is visually similar to existing devices like the 6700 classic and Nokia 6300 phones and is a Series 40 based handset.

The phone is a quad-band device and supports 3G/HSPA and Wi-Fi internet connectivity. It comes with Nokia Messaging 3.0, the latest incarnation of Nokia's email, instant messaging and communities client, offering Facebook and Twitter. On the imaging front, there is a 5 megapixel camera with flash at the rear. The C3 Touch and Type will come in Silver, Warm Grey and Khaki Gold colours. The screen is not particularly large at just 2.4 inches, but that is perfectly fine for a mid-range product. The C3 Touch and Type supports microSD memory cards for storage up to 32MB.

The C3 Touch and Type is expected to cost Euro 145 (Rs. 8,700) excluding taxes or subsidies. It will start shipping in the fourth quarter of this year.

Tuesday 7 September 2010

Black Hat reflects a changing industry, says founder

Computerworld - In the 13 years since its inception, Black Hat has emerged as one of the premier conferences in the security industry. Each year, Black Hat attracts thousands of security researchers, security practitioners and government types to its annual events in Las Vegas, Tokyo, Amsterdam and Washington. On the eve of the annual conference in Vegas, Black Hat founder Jeff Moss talks about the show and how it has evolved.

This is the biggest Black Hat so far. What's driving interest in the conference?
I don't know if it's a rebound. People held off last year because of the economic downturn, and now there's a hunger to bounce back. I don't know if it has to do with that, or if it is more of an awareness issue. U.S. Cyber Command is hiring, the [Department of Homeland Security] is hiring, the federal government is hiring, all the defense contractors are hiring like mad. I don't know if it's a reflection of that.

How has it evolved since you first launched it?
As we grew, I never ever wanted to downplay the researcher part. Nothing is going to impact that. Every year, something surprises us about what's new and which directions the researchers are going in. But as we have grown, we have gotten access to lots of space. You just can't have 10 tracks of pure researchers. It's hard to find that many good talks. So now I am trying to focus on business and policy implications as well.

So, what has surprised you this year?
Some of the talks that have gotten interest are surprising. I wouldn't have thought the Robin Sage talk was going to get a lot of interest. That is just an illustration of the dangers of social networking, which pretty much everyone gets.
It goes back to my belief that a lot of people don't believe it until they see it. They can intellectualize it, they can visualize it. But until they can actually see it happen, it's not real. So I was really surprised by the attention that's getting. Not so surprising is the interest in a talk on ATM hacking.

How has the security landscape changed since you launched Black Hat?
There was no money in any of this. Back then, it was a hobby. You did this because you loved it. You couldn't get a job in information security unless maybe you worked for a Sun or an IBM, a bank, the military, a hospital or something. Everything was pretty ad hoc. There were no real rules, there was no secure software development life cycle, there were no rules for disclosure or notification, and no collaborative bug-finding.
Then in the fourth or fifth year of Black Hat, the dot-com bubble started growing and everybody was getting a job in security. Once it became a profession, once it became a career, everything changed. We have seen everything grow at a very rapid rate.

Do events such as Black Hat close or widen the communication gap that seems to persist between security practitioners and enterprise decision-makers?
My contention is, if decision-makers don't know what is actually technically possible, how can they make an informed decision? If business people who make decisions don't have accurate information, they are bound to make inaccurate decisions. So, No. 1, we have to show them what the art of the possible is and what they can expect in future. We really try to focus on the practical and applied effects.

But are you succeeding in closing the communication gap?
Yeah, I think so. We are breaking out of the pure security researcher community to a wider audience of people who now realize that security is one of their concerns. We are getting more [people from] telcos, more enterprise, and a little more financial services. We have seen growth. We want to see where these people are coming from, but there has been a definite broadening of the base.

There's always some new vulnerability or the other disclosed at Black Hat. In general, how should vulnerability disclosures be handled?
I have always believed in the responsible disclosure model. You inform the vendors [of a flaw's] discovery. It is responsible for you to turn over enough information so they can reproduce the bug and go seek a solution. But it is not your job as a researcher to hold the hands of every vendor you find a bug for and to walk them through everything.
It can consume a whole lot of time, and they don't pay you for that. I don't think it is reasonable for the researcher to have to wait for a year for a patch. I would advocate never being totally beholden to the vendor, never being on their timetable. But on the other hand, it is irresponsible for the researcher to tell the vendor on Monday and on Tuesday tell the whole world.

What do you think about vendors paying bounties to bug hunters to find vulnerabilities in their software?
It's as if companies hired their own researchers to go find bugs. That's fine. The part that bothers me though is, what's going on underground, what's going on in the market we can't see? People are getting all bent out of shape about [public vulnerability disclosures].
But what is really happening in the underground marketplace, where criminals are buying and selling vulnerabilities? [With legitimate disclosures] the vendors get informed, and hopefully we'll all have better software and hopefully better processes. In the underground marketplace, it never makes it to the vendor, so the software never gets improved.

You are a member of the Homeland Security Advisory Council. When you started this whole thing, did you ever envision yourself advising Washington on security issues?
I always assumed that was impossible for me because of my running DefCon and Black Hat and not having the right academic credentials. There was no Ph.D. in computer security or anything back when I was in college, so I didn't have all the checkboxes. So I was very surprised when I was named and sworn in.
But for now, just like everything else, it's a challenge, and I want to be as helpful as I can to help information security. I have this belief that you don't get to bitch about the system until you try and fix the system. So I figure this gives me plenty of room to bitch because I am trying really hard to make a difference.

Infected USB drive blamed for '08 military cyber breach

Computerworld - It was a USB drive loaded with malware.
That's how U.S. defense networks were compromised in 2008, according to U.S. Deputy Defense Secretary William Lynn, who today offered the first official confirmation of a data breach that led to restrictions on the use of removable USB drives in the military.
In an article written for Foreign Affairs magazine, Lynn said the breach occurred when a single USB drive containing malicious code was inserted into a laptop computer at a U.S. base in the Middle East. The malware, placed on the drive by a foreign intelligence agency, was uploaded to a network run by the U.S. Central Command.
The malware then spread -- undetected -- on both classified and unclassified systems, essentially establishing a "digital beachhead" from which data could be transferred to servers outside the U.S. "It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary," Lynn wrote.
He did not say whether the malware allowed any classified or unclassified data to be stolen from U.S. Defense networks. Nor did he offer clues as to which foreign intelligence agency may have been behind the intrusion.
Even so, Lynn described the hitherto classified incident as the "most significant breach of U.S. military computers ever," saying it served as an important wake-up call for the military.
The incident led to a massive Pentagon response operation called "Operation Buckshot Yankee" aimed at purging infected systems of the malware and preventing something similar from happening again.
Lynn's description in Foreign Affairs throws a little more light on the military's sudden ban on the use of removable USB flash drives in 2008. At that time, the Pentagon said its decision was tied to concerns about a malware program called Agent.btz that propagated itself via the drives. That worm was a variant of another malware program called SillyFDC that was designed to scan infected systems for specific data and open backdoors for communications with remote command and control servers.
The Pentagon said at the time that the malware had begun infecting military systems, but offered few other reasons for the USB ban.
The incident highlights the enormous problems that can result from seemingly minor vulnerabilities, said J.R. Reagan, an analyst with Deloitte Consulting Services. "It brings to life what we have all feared for a long time from the small little holes in the dike that can really open up big problems," Reagan said.
In the military's case, the problems may have been exacerbated by an ongoing drive to make information sharing easier, he said.
The bigger issue really is not that the intrusion happened in the first place, but just how much information was in danger of being spirited out of the military's network, he said.
Lynn's description of the USB incident is part of a broader article on the challenges the U.S. military faces in securing its networks against foreign intelligence agencies. U.S. military networks are probed thousands of times a day, he said.
"Right now, more than 100 foreign intelligence organizations are trying to hack into the digital networks that undergird U.S. military operations," Lynn said.

Moscow police investigate alleged ransomware gang


IDG News Service -
Russian police are reportedly investigating a criminal gang that installed malicious "ransomware" programs on thousands of PCs and then forced victims to send SMS messages in order to unlock their PCs.
The scam has been ongoing and may have made Russian criminals millions of dollars, according to reports by Russian news agencies. Russian police seized computer equipment and detained a Russian "crime family" in connection with the crime, the ITAR-TASS News Agency reported Tuesday.
Russian-language reports say that 10 people are expected to be charged and that tens of thousands of Russian-language victims were hit by the scam, which also affected users in Ukraine, Belarus and Moldova.
The criminals reportedly used news sites to spread their malicious software, known as WinLock, which disables certain Windows components, rendering the PC unusable, and then displays pornographic images.
To unlock the code, victims must send SMS messages that cost between 300 rubles ($9.72) and 1,000 rubles.
The scam may have hit as many as 1 million PCs in the Russian-speaking world, according to Sergey Golovanov, a malware analyst with Russian antivirus vendor Kaspersky Lab. "The bad guys are paying $3 per infection to anyone who agrees to spread this malware through blogs, banners, exploits, botnets, etc." he said in an e-mail interview.
The scam has worked so well because in many former Soviet-bloc countries telecommunication companies make it very easy for criminals to anonymously register the kind of paid phone numbers used to pay the ransom, Golovanov said. And communication companies are happy to take their 50% cut of these SMS charges. "It's a big problem and in my opinion no one wants a solution in this case," he said.
Usually victims who pay the ransom do get their PCs unlocked, but there's no guarantee. Victims could very well have their hard drives deleted after they make the payment, Golovanov said. "It all depends on the bad guys."
Security experts have tracked this type of software for more than a year now, but in most of the world it rarely shows up, according to Dave Marcus, director of McAfee Labs security research communications.
The software is not considered to be a very sophisticated threat, he said. "It's just locking your screen with a password you don't know, which is not that sophisticated when you get down to it."

Microsoft investigates years-old IE bug


Computerworld - Microsoft last Friday said it was looking into a long-known vulnerability in Internet Explorer (IE) that could be used to access users' data and Web-based accounts.
The bug can allow hackers to hijack Web mail accounts, steal data and send illicit tweets, said Google security engineer Chris Evans in a message posted on the Full Disclosure mailing list.
Evans also published a demonstration that showed how the flaw in IE8 could be used to commandeer a user's Twitter account and send unauthorized tweets.
The vulnerability, known as a "CSS cross-origin theft" bug, has a long history. Researchers at Carnegie Mellon University, who recently published a paper on the subject, have traced it back as far as 2002. Those researchers will present their paper at the Conference on Computer and Communications Security next month.
Even so, the flaw received little attention until Evans blogged about it in December 2009. He had submitted a bug report for Chrome eight months earlier.
Although Microsoft has not patched the vulnerability in IE8, other browsers, including Firefox, Chrome, Safari and Opera, have fixed the flaw. Google patched the bug in Chrome last January, while Mozilla did the same in July with Firefox 3.6.7 and Firefox 3.5.11.
IE9 includes a fix for the vulnerability. Microsoft plans to ship a public beta of IE9 on Sept. 15.
On Friday, Evans explained why he was adding to the patch pressure by crafting a proof-of-concept. "I have been unsuccessful in persuading the vendor to issue a fix," he said of Microsoft.
Microsoft issued a statement Friday saying it was investigating Evans' reports, but declined to answer questions on Monday, including whether earlier versions of IE were vulnerable or why it has not yet addressed the bug.
"We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact," said Jerry Bryant, a group manager with the Microsoft Security Response Center, in the e-mailed statement.
Microsoft should not have been surprised by Evans' disclosure. In early August, Evans blogged that IE8 was the "most vulnerable" to the flaw. In that blog, Evans also said he had a proof-of-concept able to appropriate a Web mail account. "It's a nasty attack," Evans said. "E-mail someone a link, and if they click it, they are owned with a pure browser cross-origin bug."
This isn't the first time that someone from Google has released information about a bug in Microsoft software after claiming he got the cold shoulder. Earlier this summer, Tavis Ormandy -- like Evans a Google security researcher -- went public with a Windows flaw after he said Microsoft wouldn't commit to a patching deadline. Microsoft disputed Ormandy's account.
Microsoft eventually pushed up the patch date for Ormandy's bug by a month.
On Friday, Bryant reiterated Microsoft's position on early disclosures. "To minimize risk to computer users, Microsoft continues to encourage coordinated vulnerability disclosure," he said, referring to his company's new term for keeping vulnerability information secret until a patch is available.

LG announces smartphones with dual-core processor

IDG News Service - LG Electronics on Tuesday announced a new series of smartphones with next-generation dual-core processors, which should provide a big leap in performance while maintaining device battery life.
LG's new Optimus line will include smartphones running on Nvidia's Tegra 2 dual-core chips, which will also allow handsets to play 1080p high-definition video, LG said in a statement.
Most of today's smartphones come with single-core processors and are capable of playing only 720p resolution video. Beyond full HD support, dual-core processors could enable smartphones to run more demanding applications like videoconferencing.
The Optimus smartphones will "debut" in the fourth quarter of this year, the company said in a statement. The company did not specify when the phones would be generally available for purchase.
The new smartphones will come with two 1GHz processors. The Tegra 2 chip will provide double the Web browsing and up to five times faster gaming performance over single-core 1GHz chips, the company said.
Some of the most advanced smartphones today, including Motorola's Droid X, Apple's iPhone 4 and HTC's Evo 4G come with single-core 1GHz Arm processors.
Nvidia announced Tegra 2 in January, initially targeting the chips at tablets. The company has since said smartphones with Tegra 2 chips would ship later this year. Tegra 2 couples processor cores based on Arm's Cortex-A9 design with other components such as Nvidia's GeForce graphics core.
LG is one of the early companies to announce a dual-core smartphone, and major phone makers are expected to follow as chip makers release dual-core chips. Arm licensee Texas Instruments has said it will ship its first dual-core OMAP4430 chip later this year. Qualcomm has already shipped its first dual-core processor, the MSM8660, and plans to start testing samples of a faster dual-core chip, the QSD8672, later this year.
Samsung also jumped into the dual-core smartphone processor race on Tuesday. The South Korean chip maker announced its first dual-core mobile processor, code-named Orion, targeted at tablets, netbooks and smartphones. Orion features two 1GHz ARM Cortex A9 cores, and will be able to record video at a 1080p resolution. The processor will be available for testing in the fourth quarter and will be mass produced starting the first half of 2011.

Police in Europe conduct raids over file-sharing sites

IDG News Service - Police across Europe conducted raids Tuesday against Internet service providers and private individuals to collect evidence against several Web sites suspected of offering content to file-sharing networks without permission of the copyright holder.
"The action is still ongoing," said Jean-Marc Meilleur, spokesman for the Belgian Prosecutor's Office. "We are planning to give some information tomorrow morning."
At the request of Belgian authorities, Swedish police conducted a total of seven raids, including ones in Malmo, Eslöv, Umeå and at two places in Eskilstuna and around Stockholm, said Fredrik Ingblad, senior public prosecutor for the Swedish Prosecution Authority. Other raids were conducted in Norway, Belgium, Britain, Germany and Italy, according to Swedish prosecutors.
The raids were in connection with several Web sites, or Warez sites, that enable file sharing of material without proper permission, Ingblad said. Four suspects in Sweden were interrogated but later released, he said.
The action comes just shortly after Swedish authorities conducted a series of raids over the last two weeks related to file sharing using the Direct Connect protocol. At least 20 other cases related to file sharing are under investigation. Sweden has stepped up its efforts to stop file sharing, including prosecuting four men related to the Pirate Bay search engine, which enabled users to find content shared using the BitTorrent protocol.
Computer equipment was confiscated at some sites, including at Umeå University and several private residences, Ingblad said. Police also visited the ISPs Phomera and PRQ.
"The sole purpose of the raids is to get information about IP addresses," he said.
Internet Protocol addresses can be used to find out the general area where a server is located and which hosting provider supplies the connectivity to that machine. ISPs can connect that address with the actual person who holds an account on the ISP network, who is not necessarily the person using the computer when the illegal activity occurred.
Entertainment companies have often turned to the courts in order to force ISPs to reveal the subscriber information and file lawsuits against them.

Ingblad said Swedish authorities have no plans to start an investigation and the seized equipment will be turned over to Belgium authorities.
The raids were first reported on Tuesday by TorrentFreak, a blog that tracks file-sharing issues.

Spammers exploit second Facebook bug in a week


Computerworld - Facebook today said it has fixed the bug that allowed a spamming worm to automatically post messages to users' walls earlier this week.
The flaw was the second in the past week that let spammers flood the service with messages promoting scams.
Last week, Facebook quashed a different bug in its photo upload service that let a spammer post thousands of unwanted wall messages.
The newest worm was noticed Monday by researchers at a pair of antivirus vendors, Finland-based F-Secure and U.K.-based Sophos.
"A clever spammer has discovered a Facebook vulnerability that allows for auto-replicating links," said Sean Sullivan, an F-Secure security researcher. "Until now, typical Facebook spam has required the use of some social engineering to spread."
Clicking on the link to the bogus application automatically added the app to users' profiles, then automatically reposted a status message with a new link to friends' walls, said Sophos' Graham Cluley today.
While last week's spam plugged free iPhones, this week's scam touted surveys that offered Best Buy and Walmart gift cards to consumers who completed a marketing poll.
"I thought this survey stuff was GARBAGE but I just went on a shopping spree at walmart thanks to FB," some of the spam messages read.
Facebook today said it had plugged the newest hole and cleaned up users' walls.
"Earlier this week, we discovered a bug that made it possible for an application to bypass our normal CSRF [cross-site request forgery] protections through a complicated series of steps," said a company spokesman in an e-mailed statement. "We ... fixed it within hours of discovering it [but] for a short period of time before it was fixed, several applications that violated our policies were able to post content to people's profiles if those people first clicked on a link to the application."
"This is different than the photo upload bug," said Sullivan. "But be glad it's spammers doing this and not bot generators."
If malware makers had had this bug or last week's photo upload flaw, they might have been able to use them to attack Facebook's more than 500 million users with malformed images or auto-generated links to sites hosting a wide range of browser, operating system or application exploits, said Sullivan.
While Sullivan said a recent four-month analysis he's done on Facebook spam showed that the company has done a better job at curbing what he called "feature abuse" -- bogus accounts sending massive numbers of friend requests, for instance -- it's had a tougher job quashing bugs before scammers have used them.
"Clearly, there are bugs in Facebook and its application platform," said Sullivan. "There will be more to come. I certainly don't envy [Facebook]."
The two scammer-leveraged bugs came on the heels of a more traditional spam campaign two weeks ago that enticed Facebook and Twitter users with bogus claims of a free iPad.
Both Facebook and Sullivan gave users the same advice about dealing with spam, bug-related or not.
"We're advising people to be wary of posts and messages with suspicious-looking links, even if they come from friends, and to report applications that might violate our policies," said the Facebook spokesman.
"This should be a wake-up call for people who are clicking on links," added Sullivan. "They should be thinking, 'Maybe I don't even need to look at this [link].' It's better to be safe than sorry."