Cody Taylor

Wired is reporting that Microsoft is releasing the most secure version of Windows XP ever created, but only if you are the US Air Force. “The Air Force persuaded Microsoft CEO Steve Ballmer to provide it with a secure Windows configuration that saved the service about 0 million in contract costs and countless hours of maintenance. At a congressional hearing this week on cybersecurity, Alan Paller, research director of the Sans Institute, shared the story as an template for how the government could use its massive purchasing power to get companies to produce more secure products. And those could eventually be available to the rest of us. Security experts have been arguing for this “trickle-down” model for years. But rather than wield its buying power for the greater good, the government has long wimped out and taken whatever vendors served them. If the Air Force case is a good judge, however, things might be changing.”

Read more of this story at Slashdot.

It’s the most secure distribution version of Windows XP ever produced by Microsoft: More than 600 settings are locked down tight, and critical security patches can be installed in an average of 72 hours instead of 57 days. The only problem is, you have to join the Air Force to get it.

portscan writes “OpenBSD 4.5 has been released. New and extended platforms include sparc64, and added device drivers. OpenSSH 5.2 is included, plus a number of tweaks, bugfixes, and enhancements. See the announcement page for a full list. OpenBSD is a security-oriented UNIX/BSD operating system.” As per OpenBSD tradition, of course there’s a song.

Read more of this story at Slashdot.

coondoggie writes “So, if the government gave your company 0 million to spend on building a new data center what would you buy and how would you build it? Well, the Social Security Administration is about to find out. As part of the stimulus bill, or the American Recovery and Reinvestment Act of 2009, the SSA got the tidy little sum to replace its National Computer Center. The SSA in fact says it will need closer to 0 million to fund a new IT infrastructure, including the new data center — the physical building, power and cooling infrastructure, IT hardware, and systems applications. (This is addition to a million backup facility currently under construction in Durham, North Carolina).”

Read more of this story at Slashdot.

Time Doctor writes “The de-facto standard in Quake 3 engine technology, ioquake3, has hit version 1.36 recently. It includes a garbage bag full of improvements: in-game VOIP; optional external Mumble (voip); OpenAL; IPV6; anaglyph stereo rendering; Full x86-64 architecture support; Rewritten PowerPC JIT compiler, with ppc64 support; new SPARC JIT compiler, with support for both sparc32 and sparc64; improved console command auto-completion; persistent console command history; improved QVM (Quake Virtual Machine) tools; colored terminal output on POSIX operating systems; multiuser support on Windows systems (user-specific game data is stored in their respective Application Data folders); PNG format support for textures. Of course, there are even more fixes for security holes and other bugs in there. So, if you don’t like ads and queues in your Quake 3 experience, get a copy of Quake 3 off Steam and copy your data files and key into your ioquake3 directory.”

Read more of this story at Slashdot.

jchrisos writes “Microsoft is planning to disable autorun in the next Release Candidate of Windows 7 and future updates to Windows XP and Vista. In order to maintain a ‘balance between security and usability’, non-writable media will maintain its current behavior however. In any case, if it means no more autorun on flash drives, removable hard drives and network shares, that is definitely a step in the right direction. Will be interesting to see what malware creators do to get around this …”

Read more of this story at Slashdot.

CWmike writes “Adobe Systems has acknowledged that all versions of its Adobe Reader, including editions for Windows, the Mac and Linux, contain at least one, and possibly two, critical vulnerabilities. ‘All currently supported shipping versions of Adobe Reader and Acrobat, [Versions] 9.1, 8.1.4 and 7.1.1 and earlier, are vulnerable to this issue,’ said Adobe’s David Lenoe said in a blog entry yesterday. He was referring to a bug in Adobe’s implementation of JavaScript that went public early Tuesday. A “Bugtraq ID,” or BID number has been assigned to a second JavaScript vulnerability in Adobe’s Reader. Proof-of-concept attack code for both bugs has already been published on the Web. Adobe said it will patch Reader and Acrobat, but Lenoe offered no timetable for the fixes. In lieu of a patch, Lenoe recommended that users disable JavaScript in the apps. Andrew Storms, director of security operations at nCircle Network Security, said of the suggestion in lieu of patches, ‘Unfortunately, for Adobe, disabling JavaScript is a broken record, [and] similar to what we’ve seen in the past with Microsoft on ActiveX bugs.'”

Read more of this story at Slashdot.

There are numerous changes affecting data security and Ext3 and Ext4 performance. EXOFS and NILFS2 and FS-Cache for AFS und NFS are all new. Although it is now barely maintained, there are also fixes for ReiserFS

mask.of.sanity writes “Australia’s national welfare agency will release its ‘unbreakable’ AU0,000 smart card identification protocol for free. The government agency wants other departments and commercial businesses to adopt the Protocol for Lightweight Authentication of ID (PLAID), which withstood three years of design and testing by Australian and American security agencies. The agency has one of Australia’s most advanced physical and logical converged security systems: staff can access doors and computers with a single centrally-managed identity card, and user identities can be automatically updated as employees leave, are recruited or move to new departments. PLAID, which will be available soon, is to be used in the agency’s incoming fleet of contact-less smartcards that are currently under trial by staff. It will replace existing identity cards that operate on PKI encryption.”

Read more of this story at Slashdot.

nk497 writes “The UK government has further detailed plans to track all communications — mobile phone calls, text messages, email and browser sessions — in the fight against terrorism, pedophiles and organized crime. The government said it’s not looking to see what you’re saying, just to whom and when and how. Contrary to previous plans to keep it all in a massive database, it will now let ISPs and telecoms firms store the data themselves, and access it when it feels it needs it.” And to clarify this Barence writes “The UK Government has dropped plans to create a massive database of all internet communications, following stern criticism from privacy advocates. Instead the Government wants ISPs and mobile phone companies to retain details of mobile phone calls, emails and internet sites visited. As with the original scheme, the actual content of the phone calls and messages won’t be recorded, just the dates, duration and location/IP address of messages sent. The security services would then have to apply to the ISP or telecoms company to have the data released. The new proposals would also require ISPs to retain details of communications that originated in other countries but passed over the UK’s network, such as instant messages.”

Read more of this story at Slashdot.