Suramya's Blog : Welcome to my crazy life…

Just read this article on Betanews which tells about a special function in the Microsoft’s Windows Genuine Advantage (WGA) validation program that seems to check for a registry key used by WINE (An open source implementation of Windows API’s). If the program encounters the key it shows an error message and exits.

This on its own is not that bad, but if this is not stopped here whats to stop MS from using the same detection procedure on other programs and prevent them from running on wine? Their main target would probably be the MS Office Application suite which a lot of people run on Linux using Crossover Office. Soon they might decide that its against the EULA to run MS Office on a non-windows platform. Apple did the same thing with the OS X, by making it illegal to run it on non apple branded hardware.

I personally don’t care that much ’cause I run Linux and don’t run Wine on my system. I have a seperate windows machine where I run the Windows only software I use [Warcraft, Diablo etc etc] and all the MS software I have is legal and licenced. (For a change)

On the other hand its pretty disturbing. Lets see if the courts decide that this is a breach of law.

Original Story: BetaNews

– Suramya

The infamous SCO has been threatened to be delisted from the Nasdaq by the Nasdaq Exchange. I guess they should have paid a bit more attention to deadlines than on their lawsuites. If SCO doesn’t make a meeting with the Nasdaq officials it will disappear from the market on Feb 25th.

Considering that SCO stock dropped to $4.06 when the news of possible delisting spread, if the stock is delisted, the company is finished. ‘cant say I will miss them much. Never liked their high handedness is accusing the entire Linux community of stealing their work and then refusing to show the proof. They deserve whatever comes to them.

Complete Story: The Register
Another Version: computerweekly.com

– Suramya

I was catching up on all my unread email when I saw an email telling Bugtraq on how the SHA-1 encryption algorithim has been broken by a research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu (mostly from Shandong University in China). These guys have published a semi-private paper describing how they broke the crypto.

Now that even this algorithim is broken, we have to move to a new hash function that is harder to break. The National Institute of Standards and Technology (NIST) already has standards for harder-to-break hash functions: SHA-224, SHA-256, SHA-384 and SHA-512. They’re already part of government standards and can be used. Though I don’t know how fast people with switch to the new hashes.

A pretty good introduction to secure hashes is available here to help put all this in context.

Original Story: SHA-1 Broken, Schneier.com

– Suramya

Just read about this on the Secunia.com website. This one is a real scary one.

A new cross site scripting Vulnerability was discovered in the DHTML Edit ActiveX control in Internet Explorer when handling the ‘execScript()’ function. This allows the attacker to inject arbitrary script code in a user’s browser session in context of an arbitrary site. The best part is that even the SSL certificates etc are passed so there’s absolutely no way to find out if the site is spoofed or not. The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2.

Check out a demo of the attack at: http://secunia.com/internet_explorer_cross-site_scripting_vulnerability_test/. The link above is hosted by the group which published the vulnerability. You can read the original advisory here

The code to create your own spoofed sites can be gotten by viewing the source code for the above page. I copied it to my site and tested it and it actually works. Don’t try anything stupid with this code ’cause if you do you will be caught and then you can pass my regards to Bubba your new cell-mate.

Mozilla Firefox is not affected by this so stop using IE and enjoy the holiday shopping without worying about phishing attacks.

Enjoy.

Just days after AOL Released its media search engine (SingingFish.com) Yahoo has released a beta version of its video search engine. I tried it out and it actually seems to work pretty well. It has some problems finding stuff if the name is not spelled correctly but overall it works pretty nicely.

Yahoo is planning on using RSS to enable them to index the files. Its still in Beta so if you have problems/suggestions with it consider submitting a bug report.

Check it out at: http://video.search.yahoo.com/

– Suramya