Enon writes "eEye Digital Security has discovered 14 vulnerabilities in the FLAC file format that affect a huge range of media players on every supported operating system (Windows, Mac OS, Linux, Unix, BSD, Solaris, and even some hardware players are vulnerable). Heise points out a number of vulnerable apps that use the open source libavcodec audio codec library, which in turn relies on the flawed libFLAC library. These vulnerabilities could allow a person of ill will to trojanize FLAC files that could compromise your computer if they are played on a vulnerable media player. eEye worked with US-CERT to notify vulnerable vendors."
bestweasel writes "The BBC reports that a UK Government department has lost discs with details of 15 million benefit recipients, including names, addresses, dates of birth and bank accounts. The head of the department involved, HM Revenue & Customs, has resigned and his resignation 'was accepted because discs had been transported in breach of rules governing data protection', so someone thinks it's not a trivial matter. The Chancellor will try to evade responsibility in the House of Commons at 3.30 GMT. A similar leak of a 'mere' 15,000 records from the same department happened a month or so ago. At that time, they refused to say 'on security grounds' whether the information was encrypted." We just recently talked about Britain's consideration of legal penalties for situations like this. I imagine this incident will weigh on that decision.
Lucas123 writes "According to a Computerworld story, a relatively simple breakdown in communications led to a day-long systems outage within the VA's medical centers. The ultimate result of the outage: the cancellation of a project to centralize IT systems at more than 150 medical facilities into four regional data processing centers. The shutdown 'left months of work to recover data to update the medical records of thousands of veterans. The procedural failure also exposed a common problem in IT transformation efforts: Fault lines appear when management reporting shifts from local to regional.'"
bednarz writes "AT&T is requiring thousands of employees who work from their homes to return to traditional office environments, sources say. 'It is a serious effort to reel in the telework people,' says the Telework Coalition's Chuck Wilsker, who has heard that as many as 10,000 or 12,000 full-time teleworkers may be affected. One AT&T employee says rumors have been circulating since AT&T's merger with SBC that the new upper management is not supportive of teleworking: 'We'd heard rumors to that effect, and all of a sudden we got marching orders to go back to an office.'"
stern writes "A security researcher at Cambridge was trying to figure out the password used by somebody who had hacked his Web site. He tried running a dictionary through the encryption hash function; no dice. Then he pasted the hacker's encrypted password into Google, and voila — there was his answer. Conclusion? Use no password that any other human being has ever used, or is ever likely to use, for any purpose. I think."
mcwop writes "Early this morning Maryland passed legislation to apply a new 6% sales tax to 'custom computer programming' and other computer- and hardware-related services. Computer industry groups lobbied hard against the measure to no avail. Purchasers of IT services may find that in-house IT and buying out-of-state become attractive options, as well as cutting money out of other projects."
An anonymous reader writes "The 12 Angry Men have a followup to their piece on the cross-sell scam credit card companies have begun using. Their new article concerns another evolving scam being employed, where users are racking up huge fees and charges on cards that have never even been activated. The article goes deep into the standard way the scam plays out, as well as detailing some interesting history on how credit applications are processed, and where they are typically (and frighteningly) subject to tampering."
walk*bound writes "In an essay published by ZDNet, security scientist Dan Geer has an interesting proposal for e-commerce sites to evaluate the trustworthiness of clients that try to connect. Assume that end users either always say 'Yes' or always say 'No' to security dialog boxes. Then make the decision one of two ways: 'When the user connects, ask whether they would like to use your extra special secure connection. If they say "Yes," then you presume that they always say "Yes" and thus they are so likely to be infected that you must not shake hands with them without some latex between you and them. In other words, you should immediately 0wn their machine for the duration of the transaction — by, say, stealing their keyboard away from their OS and attaching it to a special encrypting network stack, all of which you make possible by sending a small, use-once rootkit down the wire at login time, just after they say "Yes."'"
Kurtz'sKompund writes in with word on the latest annual survey of the state of DNS on the Net. The survey, commissioned by infrastructure appliance vendor Infoblox, found that the use of Windows DNS Server in Internet-facing applications has fallen off dramatically as more users act on concerns about security. BIND 9, the latest version, gained against earlier, less secure versions. But in other dimensions, DNS practices showed little improvement from a security point of view. Hardly anyone is using DNSSEC; and 31% of nameservers allow promiscuous zone transfers, a number little changed from last year. Here's a video of an interview with Infoblox's chief architect Cricket Liu on the state of DNS.
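What "promiscuous zone transfer" means on the wire, as an added example that is neither the survey's methodology nor Infoblox's code: a nameserver that honours an AXFR query (QTYPE 252) from anyone hands out its entire zone. The block below builds the AXFR query in DNS wire format and classifies a server's reply from its header alone: an RCODE of REFUSED (or NOTAUTH) means the server is restricting transfers, while NOERROR with a non-zero answer count means the zone is open. The zone name `example.com`, the transaction ID and the two reply messages are constructed for the demo; a real probe would send the query over TCP with the two-byte length prefix that `tcp_frame` adds.

```python
import struct

QTYPE_AXFR = 252
QCLASS_IN = 1
FLAG_QR = 0x8000          # "this is a response" bit
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """Header (QDCOUNT=1, no RD: a transfer is never recursive) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return header + question


def tcp_frame(msg: bytes) -> bytes:
    """AXFR runs over TCP, where every DNS message is prefixed by its length."""
    return struct.pack("!H", len(msg)) + msg


def classify_axfr_response(data: bytes, txid: int = 0x1234) -> tuple:
    """Decide from the header whether the server allowed the transfer.
    Returns ('open', answer_count), ('closed', reason) or ('malformed', reason).
    Only the 12-byte header is inspected; record bodies are not parsed."""
    if len(data) < 12:
        return ("malformed", "short header")
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        return ("malformed", "transaction id mismatch")
    if not flags & FLAG_QR:
        return ("malformed", "not a response")
    rcode = flags & 0x000F
    if rcode != 0:
        return ("closed", RCODE_NAMES.get(rcode, f"rcode {rcode}"))
    if an == 0:
        return ("closed", "NOERROR but no records returned")
    return ("open", an)


# Constructed replies (assumption: what a BIND-style server sends back).
# A restrictive server echoes the question with RCODE=5 (REFUSED) and no answers.
REFUSED_REPLY = (struct.pack("!HHHHHH", 0x1234, FLAG_QR | 0x0005, 1, 0, 0, 0)
                 + build_axfr_query("example.com")[12:])
# An open server answers NOERROR with the zone's records; the bodies are
# omitted here because the classifier reads only the header counts.
OPEN_REPLY = (struct.pack("!HHHHHH", 0x1234, FLAG_QR | 0x0400, 1, 3, 0, 0)
              + build_axfr_query("example.com")[12:])


if __name__ == "__main__":
    q = build_axfr_query("example.com")
    print("query bytes:", tcp_frame(q).hex())
    print("restrictive server:", classify_axfr_response(REFUSED_REPLY))
    print("open server:", classify_axfr_response(OPEN_REPLY))
```

On the server side the fix is the same regardless of vendor: restrict transfers to the addresses of the zone's secondaries (in BIND, `allow-transfer { <secondary IPs>; };` per zone, or `{ none; }` globally), ideally with TSIG-signed transfers. A scripted probe of your own authoritative servers using a query like the one above is a quick way to find out which side of that 31% you are on.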
juct writes "The long-standing suspicion that the anonymizing network Tor is abused to catch sensitive data by Chinese, Russian, and American government agencies as well as hacking groups gets new support. Members of the Teamfurry community found Tor exit nodes which only forward unencrypted versions of certain protocols. These peculiar configurations invite speculation as to why they are set up in this way. Another Tor exit node has been caught doing MITM attacks using fake SSL certificates."
miller60 writes "Intel has become the latest major tech company to express interest in using portable data centers to transform IT infrastructure. Intel says an approach using a 'data center in a box' could be 30 to 50 percent cheaper than the current cost of building a data center. 'The difference is so great that with this solution, brick-and-mortar data centers may become a thing of the past,' an Intel exec writes. Sun and Rackable have introduced portable data centers, while Google has a patent for one and Microsoft has explored the concept. But for all the enthusiasm for data centers in shipping containers, there are few real-world deployments, which raises the question: are portable data centers just fun to speculate about, or can they be a practical solution for the current data center expansion challenges?"
thefickler notes that consumers aren't the only ones carrying "Death to DRM" placards. UK music retailers are telling the recording industry enough is enough — that the industry's obsession with copy protection is hurting, not helping, profit. Kim Bayley, director-general of the UK Entertainment Retailers Association, said that the anti-piracy technologies are not protecting industry revenue but instead "stifling growth and working against the consumer interest." The ERA hopes the industry will drop DRM in time for the holiday season. Good luck with that.
Arashtamere sends in a Computerworld story on a security flaw in the Windows 2000 pseudo-random number generator published by Israeli researchers earlier this month. Microsoft has now admitted that the flaw is present in XP too. Microsoft denies that the bug is a security vulnerability, since an attacker would have to have gained administrative access to a system before exploiting it. (The Israeli researchers point out that many common exploits provide admin access.) This stance apparently lets them off the hook for patching Win2K, which is in "extended support" mode, though it powers about 9% of US and EU business computers. Microsoft said that XP SP3, due in the first half of next year, will fix the bug. The company said that Vista, Windows Server 2003 SP2, and the new Windows Server 2008 are not vulnerable.
longacre writes "The FAA has awarded the long-anticipated first contract for development of its NextGen air traffic control system: a $1.8 billion deal with ITT Corporation, beating out bids from aerospace heavyweights such as Raytheon and Lockheed Martin. ITT's design will make use of hundreds of specially modified AT&T cellular phone towers which, in addition to their normal communications duties, will relay an aircraft's position to air traffic controllers and other aircraft in real time. The initial contract is only enough to wire and test the so-called ADS-B system in the Philadelphia area and around the Gulf of Mexico — hooking up the rest of the country will take an estimated 20 years and $20 billion."