Newly-found hybrid attack embeds Java applet in GIF file

Researchers at NGSSoftware have developed a hybrid attack capable of hiding itself within an image and intend to present details on the exploit at the Black Hat security conference next week. New and esoteric attacks are part and parcel of what Black Hat is about, but this particular vector could target web sites with a particularly vulnerable population: MySpace and Facebook. Social networking web sites tend to attract younger users, and while this particular attack can be used in a variety of ways, embedding the hook in profile photos that are then seeded and targeted at the teen crowd could be a very effective tactic.

The full details of the attack won't be available until next week, but Network World has managed to glean some key facts on its operation. The NGSSoftware team has found a way to embed a Java applet within a GIF; the hybridized file is referred to as a GIFAR. Just to make it clear, this is a file extension of convenience and not the literal name of any particular file type. The GIFAR exploit works because two different programs see the same file differently. The web server that actually holds the file sees it as a GIF file, and serves it accordingly, but when the "image" actually reaches the client, it's opened as a Java applet and run.

Simply viewing a GIFAR won't infect a system; the attack method requires that the user be linked to the hybridized infection from an appropriately malicious web site. Despite its name, this attack method is not limited to GIFs; ZDNet's Zero Day blog has additional information on the exploit, and states that a number of files could be combined with .JAR, including both JPEGs and DOCs. This seems to indicate that one could actually hide a Java applet inside another Java applet, and then tie both of them together with a BINK file, but the resulting mess would probably fail, even as comedic relief.

The root of the problem isn't within Java itself, but results from weak web application security. ZDNet's blog entry implies that the attack vector might be significantly reduced if web applications would actually parse a file's contents, rather than simply checking the extension. The research team will leave some details of the attack out in their presentation, to prevent immediate exploitation, and Sun intends to issue a patch that will serve as a short-term correction to the problem.
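The content-based check the ZDNet entry calls for, written out as an added example (my code, not NGSSoftware's research or any site's upload filter). It assumes the hybrid has the shape the article describes: GIF bytes at the front, a JAR (which is a ZIP archive) reachable from the end of the file. A JAR is found by its End Of Central Directory record and by letting Python's zipfile parse the archive; zipfile tolerates arbitrary leading bytes, which is exactly why an "image" with an archive glued on still opens as an archive. The sample inputs are constructed here, and the archive member is a plain text file.

```python
import io
import zipfile

GIF_MAGIC = (b"GIF87a", b"GIF89a")
ZIP_EOCD = b"PK\x05\x06"   # End Of Central Directory signature every ZIP/JAR carries near its end


def looks_like_gif(data: bytes) -> bool:
    """Header check only: what a naive extension or magic-byte filter does."""
    return data[:6] in GIF_MAGIC


def embedded_archive_members(data: bytes):
    """Return member names if the bytes also parse as a ZIP/JAR, else None.

    zipfile locates the central directory from the END of the file and tolerates
    leading junk (self-extracting archives rely on this), so the GIF prefix does
    not stop it from reading the archive.  A stray EOCD signature inside real
    image data raises BadZipFile and is treated as "no archive".
    """
    if ZIP_EOCD not in data:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def classify_upload(data: bytes) -> str:
    """Decide by content, not by extension. 'polyglot' is the case to reject."""
    is_gif = looks_like_gif(data)
    members = embedded_archive_members(data)
    if is_gif and members is not None:
        return "polyglot"          # GIF on the outside, archive on the inside
    if is_gif:
        return "gif"
    if members is not None:
        return "archive"
    return "unknown"


# --- constructed sample inputs (assumptions, not files from the article) ---
MINIMAL_GIF = (
    b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00"          # 1x1 logical screen, no colour table
    + b"\x2c" + b"\x00\x00\x00\x00\x01\x00\x01\x00\x00"   # image descriptor
    + b"\x02\x02\x44\x01\x00"                             # LZW min code size + one data sub-block
    + b"\x3b"                                             # GIF trailer
)


def build_archive() -> bytes:
    """A harmless ZIP with one text member, standing in for the archive half."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "constructed test member")
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_archive()
    samples = [("gif", MINIMAL_GIF), ("archive", archive), ("gif+archive", MINIMAL_GIF + archive)]
    for label, blob in samples:
        print(f"{label:12s} -> {classify_upload(blob)}  members={embedded_archive_members(blob)}")
```

The point of the check is that the server and the client must agree on what the file is. Listing the members of the embedded archive is also useful for triage, since an "image" whose inner archive contains `.class` entries is an obvious reject rather than a false positive.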

Windows Live Messenger Library 2.0 is released

The Windows Live Messenger Library (WLML) is a client-side library for building presence-enabled instant messaging web applications, hosted in any domain, that site visitors can use to interact with each other and with Windows Live Messenger users. WLML is written in C# and compiled into JavaScript using Script#; applications can be written either in C# (with Script#) or in JavaScript. WLML 2.0 has been released: it is backward compatible with WLML 1.0, and the version 1.0 API is still available. The new version (documentation) contains the following changes:

Sorted contact collections: New OnlineContacts and OfflineContacts collections list contacts in sorted order to make it easier for applications to show sorted contact lists.

Contact display picture links: Contact display picture links are now returned, but with respect to user privacy, there is some special handling required to use them in applications.

Customization for the Sign-In Control: color schemes can now be defined for the Sign-In Control.

A new URL for loading the library: Library files are now content distributed globally; applications should see improved library load time.

Hosted static images for status icons and Messenger logos: GIF and PNG static images for applications to use for displaying user status are now being hosted.

URL strings for Messenger resources: The library returns a set of market-specific URLs for applications to display links to required Microsoft pages such as the privacy statement. This is to enable applications to move the Sign-In Control out of view when it is not needed.

Sign-In Control returns extended authentication results: The Sign-In Control has been updated to return more detailed information about user authentication results.

Registration with Microsoft is not required to use the Windows Live Messenger Library for development purposes, but to give feedback you must sign up on the Windows Live Messenger Web APIs: Development forums.

Further reading

Windows Live Messenger Developer Blog: Messenger Library V2.0 available now!

Mapping the peculiar velocities of stars

All things dark are all the rage in cosmology at the moment. There is dark matter—a type of matter that only weakly interacts with light. And dark energy—the label used to denote the observed increase in the rate of expansion of the universe. Our knowledge of what dark matter is and what dark energy denotes is woefully inadequate, opening up a theoretician's paradise. There are all sorts of models out there and, in the case of dark energy, they all have to fit one data point, making it kind of trivial to obtain a good result. In the meantime, astronomers are scrabbling around—in, yes, the dark—figuring out how to obtain more precise measurements of the increasing acceleration of the universe.

In particular, there is a set of models that predict that the distribution of dark energy is not uniform, meaning that measurements of the velocity of stars at different distances and directions should be able to tell theoreticians whether barking up this particular tree is worthwhile. However, there is a problem: it is quite difficult to measure these velocities. Locally, astronomers use Type Ia supernovae as references for distance and speed, but the further away the supernovae are, the weaker the signal, and the more significant confounding sources of noise become.

One source of noise is gravitational lensing, which causes an apparent change in the brightness of the supernova, resulting in an incorrect distance calculation. A pair of Chinese astronomers have now examined the problem and showed that the signature of gravitational lensing can be removed.

A gravitational lens will often smear the image of the star into an arc shape, depending on the relative location of the star, the lens, and the telescope. The behavior of the lens is relatively static and its influence can be calculated in two dimensions by examining the correlations between points on the image and calculating the spatial frequencies of those correlations—dark matter can be observed through this method.

However, this 2D power spectrum does not allow a correction to be made for the distance and velocity of the star. To do that, the researchers performed the correlation and power spectrum calculations in 3D. The supernova light has most of its power along the line of sight, while the lens power spectrum remains 2D and at right angles to the line of sight. This effectively separates out the contribution of the lens, allowing researchers to correct for gravitational lensing.

So, this seems like a pretty obscure bit of research to put on Nobel Intent, but I think it is important to show these slightly less sexy parts of the scientific process. Should dark energy models with a non-isotropic distribution of dark energy prove correct, measurements derived from observations of Type Ia supernova will play a critical role in confirming them. Before that can happen, these sorts of problems need to be solved.

To give you some insight into how important this issue is to the astronomy community, during the time this paper was being written and going through peer review, four other papers on the topic were published or accepted for publication, presenting other ways to solve the same problem.

Physical Review D, 2008, DOI: 10.1103/PhysRevD.78.023006

Next up for pointless gaming laws? Illinois and FFXI

New York was the last state to pass a law forcing gaming companies to do something they already do, and it was such a great use of time and money that Illinois had to get in on the action. Following the trials of two parents trying to cancel a Final Fantasy XI account, the state passed a law saying that online games had to have a way to cancel your account online.

The summary of the bill, which was signed into law on Tuesday, follows:

…an Internet gaming service provider that provides service to a consumer… for a stated term that is automatically renewed for another term unless a consumer cancels the service must give a consumer who is an Illinois resident: (1) a secure method at the Internet gaming service provider's web site that the consumer may use to cancel the service, which method shall not require the consumer to make a telephone call or send U.S. Postal Service mail to effectuate the cancellation;

and (2) instructions that the consumer may follow to cancel the service at the Internet gaming service provider's web site. Makes it an unlawful business practice for an Internet gaming service provider to violate the new provisions.

I passed this over to our own Frank Caron. Caron, a while back, decided to work on his pasty Canadian complexion and canceled his Final Fantasy XI account in order to spend more time outside. How did he do it? He used the PlayOnline software that comes bundled with the game. As Frank points out, canceling your account is possible online, even if the software may seem obtuse to those who aren't familiar with this sort of service. "Besides, there are plenty of help files and 'contact us' notices to help guide users," he noted.

The law has good intentions, but are there many online games that don't allow you to do this? Was this a major problem? Don't you think someone would have looked into this a little more closely before writing the legislation? Sadly, we know the answer to that last question.

Thanks to GamePolitics for the heads up on this story. What do you guys think? Is canceling FFXI trickier than it needs to be? Do other games need to make this process more user-friendly? Sound off.

Game Review: Soulcalibur IV (PS3)

Soulcalibur IV is one of the few high-profile fighting games built from the ground up for current-gen consoles, and as such it's a pretty significant release. Sadly, though, while the graphics have been improved and the combat has been relatively untouched, the game as a whole is hurt by unneeded or unpolished additions.

Speaking strictly about the combat engine and the stock characters, Soulcalibur IV is at best an incremental improvement on Soulcalibur III. Combat largely feels the same, though the addition of equipment destruction and critical finishes does present some new opportunities. The former adds more than just a nice graphical effect, as it gives combat a nice technical dimension by allowing players to home in on certain spots and deal extra damage.

The latter, which is a powerful one-shot-kill finishing attack that can only be activated after breaking an opponent's guard, rarely occurs in normal combat, but does prevent players from turtling indefinitely. Neither addition is revolutionary, but both are welcome.

The mandatory equipment for my character made me abandon her almost immediately.

The character roster is expansive, encompassing players from all three previous games along with some new ones. Hilde is the standout addition, as she offers a great mix of ranged and close-quarters combat for skilled players. However, the bonus characters will likely wind up being soft-banned among those who play fair and exploited by those who don't.

While the anime guest characters are for the most part okay, if rather lifeless, the Star Wars cameos are an absolute joke. Darth Vader, the PS3 version pack-in, is by far the most balanced of them all, playing a bit like a short-bladed Siegfried with slightly more speed but slightly less power. But even he, with his ranged Force moves, doesn't mesh well with the other characters. As for Yoda and the Apprentice, imbalance is the name of the game. Yoda cannot be grabbed at all or hit with most high attacks and the Apprentice can shoot lightning. That should say all that needs to be said.

The game's character creation system is one of the biggest new additions, but sadly the whole thing falls flat on its face. First, created characters are effectively useless from the get-go. Players will need to spend quite a bit of time offline grinding their character up and unlocking better gear before they're ready to tackle the online mode. Created characters start off relatively weak, and need to be improved significantly before they can stand beside even stock normal characters online. This proved to be a little disappointing, as I quickly abandoned my custom character for a stock Hilde.

You're rewarded for and basically forced into equipping your character with a bunch of goofy items just to make it viable. Equipment has crucial stats, and opting to leave out a silly hat or a stupid monocle will actually weaken your character. Given that there's no way to create a "stock" custom character free from the limitations of this stat and experience system, the character creation system fails miserably by preventing you from creating the character you actually want to create.

The other big addition, online play, is also lacking. You've already heard my thoughts on it in detail but it bears repeating that the entire section of the game lacks polish. Everything from the interface itself to actual online connectivity is far from excellent, which is disappointing considering the "caliber" of this release. Hopefully a post-release patch can suss out some of these issues.

During my play time with Soulcalibur IV, I was seriously considering a retraction of my Soulcalibur piece which suggested you wait for this rather than pick up the Xbox Live Arcade port of the original. At its core, Soulcalibur IV is a solid fighter and a worthy upgrade for the old series on the current consoles. If you can ignore the new additions and the over-the-top art direction, you'll find yourself with a solid, high-definition Soulcalibur. There are some good single player modes beyond the simple arcade mode to enjoy, including the excellent Tower mode, as well as the expected goodness of local versus multiplayer.

But all the glitz and glamor, all the extras and needless distractions, that Namco-Bandai decided to pack in weigh the game down. What could have been a perfectly tight product is instead a gaudy mess, full of unnecessary and unfulfilling additions. Like Dead or Alive, Soulcalibur IV at times feels as though the scantily-clad women, whose clothes are easily shredded in battle to reveal little more than a piece of cloth, take a front-seat to the action all too often.

I'm going back to Soulcalibur.

Verdict: Rent
Developer and Publisher: Namco-Bandai
Platform: PS3, 360
Price: $59.99
Rating: Teen
Other recent reviews:

Grimm
Final Fantasy IV
Rock Band Wii
Chocobo's Dungeon
Song Summoner: The Unsung Heroes

TI launches hackable Beagle Board for hobbyist projects

TI has announced the availability of the Beagle Board, a hackable embedded development platform built around an OMAP3530 processor, which incorporates an ARM Cortex A8 and a TMS320C64x+ DSP. Aimed squarely at hobbyist developers, the board provides an expandable foundation for experimentation and homebrew computing appliance projects.

The board, which is sold through Digi-Key for $149, includes DVI and S-Video outputs, an SD card slot, stereo audio input and output, and a USB OTG port. It has 128MB of LPDDR RAM and 256MB of NAND flash. It has a small footprint (only 3 inch by 3 inch), very low power requirements, and no fan. It can be powered via a USB connector, AC adapter, portable battery, car adaptor, or even a solar-powered backpack. Several flavors of Linux have already been experimentally ported and tested on the board, including Ubuntu, Maemo, and an OpenEmbedded derivative called Angstrom. There is also a project that aims to bring an embedded version of Windows to the device.

We spoke with TI open platform architect Jason Kridner, who explained that the function of the Beagle Board is to empower enthusiasts and enable them to innovate in the hardware space. He says that a vibrant community has already sprung up around the product and is exploring applications ranging from homebrew media centers to wearable computing. If you add a monitor and USB input devices, it can be used as a low-cost computer. I saw it used in this manner myself when I was at Lug Radio Live earlier this year.

The Beagle Board mailing list has become the primary hub for communication between adopters. It already has over 500 members and lots of discussion on topics like software compatibility and power consumption.

Overall, it’s a nifty little hardware platform for open source experimentation and it offers enough performance and expandability to facilitate some useful things. For more details, check out the project’s web site.

EFF “Switzerland” packet monitor tool looks for ISP meddling

In recent years, ISPs have taken an increased interest in faking packets, and for some mysterious reason, they don't always like to make this fact perfectly clear to customers. Hoping to bring power to the people, the Electronic Frontier Foundation (EFF) yesterday released a tool called "Switzerland" that can help users find out if an ISP is modifying packets or injecting packets of its own into any protocol. The tool is open source and available now for download, but there's a reason that EFF refers to the current release as "Version Zero."

The software, designed to see if an ISP is delivering packets "neutrally" (hence the Switzerland reference), has undergone in-house development for some time. EFF Staff Technologist Peter Eckersley coded the initial version, which has now been opened up and made available on SourceForge. Enterprising network hackers (and GUI experts) are needed to continue development of version 0.0.4.

The app, coded in Python, runs on Linux, OS X, and Windows, but currently operates only in a command-line version that can take a fair bit of technical skill to install (the backup installation instructions involve a compiler). Once running, the software uses a "semi-P2P, server-and-many-clients architecture" to monitor all packets sent from the clients to the server; if any are altered in transit or appear at the server without being sent from the client, the software alerts the user that packets are being modified or injected somewhere between the two machines.

The software is protocol agnostic, which means that it can be used to find both the TCP reset packets that Comcast has used to limit BitTorrent uploading and the code injected by NebuAd's ISP-based ad-serving system. Development was inspired by the Comcast case, and the software was fittingly announced the day before the FCC vote that brought the matter to a close.
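The comparison described above, reduced to its core as an added example (my code, not the EFF's Switzerland source). Both ends keep a log of the packets they saw, keyed by flow and sequence number and carrying a digest of the bytes; reconciling the client's "sent" log against the server's "received" log yields three verdicts: modified (same packet, different bytes), injected (arrived at the server but was never sent by the client, the shape of a forged TCP reset), and dropped. The flow key, the digest and the sample packets are my assumptions, constructed for the example; the injected header in the second packet is likewise constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    seq: int        # assumed stable identifier within a flow (TCP sequence number)
    flags: str      # e.g. "PA" (PSH+ACK), "R" (RST)
    payload: bytes

    def key(self):
        """Identity of a packet: which flow it belongs to and where in the stream it sits."""
        return (self.src, self.dst, self.seq)

    def digest(self) -> str:
        """Hash only the fields an intermediary would have to tamper with to change
        meaning.  Addresses/ports are deliberately left out of the hash, since a
        NAT rewrites them legitimately and would otherwise flag every packet."""
        return hashlib.sha256(self.flags.encode() + b"|" + self.payload).hexdigest()


def reconcile(sent, received):
    """Compare the client-side log (sent) with the server-side log (received).

    Returns a dict with:
      modified -> list of (sent_packet, received_packet) pairs whose bytes differ
      injected -> packets the server saw that the client never sent
      dropped  -> packets the client sent that never reached the server
    """
    sent_by_key = {p.key(): p for p in sent}
    recv_by_key = {p.key(): p for p in received}
    report = {"modified": [], "injected": [], "dropped": []}
    for key, rp in recv_by_key.items():
        sp = sent_by_key.get(key)
        if sp is None:
            report["injected"].append(rp)
        elif sp.digest() != rp.digest():
            report["modified"].append((sp, rp))
    for key, sp in sent_by_key.items():
        if key not in recv_by_key:
            report["dropped"].append(sp)
    return report


def summarize(report) -> dict:
    """Counts per verdict, the form an alert would carry."""
    return {verdict: len(items) for verdict, items in report.items()}


# --- constructed sample logs (assumptions, not captures from the article) ---
CLIENT, SERVER = "10.0.0.2", "203.0.113.5"
CLIENT_SENT = [
    Packet(CLIENT, SERVER, 1, "PA", b"GET /index.html HTTP/1.1\r\n"),
    Packet(CLIENT, SERVER, 2, "PA", b"Host: example.test\r\n\r\n"),
    Packet(CLIENT, SERVER, 3, "PA", b"<remainder of request>"),
]
SERVER_RECEIVED = [
    Packet(CLIENT, SERVER, 1, "PA", b"GET /index.html HTTP/1.1\r\n"),          # untouched
    Packet(CLIENT, SERVER, 2, "PA", b"Host: example.test\r\nX-Injected: 1\r\n\r\n"),  # altered in transit
    Packet(CLIENT, SERVER, 4, "R", b""),                                     # RST the client never sent
    # seq 3 is absent: dropped somewhere between the two machines
]

if __name__ == "__main__":
    report = reconcile(CLIENT_SENT, SERVER_RECEIVED)
    print(summarize(report))
    for sp, rp in report["modified"]:
        print("modified seq", sp.seq, "sent", sp.payload, "got", rp.payload)
    for p in report["injected"]:
        print("injected seq", p.seq, "flags", p.flags)
```

The reason the tool needs a cooperating server rather than a single vantage point is visible here: neither log alone shows anything wrong, and only the join of the two exposes the forged reset and the altered header. Which fields go into the digest is the hard part in practice, since anything a NAT or a legitimate middlebox rewrites has to be excluded or normalised first.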

"Until now, there hasn't been a reliable way to tell if somebody—a hacker, an ISP, corporate firewall, or the Great Firewall of China—is modifying your Internet traffic en route," said Eckersley in a statement. "The few tests available have been for narrow and specific kinds of interference, or have required tremendous amounts of advanced forensic labor. Switzerland is designed to make general-purpose ISP testing faster and easier."

It's not there yet, but the EFF hopes that one day, Switzerland will pump copious amounts of data into its "Test Your ISP Project." The project gathers white papers, test results, and network testing software into a single repository so that users can find out exactly what ISPs are doing with their packets. While companies like Comcast have already pledged to be better about disclosure, the EFF is a fan of the "trust… but verify" approach.

"At a minimum, consumers deserve a complete description of what they are getting when they buy 'unlimited Internet access' from an ISP," says the Test Your ISP project page. "Only if they know what is going on and who is to blame for deliberate interference can consumers make informed choices about which ISP to prefer (to the extent they have choices among residential broadband providers) or what counter-measures they might employ."

If the FCC lacks the resources to proactively examine ISP network management, and ISPs themselves aren't always up for full disclosure, tools like Switzerland should let consumers know what to expect from an ISP. Finding a better one, though, may be more difficult.

aTV Flash brings GUI installer, Apple TV 2.1 support

The Apple TV is a debatably great device with what many argue is a lot of unrealized potential. Some want to see the Apple TV bring widgets and applications into the living room, while others want support for the codec rainbow and external USB storage. For some time now, aTV Flash from Apple Core, LLC has brought a number of these improvements to the Apple TV with a set of clunky Unix scripts and magic fairy dust. With a fresh new version 3.2 update, however, things have gotten a lot more interesting.

As a quick primer: aTV Flash has enabled Apple TVs with support for DivX, Xvid, AVI, and WMV formats, surfing the web with Safari, checking weather forecasts, and much-sought-after USB mass storage for some time now. The only catch has been that setting all this up involves some fairly unfriendly scripts and a USB flash drive.

With version 3.2, aTV Flash now sports a GUI installer for those allergic to Unix and the Terminal. It also supports the latest Apple TV 2.1 update, which means that all the support for codecs and external USB storage doesn't require downgrading to a previous, less capable version of the Apple TV software. The update also adds regular FTP support to aTV Flash's previous SFTP and SSH capabilities.

All this useful functionality doesn't come cheap, though. aTV Flash has no demo to download and try out, and a license with simple installation instructions costs $50, which includes one year of free updates. Extra years can be purchased for $10 each, and "lifetime" updates cost $30. On the upside, Apple Core says aTV Flash in no way voids the Apple TV's warranty. We aren't positive whether that's accurate, but we'll agree with 43Folders: it's probably best to dive into aTV Flash on the premise that you proceed at your own risk.

Expect a review of aTV Flash's installation process and performance in the coming weeks. Considering that its features make the Apple TV a far more appealing device, we're very interested in whether aTV Flash can live up to its promises.

House Committee decides to HANG UP on in-flight cell calls

It's the classic battle fought against a modern backdrop: just as technology is finally saying that we could have wireless communication on airplanes, humanity is questioning whether we should have it; or at least certain kinds of it. The hemorrhaging airline industry is eager to allow (and charge for) passengers to use mobile phones on planes, but a bill that would ban such use is making progress through the US House.

Dubbed the "Halting Airplane Noise to Give Us Peace" (HANGUP… get it?) Act of 2008, the bill was approved by the House Transportation and Infrastructure Committee by a voice vote yesterday. The bill's next stop is likely to be the House floor.

In a nutshell, the bill states that "An individual may not engage in voice communications using a mobile communications device in an aircraft during a flight in scheduled passenger interstate air transportation or scheduled passenger intrastate air transportation." Exempt from this rule are flight crew, flight attendants, and federal law enforcement officers acting in an official capacity. Note that the bill's language doesn't touch other mobile-phone-based communication like text messaging, e-mail, and Internet access, and it also excludes voice communicating using a phone installed on an aircraft.

Currently, the FAA and FCC are responsible for policy regarding in-flight use of electronics, but this bill would take the decision-making authority out of their hands. Traditionally, the use of mobile phones and other wireless communication devices has been banned on planes out of concern for interference with sensitive equipment. While this point has been regularly contested over the years, research as recent as 2006 still leaves the matter undecided, with data remaining inconclusive as to whether making a call mid-flight could adversely affect instrumentation.

If mobile phone use were unleashed for flights, however, the airlines are reportedly thrilled about the revenue potential. Customers could be charged a small premium for the privilege of making a mid-flight call (though we aren't quite sure how this could be policed on a flight), while other customers could be charged a different fee to sit in a "phone-free section."

Before we all start investing in highly effective noise-canceling headphones, however, this HANG UP bill may cut airlines off at the pass. "Polls show the public overwhelmingly doesn't want to be subjected to people talking on their cell phones on increasingly over-packed airplanes," Representative Peter DeFazio, a Democrat from Oregon who cosponsored the HANG UP Act, said in a press release. "However, with Internet access just around the corner on US flights, it won't be long before the ban on voice communications on in-flight planes is lifted."

NVIDIA Forceware 180: Big Bang II?

NVIDIA will launch a new version of its ForceWare graphics drivers in September, and its unusual name is causing some ripples. GPUCafe claims to have information on what the new update will include, and if they're right, it will be quite an update indeed.

The new release, properly called ForceWare release 180, is being referred to in NVIDIA documentation as "Big Bang 2." This name evokes an earlier driver launch, Big Bang, which first allowed multi-GPU support on the GeForce 6000 series. The name implies that this driver release will be similarly huge, and the declared feature list is pretty compelling. GPUCafe says ForceWare release 180 will bring the following features:

Multimonitor support for SLI
DisplayPort support
OpenGL 3.0
Hardware video transcoding
GPU PhysX support
Performance optimizations

The performance optimizations are a continuing process, and a matter of routine. Support for the new standards is a good thing, and HTPC users will like the transcoding support. DisplayPort may now begin to appear on NVIDIA cards. The big news, however, is the PhysX and multimonitor announcements.

NVIDIA promised to release PhysX support for 8-series and 9-series cards in February, and this release will make good on that promise. Users will be able to use a second card, possibly a different kind, for Physics calculations while another handles graphics, in something similar to demos from both NVIDIA and ATI in years past. It may drive sales of new cards, or merely allow reutilization of older cards. SLI has been a bit of a thoroughbred for some time now, and these restrictions are gradually coming apart.

In the beginning, SLI required the two cards to be from the same exact model and same memory size, and later allowed any two cards with the same GPU to be chain-ganged. Similarly, Crossfire once required a special Crossfire-edition card and now does not. AMD has been making baby steps in the direction of allowing different GPUs to cooperate with its Hybrid Crossfire on the 780G, but NVIDIA's PhysX announcement takes it a bit further by allowing different discrete cards to cooperate, and to drive multiple monitors.

It is probable that at some time in the future, coordination will be able to use any number of different cards from the same manufacturer, driving any combination of monitors. This announcement brings that day a bit closer.