Hacking and Phreaking in the UK. Old school ethics, New school tech.

Archive for the 'Exploits' Category

02 12th, 2007

It would appear that Microsoft hasn't learnt from its previous experiences. Working as a consumer IT technician during the release of Windows XP, we found it trivial to load an XP Upgrade pack onto any system. This was possible because the XP upgrades were merely full editions with a number of checks bolted on. Buy an upgrade, bypass the checks and install your new version of Windows at half the cost.

Vista has been out for about two weeks now and guess what? It's happened again.
The Register reports on Marc Liron of www.instantvista.com and his technique for applying the same strategy to Windows Vista.

From the article.

“In short, all you need to do is delay entering your product key and delay validating your copy of Vista online until the setup is complete. For some reason, Microsoft has decided to allow users to install first and deal with the paperwork later. Simple in theory, although the details of exactly how to do this are a bit lengthy, and we strongly recommend following Liron’s step-by-step instructions linked above. But, in a nutshell, all you are doing is avoiding the traps that MS has set up to cancel the upgrade installation if an authorised version of Windows isn’t already present. If you dodge those traps, you can install a Vista upgrade on any machine, and later enter your product key and validate your copy normally.”

More Information:

The Register - How to install a Vista upgrade on any PC
Marc Liron article, step-by-step guide.


Vista DRM Cracked
author: Biomech
01 29th, 2007

From Slashdot:

“Security researcher Alex Ionescu claims to have successfully bypassed the much discussed DRM protection in Windows Vista, called ‘Protected Media Path’ (PMP), which is designed to seriously degrade the playback quality of any video and audio running on systems with hardware components not explicitly approved by Microsoft. The bypass of the DRM protection was in turn performed by breaking the Driver Signing / PatchGuard protection in the new operating system. Alex is now quite nervous about what an army of lawyers backed by draconian copyright laws could do to him if he released the details, but he claims to be currently looking into the details of safely releasing his details about this at the moment though.”


12 28th, 2006

I came across a very interesting story on Slashdot yesterday. Having studied Advanced-Level Psychology, I am well versed in the Milgram experiment (Wikipedia), an experiment performed in 1963 by the psychologist Stanley Milgram. Much TV coverage has been given to Milgram clones over the past few years, yet the original experiment remains the subject of some debate.

Milgram placed subjects in a room with another person in an authority role. The subject was then given instructions to question a third person (confederate), located in a second room. Upon receiving an incorrect response, the subject was to shock the confederate in increasing doses. The confederate, at no point, actually received a shock, but was instructed to act as if they had.

The aim of the experiment was to “measure the willingness of a participant to obey an authority who instructs the participant to do something that may conflict with the participant’s personal conscience.”

The following was pulled from Slashdot, and describes the same experiment being performed against a computer character, with surprising results:

Considered unethical to ever perform again with humans, researcher Mel Slater recreated the Milgram experiment in an immersive virtual environment. Subjects (some of whom could see and hear the computerized woman, others who were only able to read text messages from her) were told that they were interacting with a computer character and told to give increasingly powerful electric shocks when wrong answers were given or the ‘woman’ took too long to respond. The computer program would correspondingly complain and beg as the ’shocks’ were ramped up, falling apparently unconscious before the last shock. The skin conductance and electrocardiograms of the subjects were monitored. Even though the subjects knew they were only ’shocking’ a computer program, their bodies reacted with increased stress responses. Several of the ones who could see and hear the woman stopped before reaching the ‘lethal’ voltage, and about half considered stopping the study. The full results of the experimental report can be read online at PLoS One. Already, some (like William Dutton of the Oxford Internet Institute) are asking whether even this sanitized experiment is ethical.


AVG Free to Stay Free
author: Biomech
11 22nd, 2006

Recently, users of GRISoft’s AVG Free anti-virus software have been subjected to pop-ups informing them that, come 15 January 2007, their AVG Free protection will expire and they will be required to pay for the fully supported version of the popular anti-virus product.

Fortunately, this turns out to be a misunderstanding. GRISoft have stated that they will continue to offer the Free variant of AVG, and that the pop-up, whilst badly worded, only serves to inform users of the upgrade from version 7.1 to version 7.5. The newer version offers improved performance and compatibility with the upcoming Vista operating system.

You can download the latest version of AVG Free here.


11 21st, 2006

zbuffered at Slashdot writes,

“Today, Mozilla made public bug #360493, which exposes Firefox’s Password Manager on many public sites. The flaw derives from Firefox’s willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user’s site will be unhelpfully propagated with the visitor’s Myspace.com credentials. It was first discovered in the wild by Netcraft on Oct. 27. As this proof-of-concept illustrates, because the username/password fields need not be visible on the page, your password can be stolen in an almost completely transparent fashion. Stopgap solutions include avoiding using Password Manager and the Master Password Timeout Firefox extension, which will at least cause a prompt before the fields are filled. However, in the original case detailed in the bug report, the phish mimicked the login.myspace.com site almost perfectly, causing many users to believe they needed to log in. A description of this new type of attack, dubbed the Reverse Cross-Site Request (RCSR) vulnerability, is available from the bug’s original author.”

More Information: Bugzilla Bug 360493


Tables Turned on 13yo Fraud
author: Biomech
11 1st, 2006

It has just come to my attention that, last week, a rather hilarious example of skiddie stupidity occurred whereby a 13-year-old game enthusiast attempted to obtain the login details of a gamer from Tennessee.

The 13-year-old, posing as a Valve employee, started up a chat session via MSN with br0kenrabbit of the Futuremark gaming forums. The teenager, known as “Greg”, attempted to steal br0kenrabbit's Steam account by asking for sensitive account information.

Not being as naive as Greg, br0kenrabbit turned the tables on his would-be assailant by posing as an official Valve employee himself. After informing Greg that a genuine Valve representative would NEVER converse with customers over MSN and would NEVER ask for sensitive account information, br0kenrabbit told Greg that his account would be suspended, and went on to extract all of the fraudster's own personal details.

Once br0kenrabbit came clean, having locked Greg out of his own account, Greg expressed his horror with a..

i was just making a joke but not cerious honest dude just give
my acount back pllllleeease i’m only 13 and save d up for like a year to buy it

The full MSN log can be found here on Futuremark Gaming Forum.

Kudos to DrDeath at Hackers Voice for pointing out this story.


Microsoft to Steal Time
author: Biomech
10 23rd, 2006

Ever the bearer of proprietary software, Microsoft have inadvertently managed to steal an hour of everyone's time.

A bug in Microsoft's Exchange Server is set to turn the clocks back a week earlier than anticipated, meaning loyal users of Outlook and the like will find they need to log a call with the much beloved Mulder and Scully as an hour of their day is molested by the Seattle entities.

The issue occurs when Microsoft's Exchange Server handles the yearly change from BST back to GMT, which takes place on the last Sunday in October. Exchange, however, is under the impression that every October has only four Sundays, and so treats the fourth Sunday as the last; in years where October has five Sundays (this year, and again in 2010, 2011 and 2016) it resets the clocks a week early.

Microsoft have issued a patch for pre-Service Pack 2 releases here.


Google Drops 2600uk.com
author: Biomech
10 20th, 2006

As some of you may have noticed, 2600uk.com has dropped off the face of the Google planet. Asking around, it would appear that a number of other websites have also fallen from Google's grace and, interestingly enough, each of those I spoke to contained information on the dark side of Google's Code Search facility.

A swift email to Google produced no reply, and checking Google's cache of 2600uk.com lists our Code Search post in the top spot. With its frequent intrusion into our lives not enough, could it be that Google is also trying to censor those with whom it fails to agree?

I’ve always said, “He who controls Google, controls the world”. Yet with the Google hole becoming ever deeper, it wouldn’t be ludicrous to suggest that Google itself will fall from grace in the not too distant future.

Update: It looks like Google has now relisted the site. Interestingly this comes as the CodeSearch post drops off the homepage and into the archives. Again, there has been no response to previous emails querying Google.


10 12th, 2006

Trend Micro, a pretty big AV company, has announced that thousands of government computers may be compromised with bot infections. Among those listed are the Department of Defense, the Navy Network Information Center, the Pittsburgh Supercomputing Center, Argonne National Laboratory, and the Navy Regional Data Automation Center.

Their research comes from the analysis of 60 terabytes of data from their Behavioral Analysis Security Engine (BASE), including a massive amount of spam email in addition to aggregated data from network connections on NetFlow-enabled networks and DNS queries. Some of the organisations listed have disputed the finding and the research team is now rechecking its results.

Trend Micro estimates that there are 70 million hacked zombie computers worldwide and that each month 8 to 9 million of them are used to send spam. Some 60% of the compromised computers are used primarily to send spam, the remainder for more nefarious purposes.

Sources: Trend Micro: Thousands Of Government Computers Infected By Bots and Trend Micro Goes After Botnets


10 12th, 2006

The Bureau of Industry and Security (BIS) is the US government department that accepts paperwork on dual-use technology for export approval. Basically, anything crypto that isn't mass marketed goes through them.

As part of the process they receive detailed plans of how devices work, which they keep on computer.

It is these computers that were hacked from source IPs in China. Whether the actual attackers were in China or whether that was just an intermediate node is anyone's guess. It is also not known what information was taken. However, the US took it seriously enough to take all of the department's systems offline pending a reinstall, rather than attempt to clean the rootkits that were used. This is the second breach the government has admitted to since July.

Source: Bureau of Industry and Security Hacked and Chinese Hackers Hit Commerce Department
And for anyone that knows me… ‘Hi!’
This is the first of hopefully many regular posts…