Wednesday, May 3, 2017

Institutional resources of Vietnam National University, Hanoi


Nowadays, the demand for finding documents is very high. Vietnam National University, Hanoi has set up an open-source site that readers around the world can access free of charge.

You can view and download documents at VNU Open Access.
Or you can copy the address http://repository.vnu.edu.vn

Sunday, October 7, 2007

Hackers at Microsoft?! Now, wait a minute ...

Their existence is inarguable; it's the title that's weirding some folks out
For the record, there are hackers at Microsoft. Just don't call them hackers.

In August, a blogger using the handle "Techjunkie" started a Microsoft Developer Network blog called Hackers @ Microsoft that, he claimed, would introduce the world to some of the ethical "white hat" hackers working there.

White-hat hackers are security professionals who use many of the same techniques as the bad guys, but who learn how to break into systems for research purposes only. "The focus of this blog is likely to be a little different from most other blogs you'll see on blogs.msdn.com," Techjunkie wrote.

Then he went silent for a month and a half.

Late Thursday, however, Techjunkie resurfaced, saying that he was dropping the Hackers @ Microsoft name. "There was some concerns raised that the average blog reading audience may not be able to discern the difference, and we may inadvertently associate Microsoft with the negative connotations of the word 'hacker' that is out there," he wrote.

Techjunkie didn't say whether the decision to drop the name came from Microsoft Corp.'s marketing department, but if it did, he's found a way to get even. "To alleviate that concern, I've changed the name of the blog to '%41%43%45%20%54%65%61%6d'," he wrote.

"%41%43%45%20%54%65%61%6d" may not be as memorable as Hackers @ Microsoft, but it does mean something. It is code for "ACE Team," a reference to Microsoft's Application Consulting & Engineering Team, which does performance, security and privacy development work at Microsoft. They have a blog too.

Microsoft's PR agency said Friday that Techjunkie is, in fact, Ahmad Mahdi, a manager with the ACE Team. The %41%43%45%20%54%65%61%6d name was chosen to "better reflect the intent of the blog, its posts and content, as well as the work conducted by security researchers at Microsoft," a spokeswoman said via email.

Microsoft has talked frequently about its growing use of ethical hackers to test its products for bugs. The software vendor even invites them onsite twice a year for its Blue Hat security conference.

Techjunkie followed up his Thursday evening post explaining the name change with a generic blog item on the need for security processes when developing software.

The debate over the term "hacker" is long-running and bitter. Originally used to denote someone creative who enjoyed building new things with computers, the term has also come to mean computer attacker in popular culture, much to the dismay of the white hats.

One security professional who also maintains a hacking blog said he understood why Microsoft may have wanted to drop the name. "Unfortunately, I think there's a bit of a stigma associated with the word hacker," said Robert Hansen, CEO of security consultancy SecTheory LLC and also the man behind the ha.ckers.org Web site.

Though Hansen considers himself a hacker, he says that he sometimes downplays this fact in business situations. "There are definitely times at which I use the ha.ckers.org persona more than I use the SecTheory persona," he said. "Some people aren't comfortable with the concept."


(According to ComputerWorld)

Microsoft offers IE7 to all, pirates included

Browser download in XP no longer requires a WGA check
Users running pirated or counterfeit copies of Windows XP or Windows Server 2003 can now download Internet Explorer 7, Microsoft announced yesterday.

From the moment it released IE7 almost a year ago, Microsoft has restricted the browser to users who can prove they own a legitimate copy of the operating system. Before Microsoft allows the browser to download, it runs the user's PC through a Windows Genuine Advantage (WGA) validation test, a prime part of XP's antipiracy software.

When it instituted the requirement in 2006, Microsoft said rights to IE7 were one of the rewards for being legal. It changed its mind yesterday, saying the move is in users' best interest.

"Because Microsoft takes its commitment to help protect the entire Windows ecosystem seriously, we're updating the IE7 installation experience to make it available as broadly as possible to all Windows users," said Steve Reynolds, an IE program manager in a posting to a Microsoft company blog. "With today's 'Installation and Availability Update,' Internet Explorer 7 installation will no longer require Windows Genuine Advantage validation and will be available to all Windows XP users."

Microsoft has consistently touted IE7 as a more secure browser, and post-launch patch counts back that up. In the past 11 months, IE6 for Windows XP SP2 has been patched for 22 vulnerabilities, 20 of them rated critical. IE7 for XP SP2, however, has been patched only 13 times; 10 of those fixes were ranked critical. In fact, when Microsoft announced that IE7 would not be offered to users running illegal copies of XP, some analysts questioned the company's commitment to security.

This is the first time that Microsoft has removed a WGA check for a major product. Among those that still require validation are Windows Defender, the company's antispyware software, and Windows Media Player 11.

Several people who left comments on Reynolds' post wondered if there's more to the decision than meets the eye. "I am guessing that this is in reaction to Firefox's growing market share," said someone identified as Dileepa. "I am not surprised at this at all."

Mozilla Corp.'s Firefox has gained some ground on Internet Explorer since IE7's launch. According to Net Applications, a Web metrics company, Firefox's share is up by about two percentage points since October 2006, while IE's total -- IE6 and IE7 combined -- slipped by more than three points.

IE7's uptake was dramatic late last year, when it went from about a 3% share in October to 18% in December, but growth has slowed. Since April, for instance, it has increased its share by four percentage points, almost all of it at the expense of the older IE6.

The IE7 update also sports a few tweaks: The menu bar is now visible by default, for example, and a new administration kit that includes a revamped MSI installer is available to smooth corporate deployment.

Users can download IE7 from Microsoft's site immediately or wait for it to appear in Windows Update as a high-priority item. It will take several months for Windows Update to roll out IE7 to all XP customers, and anyone dissatisfied with the new browser can downgrade to IE6 by using the Add/Remove Programs control panel applet.

A blocking tool kit is still available for companies and organizations that don't use Windows Server Update Services and want to permanently prevent IE7 from automatically installing on PCs equipped with IE6.

(ComputerWorld)

Friday, October 5, 2007

UC Berkeley offers free course lectures on YouTube

The University of California at Berkeley took a dive into the Web 2.0 world with Wednesday's launch of a program that offers entire course lectures and special events on YouTube to all Internet users without charge.

Users can view more than 300 hours of videotaped courses on topics that include bioengineering, peace and conflict studies, and physics, the university said. Moving forward, Berkeley said that it will constantly expand its catalogue of YouTube videos.

"UC Berkeley on YouTube will provide a public window into university life - academics, events and athletics - which will build on our rich tradition of open educational content for the larger community," said Christina Maslach, UC Berkeley's vice provost for undergraduate education, in a statement.

Berkeley said that it is the first university to offer lectures on the YouTube site. However, it noted that it has used open-source video since 2001, when the campus's Educational Technology Services division launched webcast.berkeley.edu, a local site that now provides course and event content via podcasts and streaming video.

The university noted that the number of courses available by podcast has increased from 15 to 86 since that program was launched in April 2006.

Dan Herman, an analyst at research firm New Paradigm, blogged that while the university's YouTube project and previous podcasting efforts don't "allow for the engagement that makes academia what it is, it's a heck of an improvement over readings lists, course notes and audio recordings."

In addition, Herman noted that such programs could help improve access to post-secondary education in developing countries where budgets are focused on primary education.

(ComputerWorld)

Sun patches critical Java bugs

Sun Microsystems Inc. patched 11 vulnerabilities in the Windows, Linux and Solaris versions of its Java Runtime Environment and Java Web Start yesterday, including several rated critical by outside researchers.

The fixes to Java Runtime Environment (JRE) 1.3.1, 1.4.2, 5.0 and 6.0 plug holes that attackers could use to bypass security restrictions, manipulate data, disclose sensitive information or compromise an unpatched machine. Among the JRE bugs, Sun said in several security advisories, are two that allow attack code from malicious sites to make network connections on machines other than the victimized computer. One possible result, according to a paper by several Stanford University researchers that was cited by Sun: circumvented firewalls.

Other vulnerabilities in JRE and Java Web Start, a framework that lets Java-based applications launch directly from a browser, could be used by attackers to read local files, overwrite local files and hide Java-generated warnings.

Although Sun does not assign threat scores or label its advisories with terms such as "critical" or "low," Danish bug tracking vendor Secunia collectively tagged the five advisories and their 11 patches as "highly critical," its second-highest ranking.

Some of the vulnerabilities are limited to specific JRE versions, but pulling action items from the advisories is difficult, since Sun does not use an easy-to-understand grid, as Microsoft does, for instance, to indicate affected software. Neither JRE nor Web Start includes an automatic update mechanism; users must manually download and apply the updated versions Sun has posted on its Web site.

Mention of Mac OS X was, as usual, absent in the security advisories. Sun does not post updated editions of JRE and other Java components for the Mac operating system. Instead, Apple Inc.'s implementation of Java requires that the company provide Java fixes as part of its own security updates. That's been a sticking point with some Mac users, who have expressed concern that Apple has not updated its Java code since February.



(Computerworld)

Wednesday, October 3, 2007

Web 2.0, social networking can endanger corporate security

With the Web becoming central to the way companies do business, cybercriminals are taking increasing advantage of Web 2.0 and social networking sites to launch attacks, according to IDC analyst Christian Christiansen.

The Web isn't the benign resource for information that people once saw it as, said Christiansen, who spoke today at Kaspersky Lab Inc.'s Surviving CyberCrime conference in Waltham, Mass. "One of the things that's happened that's disconcerting -- and it's been growing over the last 10 years -- is the blending of people's private lives with their corporate lives," he said.

Employees' personal lives -- their online shopping habits and interactions with friends and families -- get intermingled with the interactions they have at work with customers, fellow employees, partners and suppliers, he said. "So that creates a perforated perimeter where there isn't a hard, fast separation between the corporate world and the personal world," he said.

The problem is that employees don't always follow their companies' security policies -- probably because they don't know what those policies are, just as they don't know what their companies' acceptable use policies are. The result: employees don't know what's allowed and what they're barred from doing. Sometimes, Christiansen said, the very people who set up the corporate policies don't even follow them.

Problems also occur when an IT department no longer controls the products being connected to the corporate network. That list could include everything from smart phones to new and untested laptop and desktop computers to various application environments, he said.

"We're seeing the realization that the internal security problem is growing -- the threats are coming from inside the network," he said.

The latest threats to network security now are coming from collaboration and Web 2.0 environments -- where employees casually click on links that could lead them to malware. And they're coming from the wide variety of devices that may be accessing private as well as corporate networks, he said.

"We're seeing a change in the threat environment," he said. "Instead of the threats -- the malicious code -- being distributed as e-mail attachments, we're seeing more and more that they're being embedded in Web 2.0 links," he said. "In the past, what you saw was an immediate effect. Now we're seeing much greater levels of subterfuge and much more sophisticated attacks."

To better avoid potential problems, IT departments need to control user behavior, the types of devices being used to access information, the applications being used and content contributions.

"Risk reduction requires policy managements and layered protection -- at the gateway to the Internet as well as at the endpoint [desktops, laptops and servers]," he said. "You need a whole series of checks and balances."



(Computer World)

Microsoft launches enterprise 'get legal' program

Microsoft Corp. amped up its antipiracy campaign today, adding a program that targets large customers that need to "get legal" after being fingered for using counterfeit or illegally-applied volume licenses.

The program, dubbed Get Genuine Windows Agreement (GGWA), plugs a hole in the company's antipiracy efforts, said Cori Hartje, the director of Microsoft's 18-month-old initiative to identify phony copies of Windows or instances of unlicensed use of the software.

"This fills in the entire picture," said Hartje. "Consumers who had been identified as running a counterfeit [version of] Windows could simply push a button and have the purchase made right then. But we didn't have a good way to programmatically address the same for larger-scale customers, particularly through the [reseller] channel."

GGWA uses Microsoft's standard volume licensing -- and therefore is designed for organizations that generally acquire the company's software through that venue -- to sell full licenses of Windows XP Professional. Most customers looking to get legal using GGWA would go through their existing channel reseller, Hartje said.

"We also wanted something like this as a turnkey for the channel," she said. "This way, resellers will be able to offer [their customers] Microsoft financing, for example, as well as other services, such as Software Assurance."

Hartje said she expects that most organizations using GGWA would do so not because they find counterfeit copies of Windows on OEM-sourced PCs, but because they have "mislicensed" systems. "After an internal review, a company may find it has, for example, 2,000 machines that it got 'naked.' And they need a way to address that."

In "mislicensing," Hartje explained, a customer misunderstands the licensing rules. They think they can purchase "naked" computers -- PCs sans operating system -- and then apply their volume licensing agreements to load Windows. "The regular volume licensing agreements like the Select Agreement or Enterprise Agreement have upgrades available for purchase, so there must be an eligible licensed copy of the Windows software already on the machine to be able to use the upgrade available in those programs."

Other companies might find they're running a large number of illegal machines if they misuse a volume licensing key or let it leak. When it identifies a leaked key, Microsoft invalidates it; subsequent activations of Windows, or in Vista and the upcoming Windows Server 2008, regular checks of Windows legitimacy, would then finger PCs as noncompliant.

"We needed to have options for our business customers so that it was easy to get full Windows licenses, to help customers who found themselves in an unlicensed situation," said Hartje.

GGWA is in addition to the still-available Get Genuine Kit (GGK) packages, which contain one or 10 XP Pro licenses, but it comes with several new provisions that strip away the anonymity of GGK. According to information posted on Microsoft's site, GGWA requires customers to sign a legalization agreement and make a commitment to legalize all out-of-compliance PCs. The legalization agreement also contains what Microsoft describes as an "audit clause." Microsoft officials were not able to immediately confirm this, but the clause would presumably be similar to the one in an Open Value volume licensing agreement. Open Value's audit clause lets Microsoft request an internal audit of all Microsoft software used in an organization.

"Enterprises who want anonymity can still purchase the Get Genuine Kit," said Hartje, "though that's cumbersome in large volume, with the packs showing up on the loading dock and having to be opened."

The new program offers Windows XP Professional licenses rather than Vista licenses, she added, because XP Professional is what's in widespread use. "XP is where we have the gap. It has a large installed base, and that's where [companies] are discovering [noncompliant] PCs."

In other words, stocking GGWA with Windows XP is not an admission that Vista isn't selling well to corporate customers. "Most people are now buying new PCs that come with Vista," she said. "And so they don't need to get another license."



(Computer World)