Friday, October 5, 2007

UC Berkeley offers free course lectures on YouTube

The University of California at Berkeley took a dive into the Web 2.0 world with Wednesday's launch of a program that offers entire course lectures and special events on YouTube to all Internet users without charge.

Users can view more than 300 hours of videotaped courses on topics that include bioengineering, peace and conflict studies, and physics, the university said. Moving forward, Berkeley said that it will constantly expand its catalogue of YouTube videos.

"UC Berkeley on YouTube will provide a public window into university life - academics, events and athletics - which will build on our rich tradition of open educational content for the larger community," said Christina Maslach, UC Berkeley's vice provost for undergraduate education, in a statement.

Berkeley said that it is the first university to offer lectures on the YouTube site. However, it noted that it has used open-source video since 2001, when the campus's Educational Technology Services division launched webcast.berkeley.edu, a local site that now provides course and event content via podcasts and streaming video.

The university noted that the number of courses available by podcast has increased from 15 to 86 since that program was launched in April 2006.

Dan Herman, an analyst at research firm New Paradigm, blogged that while the university's YouTube project and previous podcasting efforts don't "allow for the engagement that makes academia what it is, it's a heck of an improvement over readings lists, course notes and audio recordings."

In addition, Herman noted that such programs could help improve access to post-secondary education in developing countries where budgets are focused on primary education.

(Computerworld)

Sun patches critical Java bugs

Sun Microsystems Inc. patched 11 vulnerabilities in the Windows, Linux and Solaris versions of its Java Runtime Environment and Java Web Start yesterday, including several rated critical by outside researchers.

The fixes to Java Runtime Environment (JRE) 1.3.1, 1.4.2, 5.0 and 6.0 plug holes that attackers could use to bypass security restrictions, manipulate data, disclose sensitive information or compromise an unpatched machine. Among the JRE bugs, Sun said in several security advisories, are two that allow attack code from malicious sites to make network connections on machines other than the victimized computer. One possible result, according to a paper by several Stanford University researchers that was cited by Sun: circumvented firewalls.

Other vulnerabilities in JRE and Java Web Start, a framework that lets Java-based applications launch directly from a browser, could be used by attackers to read local files, overwrite local files and hide Java-generated warnings.

Although Sun does not assign threat scores or label its advisories with terms such as "critical" or "low," Danish bug tracking vendor Secunia collectively tagged the five advisories and their 11 patches as "highly critical," its second-highest ranking.

Some of the vulnerabilities are limited to specific JRE versions, but pulling action items from the advisories is difficult since Sun does not use an easy-to-understand grid, as Microsoft does, for instance, to indicate affected software. Neither JRE nor Web Start includes an automatic update mechanism; users must manually download and apply the updated versions Sun has posted on its Web site.

Mention of Mac OS X was, as usual, absent in the security advisories. Sun does not post updated editions of JRE and other Java components for the Mac operating system. Instead, Apple Inc.'s implementation of Java requires that the company provide Java fixes as part of its own security updates. That's been a sticking point with some Mac users, who have expressed concern that Apple has not updated its Java code since February.

(Computerworld)

Wednesday, October 3, 2007

Web 2.0, social networking can endanger corporate security

With the Web becoming central to the way companies do business, cybercriminals are taking increasing advantage of Web 2.0 and social networking sites to launch attacks, according to IDC analyst Christian Christiansen.

The Web isn't the benign resource for information that people once saw it as, said Christiansen, who spoke today at Kaspersky Lab Inc.'s Surviving CyberCrime conference in Waltham, Mass. "One of the things that's happened that's disconcerting -- and it's been growing over the last 10 years -- is the blending of people's private lives with their corporate lives," he said.

Employees' personal lives -- their online shopping habits and interactions with friends and families -- get intermingled with the interactions they have at work with customers, fellow employees, partners and suppliers, he said. "So that creates a perforated perimeter where there isn't a hard, fast separation between the corporate world and the personal world," he said.

The problem is that employees don't always follow their companies' security policies -- probably because they don't know what those policies are, just as they don't know what their companies' acceptable use policies are. The result: employees don't know what's allowed and what they're barred from doing. Sometimes, Christiansen said, the very people who set up the corporate policies don't even follow them.

Problems also occur when an IT department no longer controls the products being connected to the corporate network. That list could include everything from smart phones to new and untested laptop and desktop computers to various application environments, he said.

"We're seeing the realization that the internal security problem is growing -- the threats are coming from inside the network," he said.

The latest threats to network security now are coming from collaboration and Web 2.0 environments -- where employees casually click on links that could lead them to malware. And they're coming from the wide variety of devices that may be accessing private as well as corporate networks, he said.

"We're seeing a change in the threat environment," he said. "Instead of the threats -- the malicious code -- being distributed as e-mail attachments, we're seeing more and more that they're being embedded in Web 2.0 links," he said. "In the past, what you saw was an immediate effect. Now we're seeing much greater levels of subterfuge and much more sophisticated attacks."

To better avoid potential problems, IT departments need to control user behavior, the types of devices being used to access information, the applications being used and content contributions.

"Risk reduction requires policy managements and layered protection -- at the gateway to the Internet as well as at the endpoint [desktops, laptops and servers]," he said. "You need a whole series of checks and balances."

(Computerworld)

Microsoft launches enterprise 'get legal' program

Microsoft Corp. amped up its antipiracy campaign today, adding a program that targets large customers that need to "get legal" after being fingered for using counterfeit or illegally applied volume licenses.

The program, dubbed Get Genuine Windows Agreement (GGWA), plugs a hole in the company's antipiracy efforts, said Cori Hartje, the director of Microsoft's 18-month-old initiative to identify phony copies of Windows or instances of unlicensed use of the software.

"This fills in the entire picture," said Hartje. "Consumers who had been identified as running a counterfeit [version of] Windows could simply push a button and have the purchase made right then. But we didn't have a good way to programmatically address the same for larger-scale customers, particularly through the [reseller] channel."

GGWA uses Microsoft's standard volume licensing -- and therefore is designed for organizations that generally acquire the company's software through that venue -- to sell full licenses of Windows XP Professional. Most customers looking to get legal using GGWA would go through their existing channel reseller, Hartje said.

"We also wanted something like this as a turnkey for the channel," she said. "This way, resellers will be able to offer [their customers] Microsoft financing, for example, as well as other services, such as Software Assurance."

Hartje said she expects that most organizations using GGWA would do so not because they find counterfeit copies of Windows on OEM-sourced PCs, but because they have "mislicensed" systems. "After an internal review, a company may find it has, for example, 2,000 machines that it got 'naked.' And they need a way to address that."

In "mislicensing," Hartje explained, a customer misunderstands the licensing rules. They think they can purchase "naked" computers -- PCs sans operating system -- and then apply their volume licensing agreements to load Windows. "The regular volume licensing agreements like the Select Agreement or Enterprise Agreement have upgrades available for purchase, so there must be an eligible licensed copy of the Windows software already on the machine to be able to use the upgrade available in those programs."

Other companies might find they're running a large number of illegal machines if they misuse a volume licensing key or let it leak. When it identifies a leaked key, Microsoft invalidates it; subsequent activations of Windows (or, in Vista and the upcoming Windows Server 2008, the regular checks of Windows legitimacy) would then flag PCs as noncompliant.

"We needed to have options for our business customers so that it was easy to get full Windows licenses, to help customers who found themselves in an unlicensed situation," said Hartje.

GGWA is in addition to the still-available Get Genuine Kit (GGK) packages, which contain one or 10 XP Pro licenses, but it comes with several new provisions that strip away the anonymity of GGK. According to information posted on Microsoft's site, GGWA requires customers to sign a legalization agreement and make a commitment to legalize all out-of-compliance PCs. The legalization agreement also contains what Microsoft describes as an "audit clause." Microsoft officials were not able to immediately confirm this, but the clause would presumably be similar to the one in an Open Value volume licensing agreement. Open Value's audit clause lets Microsoft request an internal audit of all Microsoft software used in an organization.

"Enterprises who want anonymity can still purchase the Get Genuine Kit," said Hartje, "though that's cumbersome in large volume, with the packs showing up on the loading dock and having to be opened."

The new program offers Windows XP Professional licenses rather than Vista licenses, she added, because XP Professional is what's in widespread use. "XP is where we have the gap. It has a large installed base, and that's where [companies] are discovering [noncompliant] PCs."

In other words, stocking GGWA with Windows XP is not an admission that Vista isn't selling well to corporate customers. "Most people are now buying new PCs that come with Vista," she said. "And so they don't need to get another license."

(Computerworld)

Could Adobe be vulnerable to an AIR attack?

Adobe Systems Inc.'s moves to support rich Internet applications are exposing the software vendor -- and its developers and users -- to the threat of more Web-based malware and efforts to take advantage of security holes in its products.

"It's annoying to Adobe that suddenly they have become a target" for malicious hackers, said Chris Swenson, an analyst at NPD Group Inc. in Port Washington, N.Y.

For instance, a British security researcher claimed last month that an unpatched vulnerability in Adobe's Portable Document Format (PDF) technology could be exploited to take control of systems running Windows XP; at the time, Adobe said it was researching the reported flaw. And in January, Adobe issued a patch to fix a vulnerability in its PDF-based Adobe Reader and Acrobat software that made systems vulnerable to cross-site scripting attacks.

And then there are all the potential vulnerabilities lurking in Adobe's newer, less mature technologies, such as its still-in-beta Adobe Integrated Runtime (AIR) software.

The AIR framework enables Web applications built with HTML or Asynchronous JavaScript and XML (AJAX) to run offline. The problem, though, is that doing so exposes users of AIR-based applications to many of the same security issues that other users face, if not more of them, according to Ron Schmelzer, an analyst at ZapThink LLC in Waltham, Mass.

"The current generation of spyware, virus and malware [detection] products have no visibility into running AIR programs," Schmelzer wrote in an e-mail. "As such, there is a high possibility for malicious AIR applications -- which are no longer security-restricted to the browser sandbox and are free to manipulate local machines -- to spread into the wild."

John Landwehr, Adobe's director of security solutions and strategy, said at the company's Adobe MAX 2007 North America conference here that AIR applications are not only digitally signed to ensure authenticity, but also use security sandboxes to limit the ability of malware to take control of other applications on a compromised PC.

(ICTNEWS)

Thursday, September 27, 2007

Video security networks: IT's newest frontier

You may think you have security locked up. But unless you've brought video surveillance and building access control networks under the IT umbrella, you've still got some work to do.

"People still think of physical and information security as two separate entities. But to completely manage risk and identity you have to bring all the pieces of security together. It doesn't matter if you're talking people, products, data or data systems -- they're all assets that have to be protected," says Marene Allison, vice president of global security at Medco Health Solutions Inc. in Franklin Lakes, N.J.

Allison signed on at Medco three years ago to create a converged security application for the Fortune 50 pharmacy benefit company. With HIPAA, Sarbanes-Oxley, the Payment Card Industry Act and other mandates to comply with, she says the walls between physical and information security have come tumbling down and IT executives now are responsible for all aspects of data security. "Physical security is just one more peel of the onion skin that has to be dealt with, like firewalls and intrusion detection," she says.

In addition, she says video surveillance networks and access control are becoming more advanced and can ride on the IP network.

Moving video surveillance and access control, such as closed circuit television (CCTV) and building entry card readers, onto the IT platforms reduces both costs and management headaches for IT and physical security teams alike.

To capitalize on the possibilities, Allison merged her physical security unit with the IT security team to take advantage of each group's knowledge base. She cross-trained the teams to learn each other's security approach. Her team also upgraded the CCTV and access control technology into a single, cohesive IP-based business intelligence network using Dallas-based TAC's integrated security systems.

"We use the CCTV in conjunction with alerting methodology and more traditional IT intrusion detection to know who is touching data and data systems when," she says. By integrating her video surveillance and network access control systems with her IP network, the unified security team can now set policies that dictate how long a building door should stay open.

Real-time video

If they receive an alert that an entryway has stayed open too long, they can call up real-time video, stored video and access control information right from their desktops. In the past, they would have had to wait for the physical team to notice an anomaly in its building access reports and then search through an analog videotape to find the culprit.
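The door-held-open policy described above, as an added example that is not Medco's or TAC's code: a small detector over constructed access-control events that flags doors open longer than a per-door limit and returns the time window to pull from the video recorder. The log format, door ids, badge ids and limits are all assumptions made for the example.

```python
"""Door-held-open detector over constructed access-control events.

Assumed log format (constructed for this example):
    <ISO-8601 timestamp>,<door id>,<event>,<badge id>
where event is OPEN or CLOSE.
"""
from datetime import datetime, timedelta

# Policy: maximum seconds a door may stay open before an alert (assumed values).
DOOR_OPEN_LIMIT = {"lobby-east": 30, "datacenter-1": 10}
DEFAULT_LIMIT = 20

# Constructed sample events; the last door is still open when the check runs.
SAMPLE_LOG = """\
2007-09-27T08:00:00,lobby-east,OPEN,b1234
2007-09-27T08:00:12,lobby-east,CLOSE,b1234
2007-09-27T08:05:00,datacenter-1,OPEN,b5678
2007-09-27T08:05:45,datacenter-1,CLOSE,b5678
2007-09-27T08:10:00,lobby-east,OPEN,b9999
"""


def parse_events(text):
    """Parse log lines into (timestamp, door, event, badge), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, event, badge = line.split(",")
        events.append((datetime.fromisoformat(ts), door, event, badge))
    events.sort(key=lambda e: e[0])
    return events


def find_held_open(events, now_iso, limits=DOOR_OPEN_LIMIT, default=DEFAULT_LIMIT):
    """Return alerts as (door, badge, opened_at_iso, seconds_open, still_open).

    A door that has no CLOSE event by `now_iso` is measured against the
    current time so that a door propped open is caught while it is open.
    """
    now = datetime.fromisoformat(now_iso)
    open_since = {}  # door -> (opened_at, badge that opened it)
    alerts = []
    for ts, door, event, badge in events:
        if event == "OPEN":
            open_since[door] = (ts, badge)
        elif event == "CLOSE" and door in open_since:
            opened_at, who = open_since.pop(door)
            held = (ts - opened_at).total_seconds()
            if held > limits.get(door, default):
                alerts.append((door, who, opened_at.isoformat(), held, False))
    for door, (opened_at, who) in open_since.items():
        held = (now - opened_at).total_seconds()
        if held > limits.get(door, default):
            alerts.append((door, who, opened_at.isoformat(), held, True))
    return alerts


def video_window(alert, pad_seconds=15):
    """Time range (ISO start, ISO end) to request from the CCTV recorder."""
    _door, _who, opened_iso, held, _still_open = alert
    opened_at = datetime.fromisoformat(opened_iso)
    pad = timedelta(seconds=pad_seconds)
    closed_at = opened_at + timedelta(seconds=held)
    return (opened_at - pad).isoformat(), (closed_at + pad).isoformat()
```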

"This definitely narrows the window on solving security problems," Allison says. It also helps her prove a safe chain of command for data control, which many federal and private sector mandates require.

While Medco's approach might be cutting edge to some, a January 2007 IDC report finds a worldwide shift from analog surveillance cameras to digital network cameras. "In 2008, analog cameras will occupy 75% of the total market, yet as more usage of the network occurs for more than simple data transmission, we expect the network share to take off in 2009 and 2010," IDC says. In fact, the research firm predicts that global shipments of network cameras will increase at a five-year compound annual growth rate of 63%, moving from 540,817 in 2006 to 6.2 million in 2011.

IDC calls the use of the corporate network as a means to facilitate surveillance, security and monitoring "a natural extension of [network] capital expenditure."

Network cameras definitely offer advantages over analog cameras that transfer black-and-white images over coaxial cables to proprietary recorders with magnetic tapes. Companies then log the tapes and store them for certain periods of time before erasing and reusing them -- all of which consume human and monetary resources.

(Computerworld)

Tuesday, September 25, 2007

Lawsuit charging GPL violation is first ever

In what may be the first action of its kind in the U.S., the Software Freedom Law Center has filed a lawsuit to enforce an open-source license.

The SFLC filed the suit on Wednesday in the United States District Court for the Southern District of New York against Monsoon Multimedia Inc., on behalf of the developers of BusyBox, Erik Andersen and Rob Landley. The suit charges Monsoon with using BusyBox under the GNU General Public License version 2 but failing to publish its source code. Under the terms of the license, distributors of software that uses the licensed software must make their source code available. Failing to do so is considered copyright infringement.

BusyBox, members of the public and the SFLC legal team notified Monsoon of its responsibilities, but Monsoon has not yet published the code, said Dan Ravicher, legal director at SFLC. While it's relatively common for licensees to neglect to share their code, parties typically work through the issue without having to go to court, he said.

This case is a last resort after Monsoon failed to rectify the situation, he said. The suit is necessary because from a legal perspective, copyright owners can start to lose rights if they don't act to protect them, he said.

BusyBox is a lightweight set of Unix utilities used in embedded systems. Monsoon develops digital video products, including a Slingbox-like device that enables remote TV viewing.

If BusyBox ultimately prevails in the case, under copyright law the company is entitled to damages, an injunction prohibiting continued infringement and court costs, Ravicher said.

He believes this is the first case filed in the U.S. in order to enforce an open-source license.

The GPL Violations Project is a group that actively pursues license violators and has brought at least one case to court in Germany. Earlier this year, one of the project's team members publicly revealed violations that Cisco Systems Inc. made in its phone previously called the iPhone. Cisco subsequently corrected the problem.

Monsoon did not reply to a request for comment.

The IDG News Service is a Network World affiliate.

(networkworld.com)