Posts tagged ‘online’

ActiveX At It Again – Another IE Security Hole Found

It seems like just the other day that Microsoft was hit by a not-actually-zero-day vulnerability in IE, exploited through an ActiveX control for video.  Why "not actually"?  Because the bug had been reported to Microsoft ages before the attacks started, and Microsoft simply hadn't gotten around to releasing a patch.

Well, Microsoft has been hit again.  Yes, in IE.  Yes, in yet another ActiveX control.

This time it’s not video though, it’s Office Web Components.  Yippee!  The vulnerability is in an ActiveX control used to display Excel spreadsheets on web pages.  Attacks are reportedly under way in China, but could hit people anywhere else any day now.

Of course I’m not exactly sure just why someone would be looking at an Excel spreadsheet in Internet Explorer when there’s, you know, Excel.  But hey.  It’s a security hole.  If you use IE, you’re potentially at risk, although it’s been said that Vista’s added security features do board up this particular hole.

It’s particularly concerning, however, because the disclosure came a little too close to Patch Tuesday for a fix to make it into this month’s batch.  So it’ll be at least a month until we see a patch.

So be warned.  Be wary.

And for goodness sake Microsoft, give us some patches already!

Eve Online – CEO of In-Game Ebank Banned From Game

Eve Online, one of the biggies in MMO gaming, has just banned Ricdic (AKA Richard), one of the CEOs of the game’s in-game Ebank, from the game.  And not entirely for the reason one would think.

Yes, it’s true, he embezzled some 200 billion odd InterStellar Kredits (ISK) from the bank.  But that wasn’t why he was banned.

No, Ricdic was banned for selling the in-game money to other players for real money, in this case about AU$6,300 (he is an Australian tech worker), which comes to about five grand in US dollars.  But the amount isn’t all that important.  It was the selling of in-game money for real money that breached Eve Online’s terms of service, forcing them to give him the boot.

So why’d he do it?  For fame and profit?  Nope.  Nothing so easy to hate him for.  He did it to cover some of his son’s medical expenses.

Right then.

There are just so many things wrong with this picture that it’s really hard to make heads or tails of this scandal.  Proof once again that the world is rarely black and white, no matter how old your monitor is.

Craigslist Turns “Erotic Services” Into “Adult Services” – Well What Did They Think They Were In The First Place?

Craigslist – Know it.  Love it.  Hate it.  Ignore it.  Whatever you do with it, it’s there, and apparently staying.  For those who don’t know what it is, Craigslist is a mostly free internet-classifieds website where you can look for jobs, advertise your garage sale, meet local singles, and do basically everything traditionally done in print.  There is, however, a controversy the law is still struggling to get a grip on: the Craigslist “Erotic Services” section.

In the Craigslist “Erotic Services” section you can find many a thinly veiled advertisement for quasi-legal services under the guise of massage or escort.  And allegedly, sometimes, you’ll even find a bit of outright illegal prostitution.

Craigslist founder Craig Newmark and Craigslist CEO Jim Buckmaster have so far refused to do much of anything about it, in spite of demands from state and local law enforcement across the US.  They point out that Craigslist already has a means for users to flag “inappropriate” advertisements.  And, just recently, they implemented required phone verification and credit card authorization for all “Erotic Services” listings, which they say reduced illegal sex-trade advertisements by 95%.  Surely they’re doing enough?

Well, perhaps not.

Especially after the alleged “Craigslist Killer” – Philip Markoff of Quincy, Massachusetts – and his “erotic services” crimes, with new pressures and lawsuits piling up, Craigslist is finally making a significant change.  The “Erotic Services” section is being removed.  No more postings to that section will be accepted.  And in seven days, it will be removed entirely.

“Great!” you say?

Well, perhaps not.

A new “Adult Services” section will be taking its place on Craigslist.  Advertisements posted will cost $10, with a $5 renewal fee to keep them there.  Oh, and supposedly now each posting will be “manually reviewed”.

Hmm.  Yes.  I can almost see how that might make a small difference…  Maybe.

I suppose the real question is, will it make any legal difference?  Can Craigslist be said to be performing due diligence?  Were they ever really legally responsible in the first place?  And more to the point, do either of those questions actually matter?  Time and again we have seen “legal” but morally questionable online businesses attacked with prejudice by a judicial system which, in the process, re-invented the law to its own liking while setting dangerous precedents.  That’s the problem with such flexible legal systems.  Law doesn’t necessarily have to be written.  It just has to be bent to the will of popular discontent.

So what does the future hold for Craigslist and its support for thinly veiled prostitution advertisements?  Only time will tell.

Being Bitten Bytes! – Of Spiders, Security, And Taxes!

Last night my thumb was all itchy, red, and a little swollen. But I was exhausted and managed to get to sleep anyway. This morning it was down to a little itchy bump. An itchy bump with two little holes. I’d been bitten!

Most likely it was a spider. Dastardly little critters! It’s no wonder I hate them. And wasps. Both for the same reason. They likes to hurtses us. They hateses us, my Precious…

But as annoying as a little spider bite is (and obviously it couldn’t have been all that venomous a spider if I’m still alive to talk about it), there are worse things biting innocent people out there.

Take, for example, the UK’s most popular Wi-Fi router, the BT Home Hub. GNUCITIZEN has already found a VoIP hijacking vulnerability in this router, along with a way for attackers to bypass its password protection. Both of these vulns were fixed quickly by BT after disclosure. Still, not a great sign of secure gear.

But now GNUCITIZEN has found yet more insecurity in this ever so popular wireless networking product. WEP is a rather weak form of encryption to begin with, but in the BT Home Hub it’s apparently even worse than that. Thomson/Alcatel (the equipment manufacturer) uses such a weak algorithm for generating the default key that it can be guessed in an average of about 80 attempts. GNUCITIZEN has even written a simple program to prove the point, and it requires no special hardware or software to crack the UK’s favourite Wi-Fi router, which ships set to WEP by default. Does anyone see a problem here?

Right. Well, standard practice for security-minded people is, of course, to switch to the strongest encryption the device offers. On the Home Hub that means WPA. (There is WPA2, which is far more secure, but it isn’t available on this device.) But wait. Remember that weak key-generation algorithm? Yep. You guessed it. When you keep the default key, the WPA setting is just as easy to crack, because it is the same predictable key. Oops.

Fortunately, the WPA setting lets you use a key other than the default. You can enter your own. You can set it to a random key. Whatever, just so long as it isn’t the default key. That is sound security advice anyway, but it’s rather awful that the BT Home Hub is such an insecure device that you actually need to do this. As always, security starts with an intelligent user. Never settle for defaults.
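As an added illustration (not GNUCITIZEN’s tool and not the real Thomson/BT derivation, whose details this page does not give), here is a toy model in Python of the general failure described above: the vendor derives both the broadcast SSID suffix and the default key from a small serial-number space with one hash, so an attacker who can see nothing but the SSID can enumerate the serials and end up with a short list of candidate keys. The serial format, the hash, and the production window are assumptions made for the example; the random key at the end is the fix the paragraph above recommends.

```python
"""Toy model of a predictable default Wi-Fi key (hypothetical scheme).

This is NOT the real Thomson/BT algorithm. It models the class of flaw:
a default key that is a deterministic function of a small, partly public
identifier, so knowing the public part shrinks the key search to a handful
of candidates.
"""
import hashlib
import itertools
import secrets
import string

UNIT_ALPHABET = string.digits + string.ascii_uppercase   # base-36 unit id (assumed)
YEARS = ("06", "07")                                    # assumed production window
WEEKS = range(1, 53)


def serial_space():
    """Every serial the toy vendor could have printed: CP + YY + WW + two base-36 chars."""
    for year in YEARS:
        for week in WEEKS:
            for unit in itertools.product(UNIT_ALPHABET, repeat=2):
                yield f"CP{year}{week:02d}{''.join(unit)}"


def derive(serial):
    """Vendor side: one SHA-1 of the serial yields both the SSID suffix and the key."""
    digest = hashlib.sha1(serial.encode()).hexdigest().upper()
    ssid_suffix = digest[-3:]   # 12 bits, broadcast in the network name (e.g. "HomeHub-ABC")
    default_key = digest[:10]   # 10 hex digits: a 40-bit WEP key, reused as the WPA passphrase
    return ssid_suffix, default_key


def candidate_keys(observed_suffix):
    """Attacker side: only the broadcast SSID suffix is needed, no special hardware."""
    keys = set()
    for serial in serial_space():
        suffix, key = derive(serial)
        if suffix == observed_suffix:
            keys.add(key)
    return sorted(keys)


def random_key(nbytes=16):
    """Hardened alternative: a key that is not a function of anything the router broadcasts."""
    return secrets.token_hex(nbytes).upper()


def demo(serial="CP0717K9"):
    """Show how far the observed SSID suffix narrows the search for this (constructed) serial."""
    suffix, real_key = derive(serial)
    cands = candidate_keys(suffix)
    total = sum(1 for _ in serial_space())
    return {"total_serials": total, "candidates": len(cands), "real_key_in_list": real_key in cands}


if __name__ == "__main__":
    print(demo())
    print("a key that cannot be predicted from the SSID:", random_key())
```

Running it shows roughly 130 thousand possible serials collapsing to a few dozen candidate keys, the same shape as the 80-guess figure quoted above; the exact count depends on the assumed serial space. The point of `random_key` is that the key is no longer a function of anything the router broadcasts, so the only candidate set is the whole key space.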

While we’re on the subject of things that bite, let’s jump back across the pond to the “wonderful” state of New York. Or perhaps they’re trying to change their name to New Pork?

The New York Pork legislature has approved a frightening new law that would force big online retailers like Amazon.com to collect sales tax on all goods shipped to NY. Yes, you read that right. These businesses have no physical presence in the state, but they would be forced to collect taxes for the state anyway.

You see, in 1992 the Supreme Court ruled, in a case involving a mail-order business, that a state can only require businesses with a physical presence in that state to collect its sales tax. Anyone buying from an out-of-state seller is instead supposed to declare the purchase and pay the tax with their own return for that year. And so life went on, to the point today where most people never pay tax on their online purchases, as they conveniently “forget” to declare that printer ink, book, or sun dress when taxes come due.

New York, apparently, has grown tired of not receiving its due. So, in spite of common decency and the way things are done in every other state across the entire United States of America, New Pork is passing a law that says even businesses with no warehouses or offices in the state must still collect taxes for it. So now, in theory at least, every resident of New York will always pay sales tax on online purchases. And by that same theory, every mail-order catalog will also have to charge citizens of New Pork sales tax.

Call me crazy, but I expect this one to be fought.

Vernal Equinox – Nature Kicks Technology’s Butt

It’s the Vernal Equinox. Yay! Winter is officially over! (In theory. Looking out your window may reveal different results.) Personally, I’m already seeing flowers bloom and rain fall like mad. There’s not a speck of snow on the ground. Spring has sprung!

The Vernal Equinox in the cycle of the seasons.

But while Mother Nature is doing her best in spite of our efforts to poison the Earth and bring about “Global Warming”, technology has taken a few serious blows. Oh my! Is it some nefarious plot by nature to reclaim her power over us? I’ll let you decide.

Pennsylvania, the state you may remember as being previously bone-headed when its roads iced up, shutting down major highways and even the famous state turnpike all night long with many stranded motorists, while PA state officials said things to the tune of “the roads aren’t being salted because ice gives more traction”, has done it again.

Every voter registration form completed online in PA was available for anyone to view, including all of the information on it: name, date of birth, driver’s license number, and political party. All it took was changing the unique-number parameter in the URL of the voter registration site to a different number. Since each online registration is given a unique number, to view someone else’s you simply changed that number to another one. Walk through every possible number and you’ve walked through every online registration. Can we say “Oooops!”? Once again PA proves its genius to the world and renders online voter registration unsafe for everyone in the state.
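The enumeration described above, as an added illustration in Python that is not the state’s code: a toy in-memory registration site with the same flaw (a small numeric id in the request and no check of who is asking) next to a hardened version that addresses records by an unguessable handle and checks that the requester is the session that submitted the form. The records, session ids, class names and function names are all constructed for the example.

```python
"""Enumerable record ids (insecure direct object reference) vs. a hardened lookup.

Constructed data and hypothetical handler names; not the real site's code.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Registration:
    name: str
    dob: str
    dl_number: str
    party: str


# Constructed sample data: made-up people, made-up licence numbers.
SAMPLE = [
    ("sess-A", Registration("A. Voter", "1970-01-02", "12345678", "D")),
    ("sess-B", Registration("B. Voter", "1981-03-04", "23456789", "R")),
    ("sess-C", Registration("C. Voter", "1992-05-06", "34567890", "I")),
]


class VulnerableSite:
    """Sequential ids and no ownership check: ?id=1002 returns someone else's form."""

    def __init__(self):
        self.records = {}
        self.next_id = 1001

    def submit(self, session_id, reg):
        rid = self.next_id
        self.next_id += 1
        self.records[rid] = reg
        return rid                      # this number goes straight into the URL

    def view(self, session_id, rid):
        return self.records.get(rid)    # session_id is never consulted


class HardenedSite:
    """Unguessable handle plus an ownership check bound to the submitting session."""

    def __init__(self):
        self.records = {}
        self.owner = {}

    def submit(self, session_id, reg):
        handle = secrets.token_urlsafe(24)   # 192 random bits: not enumerable
        self.records[handle] = reg
        self.owner[handle] = session_id
        return handle

    def view(self, session_id, handle):
        if self.owner.get(handle) != session_id:
            return None                      # same answer for "no such handle" and "not yours"
        return self.records[handle]


def scrape(site, ids, session_id="sess-X"):
    """Attacker: walk a candidate id space from an unrelated session and keep every hit."""
    found = {}
    for i in ids:
        rec = site.view(session_id, i)
        if rec is not None:
            found[i] = rec
    return found


def demo():
    """Returns (records leaked from the vulnerable site, from the hardened site by guessing,
    from the hardened site even with the real handles, and a legitimate owner lookup)."""
    vuln, hard = VulnerableSite(), HardenedSite()
    for sess, reg in SAMPLE:
        vuln.submit(sess, reg)
    handles = [hard.submit(sess, reg) for sess, reg in SAMPLE]
    leaked = scrape(vuln, range(1000, 1010))        # walks straight through every record
    guessed = scrape(hard, range(1000, 1010))       # numeric guesses hit nothing
    stolen = scrape(hard, handles)                  # even known handles fail from another session
    legit = hard.view("sess-B", handles[1])         # the owner still sees their own form
    return len(leaked), len(guessed), len(stolen), legit.name


if __name__ == "__main__":
    print(demo())
```

The random handle on its own only removes enumeration; the ownership check is what stops a handle that leaks in a log, a referrer or a shared link from being used by someone else. Returning the same `None` for a missing handle and for a handle owned by another session avoids confirming which handles exist.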

State of Pennsylvania online voting registration has been hacked.

Meanwhile the US military has run into yet another nasty snag in its efforts to crossbreed a helicopter and an airplane. The V-22 Osprey is having problems with its AE1107C “Liberty” turboshaft engines, made by Rolls-Royce. The engines simply wear out too fast, making it costly and difficult to keep the Osprey in the skies. Development problems are nothing new for the V-22, but this is certainly no boon for it.

V-22 Osprey crash