FOSS Week in Review
Credit card breach at Target affects over 40 million
Merry Christmas. Your bank account has been drained.
This week’s holiday cheer was marred for millions as they learned that their banking information might be in the hands of hackers.
Target has announced that over 40 million customer credit card transactions have been hijacked since Black Friday. The data was stolen from transactions at the retailer’s brick and mortar stores. Online transactions are evidently not affected. All information contained in a credit card’s magnetic stripe has been compromised, enough information to make counterfeit cards.
The story was originally made public on Wednesday by security expert Brian Krebs on his site KrebsonSecurity. This afternoon, Krebs wrote in an update that information pilfered from Target was making its way to the black market.
“At least two sources at major banks said they’d heard from the credit card companies: More than a million of their cards were thought to have been compromised in the Target breach. One of those institutions noticed that [illegal] one card shop in particular had recently alerted its loyal customers about a huge new batch of more than a million quality dumps that had been added to the online store. Suspecting that the advertised cache of new dumps were actually stolen in the Target breach, fraud investigators with the bank browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards.
“When the bank examined the common point of purchase among all the dumps it had bought from the shady card shop, it found that all of them had been used in Target stores nationwide between Nov. 27 and Dec. 15. Subsequent buys of new cards added to that same shop returned the same result.”
A source known to us, with helpdesk experience at a Target data center in Texas, has told FOSS Force, “I’m not sure about the entire area but I know that the data center I serviced deployed Windows 2007 SP2. What they used nationally, I really don’t know.”
We imagine that a retail giant like Target might have an assortment of server operating systems deployed. Our guess is they might now be wishing they had a stronger presence on the Linux side of the street.
Former Google patent lawyer takes over U.S. patent office
We’re keeping our fingers crossed that this will be good news as far as software patents are concerned.
Reuters reported last week that former Google executive Michelle Lee will take over as deputy director of the U.S. Patent and Trademark Office (USPTO) on January 13. She will run the agency until a new director is found.
“The USPTO has been without a director since David Kappos, a former International Business Machines Corp executive, departed on February 1 to return to private practice. Acting director Teresa Stanek Rea has also left the agency.”
Apparantly, we’re not the only ones who are hoping that this will be a positive sign. In reporting the story for Wired, Klint Finley wrote:
“The United States Patent and Trademark Office is getting closer and closer to the more progressive patent attitudes that dominate Silicon Valley.”
Before this appointment, Ms. Lee headed the Silicon Valley office of the patent agency. At Google, she had been deputy general counsel and head of patents and patent strategy.
Is the NSA ready to grant amnesty to Snowden?
We don’t watch 60 Minutes much anymore, but we’ve learned from the AFP news agency that an official for the NSA told the news magazine show that he was willing to consider a deal that would result in amnesty for Edward Snowden.
“Rick Ledgett, who heads the NSA’s task force investigating the damage from the Snowden leaks, told CBS television’s “60 Minutes” program that some but not all of his colleagues share his view.
“‘My personal view is, yes, it’s worth having a conversation about’ a possible deal, said Ledgett, according to excerpts of the interview due to air [last] Sunday.
So, if Snowden was able to return home without wearing handcuffs, what would our spy agency get in return?
“But Snowden would have to provide firm assurances that the remaining documents would be secured.”
Oh, they’d just want to make sure he’d keep his mouth shut.
On Tuesday we learned from the BBC that a federal judge has ruled that the NSA’s collection of telephone data is “probably unconstitutional.” That’s good to know.
We’ve read estimates that only about 1% of the data Snowden downloaded has been released so far. The last we heard, our favorite whistle blower was petitioning Brazil to grant him amnesty.
IBM sued by shareholders over PRISM
Meanwhile, we learned on Sunday from CNET that due to the Snowden leaks, IBM is facing some problems of it’s own.
“In a complaint filed [last] Thursday in Manhattan federal court, the Louisiana Sheriffs’ Pension and Relief Fund accused the company of defrauding investors by concealing its involvement in the agency’s PRISM program, leading to a dramatic drop in sales in China. The program, which was revealed in classified documents leaked to the press by former NSA contractor Edward Snowden, allowed the agency to collect and process foreign intelligence that passed through servers belonging to US tech companies.”
So, what does IBM have to say for itself?
“‘This lawsuit seeks to confuse IBM’s support for a U.S. cybersecurity legislative proposal — which has yet to be enacted — with the completely unrelated NSA surveillance program called PRISM,’ IBM general counsel Robert Weber said…. ‘Even a cursory reading of the legislative proposal, known as CISPA, makes clear that it has nothing to do with the recently disclosed NSA surveillance program.’”
This is another of those times when we will say, “Stay tuned…”
Red Hat and Dell form cloud pact
Our favorite billion dollar Linux company has teamed up with Dell to jointly develop private clouds running the later’s hardware and the former’s Red Hat Enterprise Linux OpenStack Platform. According to a report by The Register, benefits from this deal should eventually trickle down to open source at large.
“The duo will also contribute code to the OpenStack community for the next edition of Red Hat’s OpenStack Platform, 4.0 in beta, that’ll run on the Havana release of Open Stack.”
We’ve been hoping that the privatization of Dell would move the company to more fully embrace open source. Could this be a step in the right direction?
Google joins board of Open Invention Network
On Wednesday, we learned from CNET that Google has become a board member of the Open Invention Network, which cross-licenses patents in an attempt to thwart patent threats against Linux.
In a blog post, Google’s director of open source, Chris DiBona, explained how the move benefits Linux.
“Linux now powers nearly all the world’s supercomputers, runs the International Space Station, and forms the core of Android. But as open source has proliferated, so have the threats against it, particularly using patents. That’s why we’re expanding our participation in Open Invention Network (OIN), becoming the organization’s first new full board member since 2007.
OIN protects the open-source community through a patent cross-license for Linux and related open-source technologies. The license is free and available to companies, organizations, and individual developers if they agree not to assert their own patents against Linux. OIN also defends against anti-open-source patent aggression through education, reform efforts, and its own defensive patent portfolio.
Although only a few years back Google held hardly any patents, an aggresive effort on their part to beef-up their patent portfolio for their own protection has resulted in them now holding a huge patent portfolio. It will be interesting to see how this plays into the Rockstar suit against numerous makers of Android handsets.
Antivirus that makes a computer sick
There’s a malware spreading bogus antivirus program on the loose that’s utilizing stolen signed certificates in order to get past Windows security. Called Antivirus Security Pro, we first learned of the program on Monday from PCWorld after Microsoft had posted about it on their site. The digital certificates issued by Certification Authorities are supposed to assure that downloaded software is from a legitimate developer or distributor.
“One of the certificates was issued just three days before Microsoft picked up samples of Antivirus Security Pro using it, indicating ‘that the malware’s distributors are regularly stealing new certificates, rather than using certificates from an older stockpile.’
“Microsoft noticed another fake antivirus program, which is called ‘Win32/FakePav,’ is also rotating stolen certificates.”
We’re sure there may come a day when Linux may be vulnerable to attacks such as this, but we don’t see that happening any time soon.
Have a happy holiday everybody. Until next week, may the FOSS be with you…