If you’ve ever struggled with your PC’s BIOS, or been knee-capped by a rootkit that assailed the BIOS, you undoubtedly wondered why this archaic part of every PC wasn’t scrapped long ago.

Well, be of good cheer: Windows 8 will finally pull the PC industry out of the BIOS generation and into a far more capable — and controversial — alternative, the Unified Extensible Firmware Interface.

To best understand where we’re headed, it’s helpful to look at where we’ve been. An integral part of every PC, the Basic Input/Output System spans the entire history of the personal computer — more than 30 years. The very first IBM PC had a BIOS. And despite extraordinary advances in hardware and software, the BIOS we still puzzle over today is not much different from the one in that original PC.

Essentially a miniature OS, the BIOS has a simple but critical function — when a PC powers up, the BIOS checks that all hardware is in order (the POST or “power-on self-test” sequence); fires up the full operating system on the machine, such as Windows (using OS loader code); and then hands all control of the computer over to the OS.

Although older operating systems (such as DOS) relied on the BIOS to perform input and output functions, modern OSes (including Windows) have their own device drivers and completely bypass the BIOS after they’re up and running.

These days, it’s rare that a PC user is forced to invoke the BIOS’s cryptic and somewhat enigmatic user interface. Usually, it’s in response to some near-catastrophic system failure.

The Unified Extensible Firmware Interface (UEFI) is essentially the next generation of BIOS. It’s a system that potentially offers new and more advanced control of the boot-up process. If your PC is less than two or three years old, chances are good that it already has UEFI capabilities. Chances are very good that you didn’t know that, because the hardware manufacturers have been carefully keeping the old BIOS interface as your default boot system. But that will change with Windows 8.

How UEFI is different from/better than BIOS

The standard BIOS has all sorts of problems, not least of which is its susceptibility to malware. For example, there are rootkits that hook themselves into the BIOS OS-loader code, permitting them to run underneath Windows. They’re difficult to remove and will reinfect Windows over and over.

And because the BIOS sits on a chip on the motherboard, it’s more difficult to update than an operating system or an application. So most PC users never update their BIOS, leaving the PC possibly incompatible with newer operating systems. (The early PC BIOS was hard-coded on a chip, so upgrading required replacing the entire chip or PROM.)

The UEFI is a more sophisticated system that runs before your primary OS kicks in. Unlike the BIOS, UEFI can access all PC hardware, including the mouse and network connections. It can take advantage of modern video cards and monitors. It can even access the Internet.

And as you can see in Figure 1, UEFI offers a modern, easy-to-decipher user interface. It could make dual-booting simpler, more visual, and controllable by mouse or touch. If you’ve ever played your BIOS, you discover that UEFI is in a whole new dimension.

Figure 1

Figure 1. The Asus.com website offers this view of a UEFI-interface screen — clearly, an improvement over the typical BIOS UI we’re faced with today.

Unlike the BIOS, the UEFI can exist on a disk, just like any other program — or in nonvolatile memory on the motherboard or even on a network share.

At this point, it’s important to note that systems can run either the BIOS or the UEFI — or both. When they’re both used, the BIOS goes first to run POST, then the UEFI takes over and hooks into any calls that may be made to the BIOS. (Windows typically doesn’t make calls directly to the BIOS, but other operating systems might — and the UEFI will handle them, not the BIOS.)

The UEFI can also run without the BIOS — it can take care of all OS loading/interface functions previously handled by the BIOS. The only thing the UEFI can’t do is perform the POST or run the initial setup (configuring the CPU, memory, and other hardware). PCs that have the UEFI but no BIOS have separate programs for POST and setup that run automatically when the PC is powered on.

As we all know, the BIOS initialization process — including POST — seems to take a long time. The UEFI, on the other hand, can run quickly.

Moreover, a BIOS is easily reverse-engineered and typically has no internal security protection, making it a sitting duck for malware. A UEFI can run malware-dodging techniques such as policing operating systems prior to loading them — which might make rootkit writers’ lives considerably more difficult. For example, the UEFI could refuse to run OSes that lack proper digital security signatures.

And that’s where the UEFI controversy begins.

Windows 8 will implement UEFI in new ways

Back in September, Microsoft wrote voluminously about the UEFI in Windows 8. The first post, “Reengineering the Windows boot experience,” talks about the basic ways Windows 8 will use the UEFI. (If your PC doesn’t support a UEFI, Win8 should still work fine.)

The article shows how current text-based, boot-time options, such as system repair store and image recovery, can be made more usable with a new graphical interface. The story goes on to describe how system startup could go, in seconds, from power-on to Windows Desktop without so much as flickering the screen. It also shows how dual-boot will work with a graphical face-lift.

The changes appear to be largely cosmetic, but they’re long overdue and a welcome improvement to the constrained, DOS-era recovery environments under which Windows operates.

The second article, “Protecting the pre-OS environment with UEFI,” shows how the UEFI secure boot — using Public Key Infrastructure (PKI) digital certificates — validates programs, peripherals, and OS loaders before they can run. The system can go out to the Internet and check whether the UEFI is about to run an OS that has had its certificate yanked.

If it sounds a lot like Secure Sockets Layer protection — no stranger to controversy — there certainly are similarities.

Microsoft states it will let the hardware manufacturers struggle with the difficult question of who controls the digital-signature keys. “Microsoft supports OEMs having the flexibility to decide who manages security certificates and how to allow customers to import and manage those certificates, and manage secure boot. We believe it is important to support this flexibility to the OEMs and to allow our customers to decide how they want to manage their systems.”

Still, Microsoft is ensuring that anyone buying a certified Windows 8 PC can rely on a certain level of protection from rogue OS loaders. “For Windows customers, Microsoft is using the Windows Certification program to ensure that systems shipping with Windows 8 have secure boot enabled by default, that firmware not allow programmatic control of secure boot (to prevent malware from disabling security policies in firmware), and that OEMs prevent unauthorized attempts at updating firmware that could compromise system integrity.”

The controversial side of dual boot

When those details first hit, the Linux community flew up in arms. Dual booting between Windows 8 and Linux might require a digital signature from a recognized certificate authority. That authority might be Microsoft, through its Windows Certification program, and Linux folks would have to pay the piper.

That controversy went on for a while but eventually died down (though it never disappeared) when it became clear that putting together the signature is relatively easy and not very expensive.

Then another conflagration started last week. To understand why, you have to understand that UEFI secure boot has two bail-out options. First, most PCs let you turn off UEFI secure boot entirely. You have to be sitting at the computer and do it manually, but it’s easy enough. In one of the Microsoft postings mentioned previously, the company acknowledged that hardware manufacturers could “allow customers to … manage secure boot.”

Second, there’s a provision for something called “custom secure boot mode” in which you, as a customer, can sit at your computer and type in a signature for any OS loader you darned well like. This manually created whitelist overrides the Windows 8 or third-party check, letting the UEFI run OS loaders unhindered.

You must also understand that Windows 8 will run on two entirely different hardware platforms — Intel/AMD platforms spanning the range from (ponderous!) tablets to full-size desktops, and the svelte, tablet-friendly ARM platforms. If you use Win8, one of your first decisions will be which platform you choose.

The Linux world was taken aback when researcher Glyn Moody and the Software Freedom Law Center announced last week in a blog that Microsoft is making specific demands from hardware manufacturers who intend to sell Windows 8 bundled with their ARM machines — that is, those lightweight Windows 8 tablets. The Microsoft restrictions prevent hardware manufacturers from disabling secure boot and also prevent hardware manufacturers from implementing “custom secure boot” whitelists — but again, only on ARM hardware.

In other words, if at some point in the future you buy an ARM-based tablet with Windows 8 preinstalled, you won’t be able to dual-boot with Linux or any operating system other than the ones that pass the security check. Presumably that could mean Windows 8 or some later version of Windows that Microsoft might ordain in the future.

Aside from the fact that the restrictions fly in the face of what Microsoft specifically said in September, it’s hard for me to get too worked up about them. If you buy a Win8 (ARM) tablet, you won’t be able to root it (Wikipedia definition), and you may not be able to upgrade it. You’ll just have to take that into account when you think about buying one — assuming Microsoft is up-front about the limitation and mentions it to consumers.

Intel-based Windows 8 machines — even tablets (including tablets that run only the Metro interface) — aren’t hobbled by those ARM restrictions. At least at this point, Intel/AMD machines are, in fact, required to allow multibooting (with signed operating systems) and even to replace Windows 8 with an OS of your choice. It remains to be seen whether Microsoft’s going to change its mind about that distinction.

Related Article: Windows 8 hardware rules ‘derail user-friendly Linux’

Source: © 2012 Windows Secrets

When your having a bad day or feel that you may be a little bit strange or weird, see what other people have to say. What is your little secret?

Twitter spam is probably the most common (and annoying) out of all the social networks. Below is an infographic showing the types of spam to affect Twitter and a little description about each one.

Twitter really needs to do more to stop the spamming from idiot users, unwanted business products, DMs and bots.

If you’re used to working with version control systems like CVS, Subversion or Git in order to keep track of changes to your code, then you will be well aware that changes to binary files such as images, just can’t be tracked in the same way.

Sure, there is no problem storing your binary data within any of these version control systems, but existing strategies either simply store the whole binary file in a single chunk, or store binary deltas. Both approaches consume significant amounts of disk space, and obscure the actual changes that have been performed within the file, defeating the real advantage of using any revision control system.

That’s why I was really excited to see the Microsoft Research group hard at work on the problem. Actually, probably the most refreshing thing about their research is that they are using the open-source graphics editor, GIMP, as their tool of choice in order to perform their research.

The Microsoft team set about tracking changes made to an image within a DAG (directed acyclic graph). This allowed them to track the individual editing operations, as well as the spatial and temporal relationships between each operation. These graphs could then be converted to standard RevG (revision graph) format.

This provides an intuitive interface to perform all of the common revision control operations including things like ‘review’, ‘replay’, ‘diff’, ‘branch’ and ‘merge’. It also provides a neat way to track creative processes within digital artwork.

The general approach that the team took involved developing a plugin for GIMP that could keep track of operations on-the-fly and built the DAG as different actions were performed. This, in itself, is not so exciting. After all, nearly every image editing application these days records your session history, making it possible to undo and redo actions.

Exporting this information as a graph that can be integrated into a functioning revision control application so that it is possible to open a version of the image at any point during its development, however, is definitely new. What is significant here is that the DAG only contains a faithful history of the operations performed by the user, and not any of the binary data itself.

While the DAG file itself can grow quite large and complex, so that it may not make sense to anybody reviewing the version history of a particular image, the team have worked out a way to represent the information within a revision graph which can be exposed to the user with a thumbnail of the image during each phase of its history.

The revision graph is capable of presenting non-linear information such as revision branching in a coherent and unified display. This means that by using the revision graph, you are able to perform all of the major functions that are available to you through any normal revision control system.

The RevG representation of the image data has been built into a very user friendly and intuitive interface that allows an end-user to quickly navigate through the entire revision history of an image, with the option of exploring different levels of detail in terms of the different operations performed at any point within the history. This UI has been built tightly integrated into GIMP so that when you click on any revision node within the graph, it highlights the areas of the image that were affected by that revision.

In order to display differences between revisions, you can either rely on this mechanism itself, or you can take advantage of a separate diff tool that actually play through both revisions in order to see the different changes that were made in each image. This will certainly help in collaborative environments where it is possible that you may need to perform merges and conflict resolution.

In fact the team have also developed a ‘merge UI’ that allows you to see each of the images that you intend to merge, and a preview of the resulting merged image. This really opens up the possibility of proper collaborative image editing, so that two artists can work on different portions of the same image at the same time and then simply merge their changes.

Unfortunately, the work that has been done so far has been so deeply integrated with GIMP that it does not provide a universal mechanism that can be used by any arbitrary image editing software. Nonetheless, the groundwork has been done, and certainly if the major software vendors can get it together to agree on a standard based on this research, the way is paved to finally bring realistic revision control to image editing software and this will transform the way that designers work within any commercial studio.

If you want to read the actual research paper, you can pick it up at Microsoft Research. That reminds me, the next time I hear any geeks openly bashing Microsoft, this is the paper I will point them to.

Last night at roughly 8:17pm New Yorkers got a chance to experience ‘Manhattanhenge‘, the semiannual occurrence where the setting sun aligns perfectly with east-west streets.  If you missed it don’t worry though, a second date this year is expected to take place on Monday, July 11 at 8:25 p.m.

I so wish I lived in New York.

For anyone familiar with the movie The Day After Tomorrow you will have seen the effects of Supercooling.  This happened thousands of years ago in Antarctica. It happened before, It will happen again.

The annual mean temperature of Antarctica is below 0c (freezing temperature of fresh water). Salt water has a lower freezing point, depending on the concentration. Antarctica is by far the coldest continent and some places reach -90c. So imagine how cold it must have been to have frozen this salt water instantly.

More cool Photo’s Here.

Mozilla has released the first publicly available beta of Firefox 5, which acts as a halfway house between the final stable, final release of Firefox and the developmental version, Firefox Aurora. The beta version offers a more stable environment than Aurora in which to road-test developmental features before they’re implemented into the next final release.

On the surface there’s little to differentiate Firefox 5 from Firefox 4 in this beta release, which installs over the top of any existing stable release, but it does feature the new Firefox Channel Switcher that allows users to move between developmental and stable versions of Firefox from a convenient dialog box.

At time of testing, the Firefox Channel Switcher only works when switching users from the Beta channel to the Aurora alpha channel. However, while Firefox Aurora is designed to be installed alongside the beta or stable version, switching to Aurora from the Firefox Channel Switcher actually overwrites the Beta version.

The Beta version also showcases the same Feedback button that’s present in Aurora, and which is designed to encourage users to report bugs as well as general feedback about the build they’re currently using.

The final release of Firefox 5, scheduled for late June, will also coincide with Mozilla’s decision to forcibly upgrade the 12 million remaining Firefox 3.5 users to version 3.6 in a move that effectively signals the end-of-life for version 3.5 of the browser. In the meantime, Firefox 5 Beta is a free download for Windows, Mac and Linux users, but remember that it will install over the top of any existing stable Firefox application, so use with caution. To revert to an earlier stable version, simply install this over the top of the beta version.

Download Firefox 5 Beta

Firefox 5 Beta and add-on compatibility

When Mozilla push an update containing Firefox 5 to users on the beta channel, one major concern is add-on compatibility for existing Firefox users. If all your addons are up to date then you simply need to turn off the Add-on Checking. Here’s how:

By default Firefox 5 will not allow you to install these incompatible add-ons (this is the same for all previous versions). But you can install them using the small hack in the config file for Firefox 5. To do that, type about:config into the address bar, and hit Enter or Go. When promoted with a “This might void your warranty!” warning, click on I’ll be careful, I promise! button.

Now right click on any open space and then select New -> Boolean.

This will bring in a popup and in the box enter extensions.checkCompatibility.5.0 as the preference name.

In the Boolean value, select false and click OK.

Now try installing the add-on which was not compatible, you can see add-ons work perfectly now. Be warned that incompatible add-on can cause Firefox to crash or become unstable.

If your add-ons are not compatible after this, then you will need to alter the max version number in the actual add-on:

Open the file xpi extension with WinRar, then extract the file install.rdf (but keep the WinRar window open) and open the .rdf file in notepad; where is says ‘maxversion’ change it from 1.0 (or whatever version it says) to 5.0. Save this change,  then drag the file back into the open WinRar window. Then drag the file into Firefox to install it.

Most people will never be exposed to photos of children being sexually abused by predators. But images of that abuse can be found in dark corners of the online world, where networks of child abusers and child-pornography consumers produce and propagate photos of children being victimized.

This week, Microsoft is donating a new technology to the National Center for Missing & Exploited Children (NCMEC) that has the potential to make a drastic difference in the fight against the spread of child pornography online.

The technology, called PhotoDNA, was initially created by Microsoft Research. It was further developed by Hany Farid, a leading digital-imaging expert and professor of computer science at Dartmouth College, to help NCMEC in its efforts to find hidden copies of the worst images of child sexual exploitation known today.

Ernie Allen, president and CEO of NCMEC, says child porn is a problem that had all but disappeared in the late 1980s — the U.S. Supreme Court had ruled that it was not protected speech, but instead constituted child abuse. Law enforcement had cracked down on its distribution and importation.

Then along came the internet.

“Twenty years ago we thought this problem was virtually gone,” Allen says. “As wonderful and powerful as the Internet is, it has created an opportunity for people to network with others of like interest, and to access content in the privacy of their own homes that would have formerly put them at risk to acquire.”

Today, says Allen, the problem is exploding. Since 2003, NCMEC has reviewed and analyzed almost 30 million images and videos of child pornography. These photos of sexual abuse are seized from pedophiles who both trade in the illegal images and form communities that reinforce their shared interest in children.

Allen says that the NCMEC cyber-tip line has handled 750,000 reports of child sexual exploitation and child pornography from the public and Internet service providers. “We’re currently reviewing 250,000 images every week,” Allen says. “So this is a massive problem.”

Tracking the Traffic With PhotoDNA

NCMEC has worked with law enforcement to identify many of the worst images of child sexual abuse and exploitation. As they are passed from pedophile to pedophile, many of these images surface repeatedly during child pornography investigations. “Our goal is to stop that victimization,” Allen says. “Using PhotoDNA, we will be able to match those images, working with online service providers around the country, so we can stop the redistribution of the photos.”

The basis for PhotoDNA is a technology called “robust hashing,” which calculates the particular characteristics of a given digital image — its digital fingerprint or “hash value” — to match it to other copies of that same image. “Like human beings, every photo is a little different,” Allen says.

The weakness in most common forms of hashing technology is that once a digital image has been altered in any way — whether by resizing, resaving in a different format or through digital editing — its original hash value is replaced by a new hash. The image may look exactly the same to a viewer, but there is no way to match one photo to another through their hashes.

During the course of working with NCMEC, Microsoft researchers became aware of that weakness in the hash value detection and resolved to overcome the obstacle in tracking down images of abuse. That’s when the company enlisted the help of Dartmouth’s Hany Farid, a noted expert in digital forensics technology.

For the past 10 years, Farid’s Dartmouth lab has been developing mathematical and computational tools to determine whether digital media is authentic. The expertise he’s developed has applications for the media, national security, law enforcement and consumers themselves.

“Everybody’s aware that you can manipulate digital images, sounds and video. What we’ve been trying to do is bring some trust back to that underlying media. That’s been the thrust of my lab here at Dartmouth,” Farid says.

Microsoft Research created the underlying technology for PhotoDNA. It then collaborated with Farid to further develop the technology for use by NCMEC and online service providers.

“The problem was that that the signature was extremely fragile — the tiniest change to the image and the signature would be completely different,” Farid says. “The PhotoDNA technology extends the signature to make it robust and reliable, so that even if you change the image a little bit, we can still find it.”

Farid says another challenge to the task faced by NCMEC is simply finding the images among the billions of pictures floating around the Internet. But he says PhotoDNA’s ability to automate the search will help NCMEC and online service providers get over that hurdle as well. Because the amount of data in the PhotoDNA is small, it allows large data sets to be searched for matches very quickly.

“If I laid down in front of you a couple of billion images and ask you to hand me the ones that are inappropriate, you can imagine the scope of that problem,” Farid says. “And so we have been developing technology that can pluck out those inappropriate images from a sea of billions in a very fast, very reliable way.”

Giving Law Enforcement New Leads

Once NCMEC assigns PhotoDNA signatures to known images of abuse, those signatures can be shared with online service providers, who can match them against the hashes of photos on their own services, find copies of the same photos and remove them. Also, by identifying previously “invisible” copies of identified photos, law enforcement may get new leads to help track down the perpetrators.

“NCMEC is equipped to make the PhotoDNA tool available to law enforcement agencies, online service providers and others working with NCMEC to disrupt the ability of predators to use the Internet to exploit children or traffic in child pornography,” Allen says.

Brad Smith, Microsoft’s general counsel, says the company will be working to implement PhotoDNA in the coming months on online services such as Bing and Windows Live, along with other online service providers looking to help disrupt the spread of these photos online.

“We believe the ability to move faster and be more efficient can make a real difference in addressing the problem,” Smith says. “This is an opportunity for us across the technology community to partner closely with the National Center for Missing & Exploited Children to use this technology. By combining our efforts, we can have a much bigger impact.”

Phishing has been around for a while now. Longer than most of you think, and over the next year or so, its going to get worse. Can you detect a Phishing site or Scam? Are you protected…

What is Phishing

OK, for those of you who don’t know what phishing is, here’s a quick overview. This exploit originates via email and typically requests account information, such as usernames or passwords, a situation that could easily lead to identity theft. According to the United States Federal Trade Commission, nearly 255,000 cases of identity theft were reported in 2003, most of them attributed to the crime of phishing.

Phishing now crosses over to the web, where fake websites are created that look like legitimate sites like Banks. You fill in your details as usual to check your online banking account, only to be redirected to your original bank. Whats actually happened here is that you have entered all your information into a fake website that now has your login details. These are then used to steal your identity or funds from your bank.

What can be done to protect yourself?

Well, here’s a security concept for everyone: “if you can’t do it securely, then don’t do it at all.”

This particularly applies when it would be far more “convenient” to do it in an insecure fashion. I’m not talking convenience here, I’m talking security. So, how this applies to phishing is, don’t use email to send links or account information. Some sites are sort of getting around to this. One such is eBay. Now eBay will include a copy of all legitimate correspondence they send you in your email account at eBay.

Of course, the problem is if someone can match their website close enough to fool you into entering you eBay username/password on their server and do a man-in-the-middle attack on your account (and including their own phishing email in what you see) you’re still 100% compromised. And all that takes is time and skill to set up.

Given the limits of email right now (including SPF and such), it is impossible for the average user to know whether or not a specific email is legitimate or not. Sure, www.ebay.com is easy to verify, but is www.myebaysecurity.com also legitimate? Should I click on the enclosed link? SPF, rDNS, and everything else can confirm that that IP address is legitimately assigned to that name.

So, the easiest solution would be to not send email with links. Yes, I am aware that this will mean the end of the cute HTML email ads that you send/receive. That’s the part about “if you can’t do it securely then don’t do it at all.” There’s no use in crying about what you can’t do if you can’t do what you want to do in a secure fashion.

It’s 2005 and the technology has advanced enough for any financial site (that means any site that involves money being exchanged) to run its own web-email-type system. They wouldn’t even need it to be SMTP-capable. It would only be used for outside people reading their email from that business and sending email to employees inside that business and for employees at that business to send/receive email from the clients connected to it.

This isn’t to say that you’d have to check that email account all the time to see if you have email. Again, this is 2005. We have all kinds of means of alerting people when they need to check something. We can send a text message to their pager or mobile phone, we can leave a voice message on their pager, cell phone or home phone. It would even be possible to send a text only email without any links telling them that they have email at such-and-such bank/auction site/wherever and that they should go there to check it. Since they should already know the web site name (they have used it before, right?) they shouldn’t need to have it spelled out for them in the email.

It is economical for a bank to have a computer call phones and leave voice messages if you need to contact the bank (they already do this) but it is not economical for the phishers to do that (even if they’re running Skype or whatever). And it gets even easier if the bank (or whatever) allows you to choose the text message to be sent to your pager/cell phone.

The best part is that this would not require 51%+ of the email servers to be upgraded or modified or anything else. For this to work for a specific bank/site it would only require that they change. And the technology is 100% available (and Open Source) today.

It should be noted that this does not in any way describe any method for securing financial transactions done over the Web. This is just a method to kill phishing attempts and the losses associated with successful compromises.

Read more about Phishing here: http://en.wikipedia.org/wiki/Phishing

Note: I published this article earlier in the year and I have decided to re-post it due to demands I’m getting from people finding me from this site: http://www.realtime-websecurity.com – Since I re-designed my blog, I had removed this article, hence the re-post.