Tuesday, July 26, 2005

Microsoft, Google in sky fight

Internet companies have taken to the skies in a battle for aerial supremacy.

On Monday, Microsoft introduced a preliminary online feature that combines street maps with photographs taken from airplanes and satellites. The product, MSN Virtual Earth, is intended to give users more detailed driving directions and an easier way to search for local businesses.

The release follows Google's recent foray into aerial imagery, including last month's preliminary introduction of a free three-dimensional mapping service, Google Earth. After downloading some software, users can zoom over cities and mountains like a bird.

Google, in Mountain View, also has made aerial photographs available in its maps area. A new hybrid button introduced Monday allows the maps to be overlaid on satellite and airplane imagery, similar to what is available on Microsoft's Virtual Earth.

Both Google's and Microsoft's services allow users to enter search queries by address and business type and have those locations indicated on an aerial image. Roads and driving directions also can be overlaid on the photographs.

Additional features are available on Microsoft's Virtual Earth to save and share searches. Wireless Internet users can automatically have their location plotted for them on a map based on their proximity to wireless access points or based on their Internet IP address.

MSN Virtual Earth is available at virtualearth.msn.com.

Gary Price, a librarian who is an editor for SearchEngineWatch.com, said that the focus on aerial imagery is more of a case of companies trying to impress users with gee-whiz technology than anything else, at least for now. He said the feature would be a lot more useful if users could click on an image for data such as census information about the neighborhood shown.

"I've been a map geek since I was only 3 years old," Price said. "It's cool stuff, but I don't think that seeing an image from the air is going to make me go to a store and buy something."

Google and Microsoft are engaged in a major battle over Internet users. Each has unveiled a series of features designed to keep users loyal and grab a bigger share of the lucrative search-engine market.

Yahoo, in Sunnyvale, also is a major competitor, though its executives have yet to express any interest in aerial images. Amazon.com offers street-level photographs of businesses through its A9.com search engine.

Aerial mapping isn't new to the Internet. TerraServer, a Microsoft-owned site, has been available for years, and so has another Web site, TerraFly.

The point of aerial images on the Internet -- in addition to the utility for users -- is the potential for local advertising. For example, a user who types in a search for cars while looking at a view of the Bay Area gets a sponsored link for a car rental company below Yellow Pages listings for different automotive related businesses.

Aerial photographs used by Microsoft and Google can be outdated. On Microsoft's service, an overhead view of Apple Inc.'s headquarters in Cupertino showed only one building instead of the sprawling campus of 11 buildings.

Microsoft spokesman Chris Warfield explained that Virtual Earth is being released as a test and that images will be updated regularly. Images of Cupertino, he said, come from the U.S. Geological Survey and were taken in 1991 and 2004.

"That wasn't a prank or anything intentional," Warfield said.

In the fall, Microsoft plans to make 45-degree views of some cities available on Virtual Earth to give users a better sense of individual neighborhoods.


source:http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2005/07/26/BUGM6DTAOU1.DTL&type=business


Microsoft introduces compulsory Windows piracy checks

Microsoft has gone live with its blocking technology that will require people to validate their copies of Windows before being allowed download access to updates.

The novelly titled Genuine Advantage 1.0 program will check that anyone accessing Windows Update, Microsoft Update for Windows or the Microsoft Download Center has a genuine Windows operating system before allowing any downloads. Security updates will however be exempt from the ban.

Microsoft has been testing the program since September and has validated more than 48 million systems so far, said David Lazar, director of Genuine Windows for Microsoft. Until now the program has been voluntary.

Customers who discover they have a counterfeit copy of Windows will either be given a free version of the operating system or can purchase it for a discounted price, he said.

To get the free version of Windows, a customer must fill out a counterfeit report identifying the source of the software, provide a proof of purchase and send in a counterfeit CD of the software. If customers don't have all of that information, they can still fill out a counterfeit report and receive a copy of Windows XP Home Edition for $99 or a copy of Windows XP Professional Edition for $149, Lazar said.

Windows XP Home normally sells for $199 and Windows XP Professional Edition usually costs $299.

The move to lock out pirated copies of Windows from the download sites is part of Microsoft's effort to fight software piracy, a major issue for the software vendor.

Bonnie MacNaughton, senior attorney for Microsoft, said the company estimates that more than one-third of all copies of its software are counterfeit, based on a recent joint report released by the Business Software Alliance and research firm IDC. The study found that 35 percent of software worldwide is pirated. In North America alone, the piracy rate for software is 22 percent. "We consider that to be a staggering number," said MacNaughton.

One issue the software maker faces in fighting piracy is that many users don't know that their copy of Windows is illegal. Windows Genuine Advantage allows customers to solve this problem in a few minutes through the automatic validation, Lazar said.

The Windows Genuine Advantage checking mechanism is anonymous, and includes an ActiveX control on the client side and the Windows Product Activation service on the Microsoft side. During the testing process, a user had to install the ActiveX control and enter the Windows product key, which on new PCs bought with the operating system is typically found on a sticker affixed to the PC. However, providing a Windows product key is no longer required in the live program, Lazar said.

This is not the first time that Microsoft is checking whether installed copies of Windows are legitimate. Windows Update already checks for certain volume licence keys that are known to be used illegally to activate copies of Windows.

Microsoft also has a Web site, www.howtotell.com, providing customers with information on how they can discover whether or not they have a genuine copy of Windows.

While counterfeit copies of Windows will be prevented from downloading updates, Lazar said Microsoft is not including security updates in the lock-out. Even customers who do not check their copies of Windows for authenticity will be allowed to download security updates through Windows Update, Microsoft Update for Windows and the Download Center, he said.

"Those are available to all Windows users with or without validation," Lazar said. "We think of it like public health. We want to make sure no one gets infected by another system on the Internet because of our program."

source:http://www.techworld.com/applications/news/index.cfm?NewsID=4102


Japan Wants to Build 10 Petaflop Supercomputer

"Japan wants to gain the fastest supercomputer spot back. Japan wants to develop a supercomputer that can operate at 10 petaflops, or 10 quadrillion calculations per second, which is 73 times faster than the Blue Gene. The current fastest supercomputer, the partially finished Blue Gene, is capable of 136.8 teraflops, and the target when finished is 360 teraflops."

source:http://hardware.slashdot.org/article.pl?sid=05/07/26/0021238&tid=231&tid=137

Socket Adapter Brings Pentium M to Desktop

"Intel's Pentium M processor is widely regarded as the company's most compelling chip, and although desktop versions of it won't be available until next year, a new adapter from Asus allows users to run a Pentium M on existing Socket 478 motherboards. When coupled with a compatible motherboard, the CT-479 adapter is much cheaper than existing Pentium M desktop platforms, and also offers better performance by allowing the processor access to dual-channel memory configurations. Considering the Pentium M's frugal power consumption and great clock-for-clock performance, this could be an interesting upgrade for those looking for a low-noise system."

source:http://hardware.slashdot.org/article.pl?sid=05/07/25/1924254&tid=118&tid=137

Possession of Cantenna Now Illegal?

"The recent arrests in Florida and the UK of men who were accessing unsecured wireless hotspots have created a flood of articles that contain panic-inducing rhetoric. 'A small subset of computer-savvy hackers has the know-how and gadgets for more nefarious activities,' claims the Sacramento Bee (via Techdirt). 'They're (Pringles cans fashioned into antennas) unsophisticated but reliable, and it's illegal to possess them,' quips Sacramento County Sheriff's Lt. Bob Lozito of the Sacramento Valley Hi-Tech Crimes Task Force." I hope they tell Fry's about all the illegal antennas they're stocking, too.

source:http://hardware.slashdot.org/article.pl?sid=05/07/25/1910247&tid=193&tid=17

Google Hacking for Penetration Testers

"A couple of years ago, Johnny Long made a large splash in the press with his Google Hacking. He showed the world at large how easy it is to use Google to sift through mountains of information to discover facts about your adversary they didn't know were public (and would rather were private). Now he's written a book with a few other authors and shows you the kinds of techniques and queries you can do to mine Google for all sorts of information." Read on for the rest of Nazario's review.

Google Hacking for Penetration Testers
author: Johnny Long
pages: 502
publisher: Syngress
rating: 6/10
reviewer: Jose Nazario
ISBN: 1931836361
summary: Use the data stored in Google's database to study your adversary

Google Hacking for Penetration Testers (Google Hacking for short) is Johnny Long and company's tome on the subject of using what is widely considered to be the web's only worthwhile search engine and the myriad of ways that you can get very specific information out of it. Not just for web pages, you can find Excel spreadsheets, Word documents, and all sorts of information that the owners thought was hidden. This is what makes Google hacking, as an activity, so interesting.

The Google Hacking book starts with Google search basics, which is usually way more than most people do in a given week of using Google. With nary a pause, Chapter 2 covers advanced Google search operators, such as exclusions, file types, and restrictions like "inurl:" and "phonebook:". By this point, you should be sufficiently armed to do some serious Google hacking. Together with the skills and the imagination to phrase what it is you're looking for, you can mine the web.

Chapter 3 provides a simple, fast-paced introduction to using Google to do more than find porn and stalk potential mates. You can dig around in sites to find, for example, backup scripts (which may expose database parameters, useful for SQL injections later on) and even use Google to hide your tracks as a proxy server (note this only partially works).

The next few chapters focus on the Penetration Testers portion of the title. Chapter 4 starts with the preassessment of the target (of your pen-test), including digging around for information left by employees (i.e. mails that reveal employee lists), information about the company leaked in job postings (which may include technologies used), and all the kind of stuff you want to know before you start knocking around. Chapter 5 shows you how to use Google and a few other sites to map the target. After all, Google's indexed their site; why not use the data they gathered? Chapter 6 has some real meat in it, including how to find vulnerable CGI programs via Google queries (i.e. looking for formmail.cgi scripts).

Chapter 7, which is described as "Ten Simple Security Searches That Work", is surprisingly succinct and effective. It basically helps you map the restrictions you learned earlier into queries and data to help you penetrate a target's security without ever leaving Google. Chapters 8 and 9 help you understand how to use Google to enumerate what you can about resources and authentication credentials, and Chapter 10 describes how to pull up documents for your perusal, some of which may be real gems.

Chapter 11 is another interesting chapter, where you learn how to use these same techniques on your own site to determine what kinds of exposures you have. This can include private communications, confidential memos, and even internal configuration information. What doesn't get stressed too clearly at all is that some sites don't respect "robots.txt", for example, and will archive pages indefinitely even if they weren't supposed to. As such, even if you are protected from Google you may not be entirely protected. Now is a good time to learn how to use other major search engines.

I liked where Chapter 12 is headed with automated Google searches via the API and page scraping, but I think more could have been done here to show better, more useful code. As it stands, you'll have to expend some more elbow grease to translate a lot of what you learned earlier into a useful tool for yourself (if you want to write your own). The two appendices on "Professional Security Testing" and "An Introduction to Web Application Security" seem out of place, though, and could have been bridged into the whole book much more cleanly.

Overall I'm not as thrilled with this book as I would have liked to have been for a few key reasons. First, I found the presentation of the book, specifically organization, language and screenshot displays, to be only average. The organization of the book itself seems to jump around sometimes, going from recon work to attacks and then back to basic outside recon work. This becomes a burden when you want to refer back to the book to find a useful portion or to understand the progression of an idea.

Secondly, I found the writing to be heavy with all kinds of 'Leet Hacker' types of references, which get old pretty quickly and only drown out useful information. At over 500 pages, you'd think this book was truly bursting at the seams with information, but a lot of it is redundant or hidden under excess fluff.

Finally, a number of the screenshots are full screens when they could have been only pieces of a screen or a window to achieve an improved effect. This matters because the halftone printing process leaves the images blurry, and a large window or screen is blurry at the book's printing resolution. This is something I've found in common between a bunch of Syngress books, and I hope they'll address it shortly by reviewing their screenshot design.

In conclusion, there's nothing too significantly special about Google hacking. With a bit of elbow grease, some example code for the Google API, reading Google's own docs, and some experimentation you can find yourself at the same level you'd be at with the book, and about $40 heavier, too. However, Long and co-authors have assembled a good number of Google methods together, and if you're the kind of person who prefers to get right to productive work with a book, it's probably the best book I've seen on using Google for more than simple searches.

source:http://books.slashdot.org/article.pl?sid=05/07/25/200221&tid=172&tid=6

