Wednesday, July 30, 2008

With Security at Risk, a Push to Patch the Web

Published: July 30, 2008

Since a secret emergency meeting of computer security experts at Microsoft’s headquarters in March, Dan Kaminsky has been urging companies around the world to fix a potentially dangerous flaw in the basic plumbing of the Internet.

Dan Kaminsky, a Web security specialist, showing a list of servers and whether they are patched.

While Internet service providers are racing to fix the problem, which makes it possible for criminals to divert users to fake Web sites where personal and financial information can be stolen, Mr. Kaminsky worries that they have not moved quickly enough.

By his estimate, roughly 41 percent of the Internet is still vulnerable. Now Mr. Kaminsky, a technical consultant who first discovered the problem, has been ramping up the pressure on companies and organizations to make the necessary software changes before criminal hackers take advantage of the flaw.

Next week, he will take another step by publicly laying out the details of the flaw at a security conference in Las Vegas. That should force computer network administrators to fix millions of affected systems.

But his explanation of the flaw will also make it easier for criminals to exploit it, and steal passwords and other personal information.

Mr. Kaminsky walks a fine line between protecting millions of computer users and eroding consumer confidence in Internet banking and shopping. But he is among those experts who think that full disclosure of security threats can push network administrators to take action. “We need to have disaster planning, and we need to worry,” he said.

The flaw that Mr. Kaminsky discovered is in the Domain Name System, a kind of automated phone book that converts human-friendly addresses like google.com into machine-friendly numeric counterparts.

The potential consequences of the flaw are significant. It could allow a criminal to redirect Web traffic secretly, so that a person typing a bank’s actual Web address would be sent to an impostor site set up to steal the user’s name and password. The user might have no clue about the misdirection, and unconfirmed reports in the Web community indicate that attempted attacks are already under way.

The problem is analogous to the risk of phoning directory assistance at, for example, AT&T, asking for the number for Bank of America and being given an illicit number at which an operator masquerading as a bank employee asks for your account number and password.

The online flaw and the rush to repair it are an urgent reminder that the Internet remains a sometimes anarchic jumble of jurisdictions. No single person or group can step in to protect the online transactions of millions of users. Internet security rests on the shoulders of people like Mr. Kaminsky, a director at IOActive, a computer security firm, who had to persuade other experts that the problem was real.

“This drives home the risk people face, and the consumer should get the message,” said Ken Silva, chief technology officer of VeriSign, which administers Internet addresses ending in .com and .net. “Don’t just take for granted all the things that machines are doing for you.”

When Mr. Kaminsky, 29, announced the flaw on July 8, he said he would wait a month to release details about it, in the hope that he could spur managers of computer systems around the world to fix them with a software patch before attackers could figure out how to exploit it.

Last week, however, accurate details of the flaw were briefly published online by a computer security firm, apparently by accident. Now security experts are holding their breath to see whether the patching of as many as nine million affected computers around the world will happen fast enough.

“People are taking this pretty seriously and patching their servers,” Mr. Silva said.

Major Internet service providers in the United States this week indicated that in most cases, the software patch, which makes the flaw much more difficult to exploit, was already in place or soon would be.

Comcast and Verizon, two of the largest providers, said they had fixed the problem for their customers. AT&T said it was in the process of doing so.

But the problem is a global one, and the length of time required to fix it could leave many Web users vulnerable for weeks or months. And there are millions of places around the world where people might find themselves vulnerable to potential attacks, ranging from their workplaces to an airport lounge or an Internet cafe.

Individuals and small companies with some technical skills can protect themselves by changing the network preferences of their computer settings so that they use the domain name servers of a Web service called OpenDNS (www.opendns.com).

Some computer systems are immune to the flaw. About 15 percent of domain name servers in the United States and 40 percent in Europe, including those at major Internet providers like America Online and Deutsche Telekom, use software from a Dutch company called PowerDNS, which is not vulnerable.

Still, much of the Internet remains vulnerable. “I’m watching people patch, and I realize this is not an easy thing to do,” Mr. Kaminsky said in an interview.

The flaw, which Mr. Kaminsky stumbled across in February, had been overlooked for more than two decades. The eureka moment came when he was idly contemplating a different security threat. He suddenly realized that it would be possible to guess crucial information about the protocol that domain name servers use to convert the numerical Web addresses.

Mr. Kaminsky worried about his discovery for several days and then contacted Paul Vixie, a software engineer who runs the Internet Systems Consortium and is responsible for maintaining a widely used version of software for domain name servers, known as BIND. Almost immediately, software engineers who looked at the vulnerability realized that Mr. Kaminsky had found a significant weakness.

In March, Microsoft held the secret meeting at its headquarters in Redmond, Wash. Sixteen representatives from security organizations and companies, including Cisco, talked about ways to combat the potential threat.

But after several delays while vendors fixed their software, Mr. Kaminsky went public.

For Mr. Kaminsky, the discovery and his subsequent warning to the Internet community were the culmination of an almost decade-long career as a security specialist. He was spotting bugs in software for Cisco and contributing to a book on computer security while still in college.

“I play this game to protect people,” he said.

He thinks that it is necessary to publish information about security threats to motivate system operators to protect themselves. Otherwise, “You don’t get to tell the river you need more time until it floods,” he said.

He said that he had initially hoped to give the Internet community a head start of a full month to fix the problem, but his plan was foiled when technical details were briefly posted online last week. “I would have liked more time, but we got 13 days and I’m proud of that,” he said.

The new flaw has sharpened the debate over how to come up with a long-term solution to the broader problem of the lack of security in the Domain Name System, which was invented in 1983 and was not created with uses like online banking in mind.

While Mr. Kaminsky is being hailed as a latter-day Paul Revere, Internet experts like Bruce Schneier, a member of the insular community that guards online security, said flaws like this were a routine occurrence and no reason to stay off the Internet.

“If there is a flaw in your car, it will get fixed eventually,” said Mr. Schneier, the chief security technology officer for British Telecom. “Most people keep driving.”

Source: New York Times


Head of Microsoft’s Online Efforts Departs

Kevin Johnson, the executive in charge of Microsoft’s struggling online business, is leaving the company. Microsoft announced Wednesday evening that Mr. Johnson was departing to become chief executive of Juniper Networks.

Mr. Johnson, 47, is leaving as his boss, Steven A. Ballmer, Microsoft’s chief executive, is shaking up the senior management ranks in an effort to improve the fortunes of the company’s Internet search and advertising business. Microsoft is a distant third behind Google, the leader, and Yahoo in this field, having been unable to catch up despite heavy spending.

The change also comes after Microsoft’s failed bid for Yahoo. Mr. Johnson played a central role in negotiations with Yahoo.

Under the new plan, responsibility for the two businesses overseen by Mr. Johnson — online services and the Windows operating system unit — will be separated.

Microsoft, in a statement, acknowledged that it needed new leadership to lift the performance of the online services business. The company said it would “create a new senior lead position and will conduct a search that will span internal and external candidates.”

In Microsoft’s most recent quarter, which ended June 30, revenue from online services increased 24 percent from the year-earlier quarter, to $838 million. But the business’s loss for the quarter more than doubled to $488 million.

Microsoft’s lackluster performance in online services, analysts note, began well before Mr. Johnson took over in September 2005, with the title of president of the platforms and services division.

“But he didn’t turn it around either,” said Charles di Bona, an analyst at Sanford C. Bernstein. “There are a lot of questions to be answered about Microsoft’s online services business, particularly because the company has spent so much there without much to show for it.”

After joining Microsoft in 1992 from I.B.M., Mr. Johnson rose steadily, serving mainly in sales and marketing positions. He was a member of the 10-person senior leadership team at the company.

A colleague who declined to be named said Mr. Johnson wanted to become a chief executive someday — an unlikely prospect at Microsoft, given that Mr. Ballmer is 52.

Mr. Johnson championed Microsoft’s $44.6 billion bid for Yahoo in February as the best way to gain ground quickly in online services. The offer had the support of the activist investor Carl C. Icahn, a Yahoo shareholder who threatened a proxy fight to get control of Yahoo.

But the two sides, after a series of talks, failed to reach agreement, though Microsoft has said it remains interested in Yahoo’s search business, if not the entire company. Mr. Icahn is likely to continue agitating for a deal.

Source: New York Times

Monday, July 28, 2008

Teaching Large Groups

By: Peter Cantillon.

Lecturing or large group teaching is one of the oldest forms of teaching. Whatever their reputation, lectures are an efficient means of transferring knowledge and concepts to large groups. They can be used to stimulate interest, explain concepts, provide core knowledge, and direct student learning.
However, they should not be regarded as an effective way of teaching skills, changing attitudes, or encouraging higher order thinking. Large group formats tend to encourage passive learning. Students receive information but have little opportunity to process or critically appraise the new knowledge offered.
How can lectures be used to maximise learning and provide opportunities for student interaction? This article will supply some of the answers and should help you to deliver better, more interactive lectures.

GETTING YOUR BEARINGS

It is important to find out as much as possible about the context of the lecture, that is, where it fits into the course of which it is part.
An understanding of the context will allow you to prepare a lecture that is both appropriate and designed to move students on from where they are.

Helping students to learn in lectures

An important question for any lecturer to consider when planning a teaching session is, "how can I help my students to learn during my lecture?" There are several different techniques you can use to aid student learning in a large group setting.

Planning your lecture

It is important to distinguish between the knowledge and concepts that are essential (need to know) and those which, though interesting, are not part of the core message (nice to know).
The aims of the lecture should be clearly defined ("what do I hope to achieve with this lecture?"). These will help to define the teaching methods and the structure. If, for example, the purpose of the lecture is to introduce new knowledge and concepts, then a classic lecture structure might be most appropriate.
On the other hand, if the purpose is to make the students aware of different approaches to a particular clinical problem, a problem oriented design in which alternative approaches are presented and discussed might be a more appropriate format.

Choosing teaching media

When you have selected the content of the lecture and placed it into a working structure, the next consideration is how to deliver the message. Which teaching media should be used (for example, slides, overheads, handouts, quizzes)? The most appropriate media will differ depending on the venue, class size, and topic.

Getting started

In the first moments of a lecture it is important that the students are given some sense of place and direction. Thus a brief summary of the previous lecture and an indication of the major themes and learning objectives for the current session provide both you and the students with a relatively easy start. If you are working with a new group it may be useful to indicate the ground rules for the session, for example, "switch off mobile phones," or "ask questions at any time."

Encouraging students to interact

Students learn well by "doing." Yet there is an understandable tendency for students to regard lectures as an opportunity to sit back, be entertained, and "soak up" the learning. However, you can use various methods to encourage students to take a more active part in the learning process.
Students' attention (and recall) is best at the beginning and end of a lecture. Recall can be improved by changing the format of your lecture part way through. It is also important when planning a lecture to think about activities and exercises that will break up the presentation.

Ask questions

It is useful to ask questions of the group at various stages in the lecture, to check comprehension and promote discussion. Many lecturers are intimidated by the silence following a question and fall into the trap of answering it themselves. Wait for the answers to come. It takes time for students to move from listening to thinking mode. A simple tip is to count slowly to 10 in your head: a question is almost certain to arrive.

Get students to ask you questions

An alternative to getting students to answer questions is to ask them to direct questions at you. A good way of overcoming students' normal fear of embarrassment is to ask them to prepare questions in groups of two or three. Questions can then be invited from groups at random. When asked a question, you should repeat it out loud to ensure that the whole group is aware of what was asked. Seeking answers to the question from other students, before adding your own views, can increase the level of interaction further.

Brainstorming

Brainstorming is a technique for activating the students' knowledge or current understanding of an issue or theme. The lecturer invites answers to a question or problem from the audience and writes them, without comment, on a board or overhead. After a short period, usually about two or three minutes, the lecturer reviews the list of "answers" with the class. The answers can be used to provide material for the next part of the lecture or to give students an idea of where they are before they move on. By writing answers in a way that can be seen by everyone in the audience, you allow the students to learn from each other.

Buzz groups

Buzz groups also encourage interaction. They consist of groups of two to five students working for a few minutes on a question, problem, or exercise set by the lecturer. Buzz group activity is a useful means of getting students to process and use new information to solve problems. At the end of the buzz group session, the teacher can either continue with the lecture or check the results of the exercise by asking one or two groups to present their views. Remember that in an amphitheatre lecture hall, students can sit on their own desks to interact with the students behind them.

Mini-assessments

Mini-assessments and exercises are used in lectures to help students to recognise gaps in their learning and to encourage them to use new material in practice. Brief assessments can also allow the lecturer to measure how well the messages are being understood. Students could be asked, for example, to complete a brief, multiple choice questionnaire or a "one-minute" paper. The timing of quizzes and exercises will depend on what is required. An assessment of prior learning would be best at the start of a lecture, whereas an estimate of learning from the current session might be best carried out towards the end of the lecture.

How to end your lecture

At the end of a lecture it is important to summarise the key points and direct students toward further learning. You may present the key points on a slide or overhead. Alternatively, you may go through the main headings on a handout. Students are encouraged to learn more about a subject if they are set tasks or exercises that will require them to look further than the lecture notes for answers and ideas. The end of a lecture is also a common time for questions. Students may find the use of a one-minute paper a useful tool to help them to identify concepts and impressions that need clarification.

Evaluating your lecture

Practice does make perfect, but the process of developing as a lecturer is greatly helped if some effort is made to evaluate performance. Evaluation involves answering questions such as "how did I do?" or "what did the students learn?"
A lecture can be evaluated in different ways. If the students are to be used as a source of feedback, the following methods are useful:
  • Ask a sample of the students if you can read their lecture notes; this exercise gives some insight into what students have learned and understood
  • Ask for verbal feedback from individual students
  • Ask the students to complete a one-minute paper
  • Ask the students to complete an evaluation questionnaire.
If you want to evaluate your teaching style and delivery, peers can be a useful source of feedback:
  • Ask a colleague to observe part or all of a lecture and provide feedback afterwards. It is important to inform the observer what aspects of the lecturing process you want evaluated, for example, clarity, logical flow, effectiveness of the media used
  • Videotape the lecture for private viewing, and arrange a joint viewing with a colleague later
Lectures are still a common teaching method in both undergraduate and postgraduate medical education. Their continued popularity is due to the fact that they represent an effective and efficient means of teaching new concepts and knowledge. This article has emphasised the importance of good lecture planning and of the inclusion of student interaction to ensure effective learning.


Recommended reading

  • Newble DI, Cannon R. A handbook for medical teachers. 4th ed. Dordrecht, Netherlands: Kluwer Academic, 2001.
  • Gibbs G, Habeshaw T. Preparing to teach. Bristol: Technical and Educational Services, 1989.
  • Bligh DA. What's the use of lectures? San Francisco: Jossey-Bass, 2000.
  • Brown G, Manogue M. AMEE medical education guide No 22: refreshing lecturing: a guide for lecturers. Medical Teacher 2001;23:231-44.

The ABC of learning and teaching in medicine is edited by Peter Cantillon, senior lecturer in medical informatics and medical education, National University of Ireland, Galway, Republic of Ireland; Linda Hutchinson, director of education and workforce development and consultant paediatrician, University Hospital Lewisham; and Diana F Wood, deputy dean for education and consultant endocrinologist, Barts and the London, Queen Mary's School of Medicine and Dentistry, Queen Mary, University of London. The series will be published as a book in late spring.

Source: www.bmj.com

Sunday, July 20, 2008

EASY WAY TO SHARE INTERNET CONNECTION

Suppose you have two PCs. One runs Windows Vista and is connected to the internet; the other has no internet connection. You want both computers to be online, and you have two choices. The first is to get a new, separate connection for the second PC, but this choice is inefficient because it adds extra cost.

The second choice is to share the internet connection that already exists on the first PC over the network. Sharing an existing internet connection can be done in two ways.

First, you can use a proxy utility.

Install proxy software on the PC that is connected to the internet. On the other PC, open the connection settings: in Internet Explorer, menu [Tools] → [Internet Option] → [Connection] tab → [LAN Setting]; in Mozilla Firefox, menu [Tools] → [Options] → [Advanced] → [Network] tab → [Setting].

Check “Use a proxy server for your LAN (These settings will not apply to dial-up or VPN connections)” in Internet Explorer, or “Manual proxy configuration” in Mozilla Firefox. Fill in your proxy server's address and its port.

Second, if you don’t want to install proxy software, you can use Windows Vista’s built-in facility to share the internet connection, using the following steps:

1. Click [Start] – [Control Panel] – [Network and Internet] – [Network and Sharing Center].

2. Choose the [Manage Network Connection] option on the right of the Tasks panel.

3. In the new window that appears, you will see all of the network hardware in your PC. Right-click the device that provides internet access, then choose Properties.

4. In the Properties window, choose the [Sharing] tab.

5. Check the [Allow other network users to connect through this computer’s Internet Connection] box.

6. Under Home Networking Connection, choose the kind of network connection that you use: [Local Area Connection] or [Wireless Network Connection].

7. If you want the connection to be established automatically every time a client requests one, check [Establish a dial up connection whenever a computer on my network attempts to access the internet].

8. Click the [Setting] button, which is now active.

9. Check each service that will be shared. If you want to share every kind of service on the internet, you can select all services.

10. Click [OK] to save the changes you have made.

After completing all of the steps, make sure that the IP address of the PC connected to the internet ends in 1. For example, if you are using 192.xxx.xxx.xxx addresses, set the PC connected to the internet to 192.168.0.1. Give the other client an IP address on the same network as the first PC, and set its DNS server to the IP address of the first PC.

Source: http://zhumphallabbu.blogspot.com