Hackbloc hacktivist collective - researching positive hacktivism

News aggregator

Ask Slashdot: What If Intellectual Property Expired After Five Years?

Slashdot - Politics - 13 hours 1 min ago
New submitter ancientt writes "As a thought experiment, what if the constitution of the U.S. was amended so that no idea (with exceptions only for government use, like currency) could be protected from copy or use beyond January 1, 2035 for more than a five-year period. After a five-year span, any patent, software license, copyright, software NDA or other intellectual property agreement would expire. (This is not an entirely new idea, but would have had significant recent ramifications if it had been enacted in the past.) Specific terms are up for debate, but in this experiment businesses must have time to try to adjust to sell services and make the services good enough to compete with other businesses offering the same basic products. Microsoft can sell a five-year-old variant of OSX, Apple can sell Windows 2030. Cars, computers and phones would, or at least could, still be made, but manufacturers would be free to use any technology more than five years old or license new technology for a five-year competitive edge. Movie, TV and book budgets would have to adjust to the potential five-year profit span, although staggered episode or chapter releases would be legal. Play 'What if' with me. What would be the downsides? What would be the upsides?"

Read more of this story at Slashdot.


Big Media and Big Telcos Getting Nasty In Landmark Australian Law Case

Slashdot - Your Rights Online - Wed, 05/16/2012 - 06:21
Fluffeh writes "In Australia, we have the right to record TV and play it back at a later date; we also have the right to transcode from one format to another, so anyone with a media server can legally back up their entire DVD collection and watch it without all those annoying warnings and unskippable content — as long as we don't break encryption (please stop laughing!). Optus, Australia's second largest Telco, has been raising ire though with the new TV Now service they are offering and Big Media is having a hissy fit. The service does the recording on behalf of the customer. Seems like a no-brainer right? Let the customer do what they are allowed to legally do at home, but charge them for it. Everybody wins! Not according to Sports Broadcasters, who made this statement when Optus said they would appeal their recent loss in an Australian Court to the highest court in the land: 'They are a disgusting organization who is acting reprehensibly again and now putting more uncertainty into sports and broadcast rights going forward I'm really disappointed and disgusted in the comments of their CEO overnight.' Is this yet another case of Big Media clutching at an outdated business model, or should consumers be content with just doing their own work?"



Americans More Worried About Cybersecurity Than Terrorism

Slashdot - Politics - Tue, 05/15/2012 - 23:15
TheGift73 tips an article discussing a new study (PDF) which found Americans are now more worried about cybersecurity threats than they are about terrorism. Here's Techdirt's acerbic take: "Well, it looks like all the fearmongering about hackers shutting down electrical grids and making planes fall from the sky is working. No matter that there's no evidence of any actual risk, or that the only real issue is if anyone is stupid enough to actually connect such critical infrastructure to the internet (the proper response to which is: take it off the internet), fear is spreading. Of course, this is mostly due to the work of a neat combination of ex-politicians/now lobbyists working for defense contractors who stand to make a ton of money from the panic — enabled by politicians who seem to have no shame in telling scary bedtime stories that have no basis in reality."



Canadian Internet Surveillance Dies a Quiet, Lonely Death

Slashdot - Your Rights Online - Tue, 05/15/2012 - 22:33
Dr Caleb writes "According to the Globe and Mail, 'The Internet surveillance legislation sponsored by Public Safety Minister Vic Toews has disappeared down a dark legislative hole. For all intents and purposes, the bill is dead. If the Harper government still wants to pass a law that would make it easier for police to track people who use the web to commit crimes, it will have to start from scratch.' The bill has been sent to a public safety committee for extensive revision, but it must be debated for five hours on the House floor first, and that won't happen before summer recess. This is a followup to the story we discussed in February titled 'Against Online Surveillance? You Must Be "For" Child Porn.'"



Police Charge News of the World Editor Over Voicemail Hacking

Slashdot - Your Rights Online - Tue, 05/15/2012 - 21:07
New submitter HarryatRock writes with news that former News of the World editor Rebekah Brooks and five others have been charged by police for their involvement in intercepting voicemail messages left for a murdered girl. From the article: "She is charged with conspiring with her 49-year-old husband, personal assistant Cheryl Carter, chauffeur Paul Edwards, security man Daryl Jorsling, and News International head of security Mr Hanna to "conceal material" from police between 6 and 19 July. In a second charge Mrs Brooks and Ms Carter are accused of conspiring to remove seven boxes of material from the News International archive between 6 and 9 July. In a third charge, Mr and Mrs Brooks, Mr Hanna, Mr Edwards and Mr Jorsling are accused of conspiring to conceal documents, computers and other electronic equipment from police officers between 15 and 19 July."



'G20 Geek' Byron Sonne Cleared of Explosives Charges

Slashdot - Your Rights Online - Tue, 05/15/2012 - 19:01
New submitter davegravy writes "Byron Sonne, the Toronto-based security consultant, chemistry hobbyist, and geek who was arrested leading up to the Toronto G-20 for alleged plans to bomb the event, has been found not guilty of all charges. Sonne was held in prison for 11 months without receiving bail, and the ruling comes two years after his arrest. Sonne is considered by many in the Toronto security community as a champion of civil rights and a sharp critic of security theatre."



Liferay 6.1 json webservices are subject to cross-site request forgery attacks

Bugtrack Mailing List - Tue, 05/15/2012 - 18:02

Posted by Jelmer Kuperus on May 15

Liferay 6.1 json webservices are subject to cross-site request forgery attacks

Description:

Liferay Portal is an enterprise portal written in Java

If a user is currently logged in to the portal (or has ticked the remember me box) then with a little help of social engineering (like sending a link via email/chat), an attacker can read most data the logged in user is privileged to see. The reason for this is that the new json webservices let you...

[ MDVSA-2012:075 ] ffmpeg

Bugtrack Mailing List - Tue, 05/15/2012 - 17:51

Posted by security on May 15

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2012:075
http://www.mandriva.com/security/
_______________________________________________________________________

Package : ffmpeg
Date : May 15, 2012
Affected: 2010.1
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been...

Liferay 6.1 can be compromised without having an account on the portal

Bugtrack Mailing List - Tue, 05/15/2012 - 17:39

Posted by Jelmer Kuperus on May 15

Liferay 6.1 can be compromised without having an account on the portal

Description:

Liferay Portal is an enterprise portal written in Java

Liferay in its default configuration exposes a number of remotely accessible webservices. Access to these services is restricted by an ip block.

It is possible to circumvent this ip block in the following way :...

Mac Clone Maker Saga Ends As SCOTUS Denies Appeal

Slashdot - Your Rights Online - Tue, 05/15/2012 - 17:36
CWmike writes "The four-year-old saga of Psystar, a Florida Mac clone maker that was crushed by Apple, ended Monday when the U.S. Supreme Court refused to hear its appeal of a lower court ruling. The decision to not consider the case (download PDF) upheld a ruling last September by the U.S. Court of Appeals for the Ninth Circuit. That ruling confirmed a permanent injunction against Psystar that prevented the company from copying, using or selling OS X, and blocked it from selling machines with Apple's operating system preinstalled. 'We are sad,' said K.A.D. Camera of the Houston firm Camera & Sibley LLP, in an email reply today to a request for comment. Camera represented Psystar in its bid to get its appeal heard. 'I expect the Supreme Court will eventually take a case on this important issue.' Last year, Camera had said, 'This is far from over,' after the Ninth Circuit's decision. Apparently, it is."



Guests can view names and email addresses of all Liferay users in liferay 6.1

Bugtrack Mailing List - Tue, 05/15/2012 - 17:27

Posted by Jelmer Kuperus on May 15

Guests can view names and email addresses of all Liferay users in liferay 6.1

Description:

Liferay Portal is an enterprise portal written in Java

As an unauthenticated user it is possible to retrieve the names and email addresses of all Liferay users. To retrieve a list of all users simply issue the following request

http://vulnerablehost/c/search/open_search?p=1&c=5000&keywords=entryClassName:com.liferay.portal.model.User

Getting to...

Multiple xss issues in Liferay

Bugtrack Mailing List - Tue, 05/15/2012 - 17:15

Posted by Jelmer Kuperus on May 15

Multiple xss issues in Liferay

Description:

Liferay Portal is an enterprise portal written in Java

Multiple xss vulnerabilities were found in liferay. Because liferay has a "remember me" option in their login screen that stores an encrypted password in a cookie this is more problematic than it otherwise would be

1. xss vulnerability in upload_progress_poller.jsp...

John Anthony Borell III, 'Anonymous' Hacker Charged With Police Leaks in Utah ... - LA Weekly (blog)

Google News: Hacktivism - Tue, 05/15/2012 - 17:05

Hacktivists claiming to be from the Anonymous offshoot "CabinCr3w" easily swamped the Los Angeles County Police Canine Association's site, extracting all sorts of juicy details about members of the association -- including officers from South Gate, ...


APPLE-SA-2012-05-14-2 Leopard Security Update 2012-003

Bugtrack Mailing List - Tue, 05/15/2012 - 17:04

Posted by Apple Product Security on May 15

APPLE-SA-2012-05-14-2 Leopard Security Update 2012-003

Leopard Security Update 2012-003 is now available and addresses the
following:

Internet plug-ins
Available for: Mac OS X v10.5 to 10.5.8 Intel
Impact: Out-of-date versions of Adobe Flash Player are disabled
Description: This update disables Adobe Flash Player if it is older
than 10.1.102.64 by moving its files to a new directory. This update
presents the option to install an updated...

APPLE-SA-2012-05-14-1 Flashback Removal Security Update

Bugtrack Mailing List - Tue, 05/15/2012 - 16:53

Posted by Apple Product Security on May 15

APPLE-SA-2012-05-14-1 Flashback Removal Security Update

Flashback Removal Security Update is now available and addresses the
following:

Malware removal
Available for: Mac OS X v10.5 to v10.5.8
Impact: A Flashback malware removal tool will be run
Description: This update runs a malware removal tool that will
remove the most common variants of the Flashback malware. If the
Flashback malware is found, it presents a dialog notifying the user...

NETGEAR Exposure of Sensitive Information - Security Advisory - SOS-12-005

Bugtrack Mailing List - Tue, 05/15/2012 - 16:42

Posted by Lists on May 15

Sense of Security - Security Advisory - SOS-12-005

Release Date. 13-May-2012
Last Update. -
Vendor Notification Date. 06-Mar-2012
Product. NETGEAR WNDRMAC
Platform. Hardware
Affected versions. 1.0.0.22 and below
Severity Rating. High
Impact. Exposure of sensitive information
Attack Vector. From remote without...

ICACLS.EXE ignores and destroys SE_DACL_PROTECTED/SE_SACL_PROTECTED

Bugtrack Mailing List - Tue, 05/15/2012 - 16:30

Posted by Stefan Kanthak on May 15

Hi @ll,

since Windows Vista resp. Windows Server 2003 Service Pack 2, the
command line tool to modify/set file/directory permissions is
ICACLS.EXE [0][1][2][3][4].

Main advantage over the previous command line tools CACLS.EXE [5],
XCACLS.EXE [6] and XCACLS.VBS [7] is the ability to specify
inheritance and to process/propagate inheritable permissions.

But exactly the handling of inheritance is severely broken: in an
object's security descriptor...

Triggering Java code from a SVG image

Bugtrack Mailing List - Tue, 05/15/2012 - 16:19

Posted by Nicolas Grégoire on May 15

Hello,

SVG is a XML-based file format for static or animated images. Some SVG
specifications (like SVG 1.1 and SVG Tiny 1.2) allow to trigger some
Java code when the SVG file is opened.

Given that I had to look at these features for a customer, I developed
some PoC codes which are now available online:
http://www.agarri.fr/docs/batik-evil.svg
http://www.agarri.fr/docs/batik-evil.jar

I published a more detailed article on my blog:...

Re: rssh security announcement

Bugtrack Mailing List - Tue, 05/15/2012 - 16:08

Posted by Derek Martin on May 15

Actually, I have a patch for this. I'll be publishing it later this
week, when I can find some time to do it.

[ MDVSA-2012:076 ] ffmpeg

Bugtrack Mailing List - Tue, 05/15/2012 - 15:57

Posted by security on May 15

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2012:076
http://www.mandriva.com/security/
_______________________________________________________________________

Package : ffmpeg
Date : May 15, 2012
Affected: 2011.
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been...