Correction posted: SANS updated their post to reflect the fact that it was in fact MS05-012 that had been exploited. That's good news, but get patched before it's here...

If you think you can wait to apply patches til it's convenient, think again. According to an update from the Handler's Diary at SANS, the first instances of code exploiting MS05-051 have been detected in the wild on the Internet:

Trend Micro reports that they spotted a POC for MS05-051 in the wild. They found it included  as a new exploit in other malware. We don't have any details yet beyond what can be found in at Trend Micro. If you find a copy of this malware, please forward it.

Trend Micro states that the malware was written in Visual Basic, which usually indicates some low skilled bot-kid. Kind of odd to see it surface this way, but having it included as a new warhead in existing malware matches past patterns.

Trend Micros virus statistics do not report any "captures" of this exploit in the wild. Not exactly sure if this is just a lab sample, or if it was actually seen in the "wild".

We will update this diary as we learn more.

Rich Claussen has the low-down on a new pact between Microsoft and the government of Nigeria to combat fraud:

Not well publicized is how this came to be. Unknown to most, Microsoft's Chief Software Architect, Bill Gates, received the following (condensed) email from the government of Nigeria soliciting his and his company's assistance.

FIRST, I MUST SOLICIT YOUR STRICTEST CONFIDENCE IN THIS TRANSACTION. THIS IS BY VIRTUE OF ITS NATURE AS BEING UTTERLY CONFIDENTIAL AND 'TOP SECRET'. I AM SURE AND HAVE CONFIDENCE OF YOUR ABILITY AND RELIABILITY TO PROSECUTE A TRANSACTION OF THIS GREAT MAGNITUDE INVOLVING A PENDING TRANSACTION REQUIRING MAXIIMUM CONFIDENCE.

Read more on Rich's blog here. Nice sense of humor there, man.

Seriously though - Read the news about the *actual* agreement (for real) between the company and the country here.

Microsoft on Tuesday released nine security patches that are intended to alleviate 14 problems in various versions of the Windows operating system. Today the company issued an advisory to its enterprise customers via email that the MS05-051 patch, which is considered to be the most critical of the bunch, may cause problems on some computers where it is applied. However, Microsoft if still strongly encouraging everyone to apply the patch and has published a knowledge base article describing the issue with the patch and explaining how to resolve the associated problem, should it come up.

•	The Windows Installer service may not start.
•	The Windows Firewall Service may not start.
•	The Network Connections folder is empty.
•	The Windows Update Web site may incorrectly recommend that you change the Userdata persistence setting in Microsoft Internet Explorer.
•	Active Server Pages (ASP) pages that are running on Microsoft Internet Information Services (IIS) return an “HTTP 500 – Internal Server Error” error message.
•	The Microsoft COM+ EventSystem service will not start.
•	COM+ applications will not start.
•	The computers node in the Microsoft Component Services Microsoft Management Console (MMC) tree will not expand.
•	Authenticated users cannot log on, and a blank screen appears after the users apply the October Security Updates.

For a complete description and resolution instructions, read KB article 909444.

If you happen to have the .NET Framework 2.0 pre-release installed on a Tablet PC and you've noticed reliability and/or stability problems using the Microsoft Ink functionality on your Tablet, Microsoft has released an update to fix some compatibility problems:

"Compatibility issues (events not firing, classes being disfunctional) with CLR2.0 have been found in Windows XP SP1/SP2 versions of Microsoft.Ink.dll on Tablet PCs. Since this dll is a system file on these configurations, they require update through Windows Update."

So negative you are. Lighten up you must.

So - Before you say Microsoft sucks one more time, just let yourself laugh at what some of its employees manage to come up with from time to time.

Case in point: YODA, the programming language

Matt Warren posted his idea to build a programming language in Yoda-like English (can't quite call it plain English, can you?).

From Matt's post:

---

 

Instead of the cryptic c-like syntax below:

 

 

public void Main(string[] args) {

   Console.WriteLine(“Hello World”);

}

 

 

We will now have eloquent YODA-like syntax:

 

 

(args of string many are they) Main is what they seek yet return they do not.

 

Brace you must

     Written it is, the Console. “Hello World”

 

 

I know it’s difficult to believe, as strange as it seems. Yet, sometime in the future, everyone will be writing software this way. Knowing this, it makes my work so much more invigorating. I can literally feel the electricity in the air around here. It’s like some queer energetic force.

 

---

Go read the comments. They're just as good.

And by the way, for the record it only takes a little looking around to find out that Matt Warren isn't 100% joker. His real job has had him working at Microsoft with a supremely talented team on LINQ, which is "a set of extensions to the .NET Framework that encompass language-integrated query, set, and transform operations. It extends C# and Visual Basic with native language syntax for queries and provides class libraries to take advantage of these capabilities." I barely understand that, but I know it lets me (well, more like those code artists around me) do some cool querying of data in XML file, relational databases, in-memory data stores, whatever - which is cool. It's kinda like SQL syntax in .NET, is what it looks like to me. Linq is short for "language-integrated query." Makes sense. It's all for the next versions of C# and VB.NET.

[via Philippe Cheng [who also taught me some mad new beginner programming skillz today], via analog data transfer by Matt Lapworth]

It must be true. I read it on the Internet. On a blog even.

It looked pretty convincing, really. Someone started a blog called Google Tooth in September, under the guise of being Google's first live-in, on-site dentist. A plausible possibility, when you consider the benefits Google offers its employees.

But it's not for-real.

Google has already confirmed it's a fake, but the real fun is in figuring it out without asking the newest Internet giant for their two cents on the matter. Of course, the one group you can count on to do just that is a bunch of weblog readers. Not to mention real Google employees.

The most obvious tell-tale giveaway was an image that was posted on the Google Tooth blog, ostensibly of the new office space (click the image below to go to the blog entry):

Nice use of color and open space, eh? Only problem with the image is this photo from the SUNY Stony Brook web server (click the image to load it from the sunysb.edu server):

Amazing and uncanny resemblance. What do you figure the odds are?

This was a harmless enough - and even amusing - fake blog. Don't be surprised though if it ends up rubbing some people the wrong way. Fake blogs threaten some and amuse others. I thought it was creative and funny.

But people do get fooled:

• Silicon Beat - "Google's live-in dentist"
• Silicon Beat again - "Actually, we were just testing you"
• Google Blogoscoped makes it clear: "Google Dentist?"

Or maybe it's real and the trick is that people are saying it's not real, but what they're saying is actually the part that's not real.

Yeah, that's it.

Interested in checking out and beta testing the next version of Hotmail (code-named Kahuna)? Willing to provide feedback? Microsoft's newest web-mail client is in testing and the poll of testers is being expanded. You can sign up to be considered for testing here:

http://www1.imagine-msn.com/minisites/hotmail/Default.aspx

You can also see a few scrren snips and descriptions of some of the new features here.

Omar Shahine (Hotmail "front door" program manager and all-around good guy) posted the link to the signup on his weblog.

None last month, but nine security patches were released today for Patch Tuesday - three critical, four important and two moderate severity. So, do your testing where needed and then go get all patched up.

November Security Bulletins:

Critical
MS05-050 - Vulnerability in DirectShow Could Allow Remote Code Execution
MS05-051 - Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution
MS05-052 - Cumulative Security Update for Internet Explorer

Important
MS05-046 - Vulnerability in the Client Services for Netware Could Allow Remote Code Execution
MS05-047 - Vulnerability in Plug and Play Could Allow Remote code Execution and Local Elevation of Privilege
MS05-048 - Vulnerability in the Microsoft Collaboration Objects Could Allow Remote Code Execution
MS05-049 - Vulnerabilities in Windows Shell Could Allow Remote Code Execution

Moderate
MS05-044 - Vulnerability in the Windows FTP Client Could Allow File Transfer Location and Tampering
MS05-045 - Vulnerability in Network Connection Manager Could Allow Denial of Service

Note: The Dyn-O-Mat web site is now a different product, so all links have been removed from this article.

Hurricanes are certainly a hot topic these days, and the destruction that they can cause we've all come to see and know. A company called Dyn-O-Mat has developed a product that absorbs water into a gel, then drops to the ground. One cool thing about their product is that when it hits salt water, it liquefies again and dissipates, supposedly harmlessly.

Apparently the company already used the formulated polymer product to take a thunderstorm off the radar back in the summer of 2001, and they hope now to use it to combat hurricanes, probably in their early stages, or to reduce the severity of an existing one.

"The way the Dyn-O-Mat team is going after the storm is by using what is called a 'Venturi Action.' The Venturi Action can be described as a pie-shaped piece that will be cut from the outer band into the eye of the storm. The intended result of this action is to allow the system to use it's own strength on itself. Essentially disrupt the cell, in hopes of significantly weakening the devastating power of the storm."

I saw the product demo'ed on a television news show this morning, and it looks very interesting. It does what they say - load a bunch of water into a bowl with a little bit of the Dyn-O-Mat product in it, and the water is instantly sucked into the gel. Someone should load a bunch of C130s or C5s up with that stuff, drop it over a section of big storm out in the middle of the ocean somewhere, and see what happens. What the heck.

Now, I don't know how I feel - ethically that is - about shutting down random storms on a whim, since they're a part of how the world works and all. But I suppose if there was a bad one that was clearly going to kill lots of people, this product could prove to be a very good thing. The hard-core Darwinians among us may disagree, but my opinion is that if it's safe and saves lives, it's worth checking out.

Dyn-O-Mat storm-fighting web page: (removed as expired)

Sounds like tomorrow will be the day DirecTV announces their own branded and created PVR/satellite receiver combo unit, thereby leaving TiVo behind as their PVR enabler. Subscribers who already own DirecTiVo devices don't need to worry (they'll keep working), and it sounds like customers of the company may still be able to order TiVo-enabled receivers if they specifically ask for them (TiVo's the only option for recording DirecTV's HD programming, although there's not a whole lot of HD channels available, even nowadays... Can someone bring back VOOM?).

From nytimes.com: "DirecTV's standard DVR, originally set to be released this past June, will be introduced in late October, and another model featuring high-definition service will be introduced in mid-2006. The standard DVR will feature up to 100 hours of recordable space, compared with TiVo's 70 hours."

DirecTV will be spending some $30 million promoting their new PVR. I hope it's better than the crippled DirecTiVo units, but I'm not holding my breath. Mostly I just want one company to give me a really good, solid reason to fire DishNetwork as my service provider.

How to do that? Well here's a start:

• Receive and record HD programming. Including locals over the satellite. Seriously. I live just outside the range where I can receive OTA locals, and you already provide the standard def signal. Help a guy out, here.
• Record by program name and subscriptions to record all episodes of a program (like the season pass). Dish promised this on the HD PVR receiver I have, then didn't deliver. Ugh.
• Longer Live-TV replay/pause buffer (I hear rumor the new DTV receiver will have this feature)
• Give me native MediaCenter PC compatibility, damn it - I'm sick and tired of these won't-work-together, closed systems. It freakin' sucks dealing with virtual brick walls between all my technology devices, and I don't like it enough to where I won't buy unless you fix this problem.

But I don't want to switch from one inadequate provider to another. You have to convince me for real this time. In this market space, the historically slow-moving development and general mediocrity of it all is rather - uhhh - underwhelming. Someone "wow" me - please...

A friend asked me the other day about credit counseling, because she's trying to get her financial life squared away after some hard times. I figured this was a good place to put down some related thoughts, even though it's not tech-related. It's an important topic for many. You have to be very careful these days what you're getting yourself into, especially now that the new federal "Bankruptcy Abuse Prevention and Consumer Protection Act" is about to go into effect (November 17th). The act requires participating in some form of credit counseling (no one if sure what that means yet, of course) before one can declare bankruptcy. It also changes who can file which forms of bankruptcy based on median income levels, ability to pay and other factors. It's probably a good thing, but the whole credit counseling requirement is a potentially confusing and fraudulent mess.

The problem is this - While the "consumer credit counseling" industry has many worthwhile players, it is also plagued by a whole slew of useless, harmful and downright fraudulent thieves. Not all companies that offer "credit counseling" are legitimate. When it comes down to brass tacks, if you owe someone money, you owe the money. Negotiating settlements is always a possibility, but you do so at a cost, and unless an organization has a program to work with you to change your financial habits and learn how to budget, it's a big waste of time - and potentially a rip-off in the making.

Chances are very good that any company that promises to "repair" your credit score/record, when the entries that appear in your credit report are accurate and valid, is counting on the possibility that you're a sucker and is trying to take advantage of your emotional situation. Unfortunately, these rip-off businesses charge people who are already in financial straits serious amounts of money for a service and promises that they almost certainly can't deliver on. Don't do it.

Only false information can be reliably removed from a credit report, and even that often takes a bit of effort and a chunk of your time. If you want to "fix" your credit, there's one way to do it: Pay off your debts, pay the bills yourself (firms that offer to make payments for you are notorious for being late, which shows up as a black mark on your credit report), and make all of today's and tomorrow's payments early or on-time. It takes an extended period of time (like as in months or years) for a credit score to improve, and there is no overnight repair possible when you've made bad financial decisions. It sucks to hear that, but it's the truth. Most people who end up in credit hell are also the people who can't stand the thought of putting a few years of effort in to improve their situation. They want results right now, or in the very near future. Sorry, it doesn't work that way. Come to grips with that fact and accept that you can start making a difference today and see some very real long-term results down the road.

Most importantly, don't fall prey to "credit repair" and "credit counseling" companies that want to take your money up front and make promises they can't deliver on. Check out any companies you think you might want to work with in depth and before you engage them. Non-profit organizations are out there to help, but unless you're careful it might be difficult to tell them apart from the sharks. Don't fall prey.

NOTE: The United States Dept. of Justice has a list of approved credit counseling agencies by state. They also have information online about choosing a credit counselor.

My broadband phone service, which is purchased through Vonage, is better than ever after they recently sent me a new Linksys terminal adapter to replace the old Motorola one. Turns out that old device was wreaking havoc on call quality and reliability (big time). It even prevented my non-voice traffic from working reliably. But with the new hardware in place, all is well.

In fact, it's so good I actually completely forgot it was VoIP service for a while. I think that's saying something, really. When you can call and download and everything just works, you know someone's done something right.

So, for now you can chalk me up as one happy guy when it comes to my phone service. And that's better than it used to be, for sure.

Yahoo! and Ipsos Insight just published a study that shows there are more than six times as many unaware RSS users as there are people who know they're using it. These are some numbers that are worth thinking about.

In the report, "RSS - Crossing into the Mainstream," here's what we find out:

• 12% of users are aware of RSS.
• 4% of users have knowingly used RSS.
• There's some interesting information hidden in the demographics of different RSS users (aware, unaware, podcast consumers, etc.).
• One figure that stands WAY out: Of "unaware" RSS users, 72% get their RSS through My Yahoo! and 41% through My MSN.
• "Aware" RSS users subscribe to an average of 6.6 feeds each. Ummmm, more proof that I'm an addict I guess???
• and lots more...

It's clear that when you have an app that by its very nature makes it easy to consume RSS content, it no longer matters to the end user that RSS is the delivery vehicle. Many of the people benefiting from RSS don't even know what RSS is. All that matters to those kinds of people is the content. And believe it or not, we're not all uber-geeks.

So, it's a very good thing^(TM) that IE7, Safari, Firefox and even the new versions of the operating systems we all use will support RSS natively (or already do). And with more browsers right around the corner, the line between app and content is getting blurrier all the time.

Read the full 12-page report here, or the one-page brief synopsis here (both links are PDF docs).

And you thought GMail was a good deal...

MailNation is offering ad-free email accounts, ONE TERABYTE in size. That's 1,000 GIGABYTES. GMail's accounts are like 1/400th the size of that. And you don't need an invitation. Uh, wow. I just signed up for mine.

Web mail, POP3, IMAP - you choose. Sign up here.

(click to enlarge)

Here's the feature list from the MailNation site:

• FREE 1000GB Email (POP3/IMAP Access)
• 10MB attachment limit!
• Address Book/Notes/Tasks Spam Preventing Features For Your Protection
• WAP Access - Mobile Device (http://www.mailnation.net:90/mail/wap)
• Auto Message Responders & Auto Forwarders
• Multiple Web-Interface Styles & Multiple Languages Supported
• Always Count On Our Highly Ranked Email System & Server Reliability
• Sophisticated Search For Email Messages
• Never Have To Delete Again (Large Email Box)
• HelpDesk Ticket System For User Help, Comments, And Updates
• All emails (outgoing/incoming) are protected by TrendMicro Server Protect and Avast! AntiVirus (Dual Protection)
• Support Hotline

(via TechBlog)

Got a Tablet PC and wondering about games on the platform? Yeah, me too. Recently I've been thinking about the Tablet PC platform in general (I have had four different models in the past few years) and what could make a difference in terms of more real reasons to need one (as opposed to want one, but hey - I suppose 'want' counts for something, too).

Some games have incidental (as opposed to direct and intentional) support for the Tablet PC, but what games are out there that are designed specifically for the Tablet? I know it's hard to design and build expensive games for an audience that won't let you recover your dev costs, but someone has to start somewhere. Microsoft should really push this envelope harder.

I did some searching around, and discovered one that I missed before. It's called Arcs of Fire - and appears to be written in C#. It's made up of a game engine, the Tablet Game SDK, and the Tablet PC SDK. Tied together, the combined platform makes for a game environment that lets you leverage all kinds of features of the Tablet PC - like pen pointing, ink and drawing, and screen rotation. On the web site, there are whitepapers, video tutorials and overviews (see the documentation section), and a whole slew of other technical information about the game.

Heck, the Arcs of Fire web site is cool in and of itself - when I go to provide my info to download the game package (which weighs in at 50MB), I am presented with text input boxes that sense my Tablet pen input device. I write in ink, and the web site code leverages the Tablet bits (the TIP, I imagine?) to convert my ink to text by default - very cool.

The site's ink-enabled forums allow you to write handwritten forum posts. It's a bit hard (read: impossible) to index those in search engines (including the forum search), but the concept and execution are quite well done. The ASP.NET source for the ink forums is also available for download.

Granted, you have to use IE to do these fancy things, but hey - someone should be able to fix that problem...

The Game

Oh, that's right - there's a game on this site... The source code for the game is available on the download page for anyone who wants to tackle that. After downloading and running the MSI installer, which includes a distribution of the required DirectX 9, you're presented with a rather nifty game. It's simple, to be sure, and it takes some getting used to. But for a tank-vs-tank battle, it's an interesting gameplay experience.

It's not much more than what you're used to in shoot-the-other-tank games with third-person, cross-section view. The difference here is that you use the pen to fire your ammo at the other side. Pressure, speed and inking gestures all make a difference in how your rounds get fired at your enemy. Background music and sounds effects make it more fun.

I'd say this is a good start to something bigger and better, for sure. I was mostly (and pleasantly) surprised to find a site and game that are geared directly at the Tablet PC user. Makes me wonder what other games would lend themselves well to Tablet PC deployment. Maybe use the pen to draw your strategy plan for the Terrans to annihilate the Zergs? Or maybe draw your next play from the virtual huddle?

Check it out at http://www.arcsoffire.com/

Choose your player name (click to enlarge)

Game screen (click to enlarge)