Vulnerability Arbitration – Neat Idea For Responsible Vulnerability Disclosure

Vulnerability disclosure is the practice of publishing information about a problem, often one related to computer security, which, if left unreported, can have serious consequences. One of the contentious points in disclosure is how much information should be disclosed. Too little information might result in the disclosure being brushed off, and too much gives people willing to exploit the vulnerability a head start in causing serious damage with it.

Vulnerability Arbitration (Vulnarb) is a neat concept by Zed Shaw which aims to help security researchers, consumers, and the affected companies deal with security vulnerabilities in a timely and responsible manner.

Vulnarb helps

  • Security researchers disclose the vulnerabilities they found in a responsible way
  • Consumers learn which products are affected, without learning what the vulnerability is
  • Companies by giving them an incentive to fix security holes

The idea behind Vulnarb is to use a site's public SSL certificate together with a generated random key to encrypt the vulnerability disclosure. The affected company can then use the private key behind its SSL certificate to decrypt the message and act on it. Once the vulnerability has been fixed, the company can publish the decrypted disclosure, indicating that it has been fixed, or indicate that the disclosure is incorrect.
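The hybrid scheme just described, as an added Go example that is not Vulnarb's own code (the post does not describe Vulnarb's actual format): a random AES key encrypts the report, and the RSA public key taken from the site's certificate wraps that key, so only the holder of the matching private key can open the envelope. The vendor certificate and report are constructed for the example; the certificate is assumed to carry an RSA key, since a site with an ECDSA certificate cannot be addressed this way, which is the check in Seal.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// Sealed is what the researcher publishes; only the site's private key can open it.
type Sealed struct{ WrappedKey, Nonce, Ciphertext []byte }

// Seal encrypts report for whoever holds the private key behind certDER (a DER-encoded X.509 cert):
// a fresh AES-256-GCM key protects the text, and RSA-OAEP under the cert's public key wraps that key.
func Seal(certDER, report []byte) (*Sealed, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey) // ECDSA/Ed25519 certs cannot wrap a key this way
	if !ok {
		return nil, errors.New("certificate does not carry an RSA public key")
	}
	buf := make([]byte, 44) // 32-byte AES key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // key size is fixed above, so NewCipher/NewGCM cannot fail
	gcm, _ := cipher.NewGCM(block)
	return &Sealed{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, report, nil)}, nil
}

// Open is the company's side: unwrap the AES key with the private key, then decrypt.
// GCM authentication makes a tampered envelope fail instead of decrypting to garbage.
func Open(priv *rsa.PrivateKey, s *Sealed) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, s.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
}
```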

For the time being, Zed has indicated that this is a concept and has invited people to test it out and see if it can work. Indeed, this looks like a great idea. Do feel free to head over to Vulnarb, check it out and drop in a comment or two about this.

Tivo, Walgreens, Citi Amongst Others Hit By Epsilon Security Breach

Epsilon, a marketing firm acquired by Alliance Data which handles loyalty marketing for several big brands, was hit by a security breach that resulted in the infiltration of its email systems. Epsilon maintains that only a subset of its user data was harvested and that, as of now, only email addresses and usernames were gathered.

Security Now, which initially reported that only Kroger, the United States' largest traditional grocer, was hit, has now confirmed that several other big brands were also affected. Some of the brands hit include:

  • Brookstone
  • Citi
  • Home Shopping Network
  • JP Morgan Chase
  • Kroger
  • Marriott Rewards
  • McKinsey & Company
  • New York & Company
  • Ritz-Carlton Rewards
  • The College Board
  • TiVo
  • US Bank
  • Walgreens

Epsilon's assessment has determined that no other personally identifiable information is at risk, and the company is currently investigating the matter.

Citi tweeted about the breach with a link to the message on Citi’s site, calling upon users to be careful about phishing scams via email.

Please be careful of phishing scams via email. Statement from Citi for our valued Customers regarding Epsilon & email

TiVo has also issued a public interest message, maintaining that no credit card details or other such personally identifiable information were available to Epsilon and that such data is therefore safe.

While it might be thought that harvesting customer names and email addresses does not pose much of a threat, such data in the hands of spammers is likely to result in much more personalized phishing attempts.

To be safe from phishing, never click on links or open email attachments from unknown sources. Remember: no one will ever ask you to confirm your password or credit card details by entering them in a web page!

Snaps Dimdim, Won't Update Its OSS Codebase Anymore

I had a rude awakening this morning as I sipped my coffee and glanced at my email inbox. The first thing that caught my eye was the email from Dimdim stating

Dimdim acquired by

That's neat, I thought, and proceeded to look at the mail contents.

Dimdim email

So, if you have an account on Dimdim, you'll be able to use it until March 15. Beyond that?

I am interested in upgrading my account or extending my subscription, can I do this?
Account upgrades and renewals are no longer available.

All accounts will be maintained with full functionality until their expiration dates. We will not issue refunds.

The open source code made available by Dimdim remains available on Dimdim will no longer be contributing to this project.

So, Dimdim will not extend subscriptions, will no longer maintain the open source codebase, and will not give refunds. Great!

Sad to see another great web conferencing service shut down.

Complete Guide to Rooting Nexus S

Earlier we had posted a guide on rooting the Nexus S. While that guide works well on 32-bit Windows systems, the USB drivers for 64-bit Windows are flaky, and more often than not putting the device in fastboot mode results in a cryptic "waiting for device" message. The information for fixing this is available on the web, but scattered. So here's a complete guide to help you root your Nexus S.

Before we start, you'll need the following software:

  • Android SDK: download the Android SDK from here. Don't download the drivers separately; we'll get them through the SDK.
  • PDANet drivers: these are required to detect the Nexus S in fastboot mode.
  • ClockworkMod Recovery: we'll use this to install Superuser, which provides root access.
  • Superuser application: this grants superuser (aka root) access to the applications that require it.

Actual Steps

Enable USB debugging on your Nexus S. To do this, tap the grid icon > Settings > Applications > Development and make sure the USB debugging checkbox is checked. Next, extract the compressed SDK files to a directory (say, c:\android) and launch SDK Manager.exe from c:\android. Click on Available Packages and install the Google USB driver package. Now connect the Nexus S to your computer. When prompted, do not enable USB storage on the Nexus S. Right-click on My Computer, click on Manage and double-click on Device Manager. The Nexus S should show up as an unidentified device.

Right-click on it, then click on Update drivers and Browse My Computer.

Now point to the location of the USB drivers. It should be C:\android\google-usb_driver, assuming the Android SDK was extracted to c:\android. Click Next and proceed with the driver installation. Now open a command prompt and type the following:

adb devices

adb devices should show a serial number, indicating that the device has been identified.

Now we'll install the PDANet drivers to ensure that the Nexus S gets identified in fastboot mode. Follow the instructions during the PDANet installation. You'll be warned about unverified drivers; ignore the warning and choose to install the drivers. Once installation is complete, head back to the command prompt.

Put the device in fastboot mode by typing in

adb reboot bootloader

Your Nexus S is now in fastboot mode. The PDANet drivers should get installed automatically, and Windows should identify the device (instead of showing the "waiting for device" prompt).

Next, unlock the bootloader by typing

fastboot oem unlock

You should get feedback similar to that in the screenshot below.

Next, we'll install the custom recovery, which will let us set up root access. Copy the ClockworkMod recovery image file to c:\android\tools. Flash the recovery by typing

fastboot.exe flash recovery <name-of-the-recovery-mod>

Now move the Superuser application to the phone by typing

adb push <> /sdcard/

Replace <> with the actual location of the file.

Now start your Nexus S in recovery mode: switch it off, then hold Volume Up + Power. The device will boot into fastboot mode; choose recovery mode from there. Once in recovery mode, navigate to the Mounts & Storage menu and choose mount /sdcard. Go back, choose apply /sdcard/, and choose the Yes Install option in the next menu. You should see an "Install from sdcard complete!" message. Choose reboot now.

Congratulations, your Nexus S is now rooted.


The steps are a little verbose since I'm writing this from an Android newbie's point of view (I'm an Android newbie). Looking back, it really isn't that complicated, but I had to look at several sources and pester fellow Techie-Buzz author Rajesh to get it done. I hope this article will help you root your Nexus S without having to hunt and peck for information. Drop a comment if you have any questions.

Oracle Reaches For The Cloud With Cloud Office

In an effort to catch up with Microsoft, Google, Zoho and other online document suite providers, Oracle announced the availability of its online office suite, dubbed Oracle Cloud Office.

Oracle Cloud Office features a web-based word processor, spreadsheet and presentation software capable of viewing, editing and exporting to the Open Document Format (ODF) as well as Microsoft Office formats. Oracle Cloud Office also integrates with Oracle Open Office, allowing you to publish documents from your local desktop to the cloud, where you can edit them with Oracle Cloud Office.

Oracle Cloud Office is available as Software as a Service (SaaS) and also allows for custom branding and deployments.

Parrotfish raises #newTwitter’s inline media providers to 165

One of the things that I really love about #newTwitter is the inline display of media via oEmbed. In simple terms, #newTwitter displays media from some of the most common media providers inline in the tweet details. For instance, here's how twitpic looks.


As of now, #newTwitter supports 31 providers. Until now, that is. Enter Parrotfish. Parrotfish extends #newTwitter's default providers to 165 sites, including WordPress, ESPN, Posterous and Tumblr, amongst others. If that wasn't good enough, Parrotfish also has Instapaper support, so you can mark a link as Read Later and it will get added to your Instapaper's Read It Later list.


Parrotfish is currently available as a Chrome extension (Chrome v4+). It is a must-have extension if you spend loads of time on Twitter, and a worthy addition to our list of the best Chrome extensions.

Hotot – The Best Native Twitter Client For Linux

There are quite a few Twitter clients for Linux, some native (Gwibber, choqoK, Qwit), others based on Adobe AIR (TweetDeck, Twhirl, DestroyTwitter). However, I'm not entirely happy with most of them. The problem with AIR-based clients is that they often bog down the system or just look... different on Linux. When it comes to native clients, Gwibber seems just too buggy, and choqoK and Qwit don't exactly have the best-looking UI. Hotot is poised to change this scene.

Hotot is a soon-to-be-released Twitter client being actively developed by Shellex and a few other developers. What makes this project even more intriguing is the variety of languages used to develop it: Hotot uses a combination of Python and JavaScript with the GTK toolkit and WebKit. The result is one fantastic-looking application.

Hotot features the standard tabs: the main timeline, mentions, direct messages, and a search pane for looking up profiles and other general searches.


Activating each of these tabs triggers a slick sliding transition that makes you want to click on the tabs every few minutes. Even better, each of these tabs features threaded replies (which you can expand/collapse), inline display of media, and other features which most Twitter clients skimp on, such as Reply To All, old-style retweets, and ReTweets (including your tweets as retweeted by others).


To make things even better, Hotot supports extensions, supports native desktop notifications in both GNOME and KDE SC, is extensively customizable, and is open source.

Hotot is currently at version 0.9 and should be out soon. If you're itching to try it out, check the instructions here to see how you can install it. Trust me, it's worth the install.

Oracle Rolls Out The First Beta Version of VirtualBox 4

VirtualBox, one of the best (and my personal favorite) virtualization applications, has just gotten a new lease on life. The developers of VirtualBox have uploaded the first beta of their next major release, VirtualBox 4.

One of the notable changes is the way features are going to be made available.

As of version 4.0, certain features of VirtualBox are shipped as part of external packages (extpacks).

As of now there is one such extension pack, the PUEL extension pack, which adds support for USB 2.0, an RDP server and the PXE bootloader with E1000 support. It would seem that Oracle intends to ship only one version of VirtualBox, with extra (closed-source?) features added on as extension packs. And given the way Oracle has acted previously, it wouldn't be surprising if some paid extras get tacked on.

Some of the new features included in this major release:

  • Support for resizing existing virtual hard disk images (finally!)
  • Support for copying files into the guest filesystem
  • Support for auto-update of Guest Additions (Windows only, as of now)
  • Intel HD Audio is available as one of the audio hardware options for the guest.

For a detailed list of changes, check out the VirtualBox forums. You can grab the downloads from here. And as with any beta software, don't use it in your production environment!

Google Chrome Brings in Sandbox for Adobe Flash Content

Over time, Google Chrome has earned a reputation as one of the fastest and most secure browsers. Chrome attributes much of its security to its sandboxing model, which runs each tab in a separate process so that tabs cannot interfere with one another.

Google Chrome Sandbox

Google Chrome has gone the extra step of ensuring that one of the most frequently exploited pieces of software, Adobe Flash, stays up to date by bundling Flash Player and auto-updating it. Extending this further, with the latest dev channel builds Chrome also sandboxes Adobe Flash content. Chrome developers state that Chrome is the first browser on Windows XP to sandbox Adobe Flash content and hope this will protect users against the most common malware.

For whatever reason, if you want to disable Flash sandboxing, add --disable-flash-sandbox as a command line parameter to your Chrome shortcut and you're set.

Linux Kernel Attracts 5 patches per hour – The Linux Kernel Report

The Linux Foundation has published their annual document highlighting the state of the Linux kernel development.

This year, the number of commits has decreased by 18%, in contrast to the previous year's significant increase. The report attributes the previous year's higher commit count to the release of the 2.6.30 kernel, which brought in new additions such as the Btrfs filesystem and perf. This year, however, saw a decrease due to the maturity of existing components such as ext4.

Release Frequency & Rate of Change

Over the past year, 3 versions have been released (2.6.33, 2.6.34 and 2.6.35), with each version being in development for 84, 81 and 77 days respectively.

2.6.33, 2.6.34 and 2.6.35 brought in 10.8k, 9.4k and 9.8k patches respectively, an average of 5 patches per hour. 2.6.35 currently stands at about 13.5 million lines of code, up about 1.5 million lines since last year's update.

Who’s doing all this work ?

2.6.35 attracted a total of 1,187 different individuals and 184 different companies. David S. Miller, Ingo Molnar and Al Viro are the top individual contributors at 1.3%, 1.2% and 1.2% of the overall total respectively. It's interesting to note that Linus doesn't feature in the top-30 list of contributors by patches; this is primarily due to Linus' role as a reviewer and his handling of patch merges.

How many sponsors?

Interestingly, people with no financial backing from any company account for 18.9% of the total commits. Red Hat comes in second at 12.4%, and Novell at about 7%. Amongst companies involved in embedded and mobile device development, Nokia's contribution weighs in at about 2.3%. Although Google employs some senior kernel developers such as Theodore Ts'o, its contribution is about 0.6%.

These are some excerpts from the published paper; you can grab the full details over here [PDF link].