::Trend Micro Threat Resource Center::

20 September 2011

Microsoft TechDays Singapore 2011

The premier technical conference is coming to Singapore!

TechDays Singapore 2011 provides IT Professionals and Developers with comprehensive insights on Microsoft cloud technology and learning opportunities to manage cloud infrastructure, integrate with cloud platforms and develop modern applications.

Check out the details here:
http://www.microsoft.com/singapore/techdays/

Register by 30 September 2011 to enjoy early bird pricing at S$69! (Standard pricing at S$99 applies thereafter.)

02 September 2011

Facebook pays bug hunters $40,000 in three weeks

The recently introduced Facebook bug bounty program has proved to be a great success, says Joe Sullivan, the company’s chief security officer.

"We know and have relationships with a large number of security experts, but this program has kicked off dialogue with a whole new and ever expanding set of people across the globe in over 16 countries, from Turkey to Poland, who are passionate about Internet security," he added. "The program has already paid out more than $40,000 in only three weeks and one person has already received more than $7,000 for six different issues flagged."

He also pointed out that $500 was the minimum sum received for a discovery of a bug, but that one particular report brought $5,000 to its author. Unfortunately, he didn't disclose how the Facebook security team rates the discoveries and decides on the payout.

In spite of many requests to include bugs found in third-party applications and websites that can be connected to the users' Facebook identity, the bug bounty program remains limited only to bugs that could compromise the integrity or privacy of Facebook user data.

Bug bounty programs have previously been instituted by Google and Mozilla. And even though Adobe and Microsoft still decline to take that step, Microsoft has instituted a competition that aims to amply reward security researchers who develop innovative computer security protection technologies.

01 September 2011

Linux source code repository compromised

The Kernel.org website - home to the Linux project and the primary repository for the Linux kernel source code - sports a warning notifying its users of a security breach that resulted in the compromise of several servers in its infrastructure.

The discovery was made on August 28th, but according to the current results of the investigation mounted by the site's team, the break-in seems to date back to August 12 or even earlier.

The attackers are thought to have gained root access on a server via a compromised user credential, and to have escalated their privileges from there. How they managed to do that is still unknown.

After having done that, they proceeded to modify files belonging to ssh (openssh, openssh-server and openssh-clients) and add a Trojan to the system startup scripts so that it would run every time the machine was rebooted.

Luckily for everyone, the Linux kernel source code is unlikely to have been tampered with.

"That's because kernel development takes place using the git distributed revision control system, designed by Linus Torvalds," it is explained. "For each of the nearly 40,000 files in the Linux kernel, a cryptographically secure SHA-1 hash is calculated to uniquely define the exact contents of that file. Git is designed so that the name of each version of the kernel depends upon the complete development history leading up to that version. Once it is published, it is not possible to change the old versions without it being noticed."

"Those files and the corresponding hashes exist not just on the kernel.org machine and its mirrors, but on the hard drives of each of the several thousand kernel developers, distribution maintainers, and other users of kernel.org. Any tampering with any file in the kernel.org repository would immediately be noticed by each developer as they updated their personal repository, which most do daily."

The 448 users of the site have been notified of the breach and have been advised to change their login credentials and SSH keys.

According to the notice, US and European authorities have been notified about the breach and asked to help with the investigation. The administrators have, in the meantime, proceeded to take the servers offline and reinstall them, and to make a thorough analysis of the code within Git (the distributed revision control system) in order to make absolutely sure that nothing was modified.
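The property described in the kernel.org statement quoted above, that a version's name depends on every file and on the whole history before it, can be reproduced by computing Git object names by hand. This is an added example, not code from kernel.org or the Git project; it handles only flat directories of regular files, and the file names, contents, author identity and timestamp are constructed.

```python
import hashlib

def git_object_id(obj_type, body):
    """Git's object name: SHA-1 over '<type> <size>' + NUL byte + body."""
    return hashlib.sha1(f"{obj_type} {len(body)}\0".encode() + body).hexdigest()

def tree_body(files):
    """Flat directory: 'mode name' + NUL + raw 20-byte blob id, sorted by name."""
    out = b""
    for name in sorted(files):
        blob = bytes.fromhex(git_object_id("blob", files[name]))
        out += b"100644 " + name.encode() + b"\0" + blob
    return out

def commit_id(files, parents, message):
    """A commit names its tree and its parent commits, so its id covers both."""
    lines = ["tree " + git_object_id("tree", tree_body(files))]
    lines += [f"parent {p}" for p in parents]
    # Constructed identity and fixed timestamp keep the ids reproducible.
    who = "Example Dev <dev@example.invalid> 1314835200 +0000"
    lines += [f"author {who}", f"committer {who}", "", message, ""]
    return git_object_id("commit", "\n".join(lines).encode())

def history_ids(snapshots):
    """Commit ids for a linear history; each commit records its parent's id."""
    ids = []
    for n, files in enumerate(snapshots):
        ids.append(commit_id(files, ids[-1:], f"release {n}"))
    return ids

def first_divergence(trusted_ids, served_ids):
    """Index of the first commit whose id differs, or None if they all match."""
    for i, (a, b) in enumerate(zip(trusted_ids, served_ids)):
        if a != b:
            return i
    return None

# Constructed sample: a developer's clone versus a server copy whose OLDEST
# version was altered after publication.
TRUSTED = [{"Makefile": f"VERSION = {n}\n".encode(),
            "main.c": b"int main(void) { return 0; }\n"} for n in range(3)]
SERVED = [dict(s) for s in TRUSTED]
SERVED[0]["main.c"] = b"int main(void) { return 1; }\n"

if __name__ == "__main__":
    local, remote = history_ids(TRUSTED), history_ids(SERVED)
    for i, (a, b) in enumerate(zip(local, remote)):
        print(i, a[:12], b[:12], "ok" if a == b else "MISMATCH")
    print("first divergence at commit", first_divergence(local, remote))
```

Changing one file in the oldest version changes that commit's id and, through the parent links, the id of every later commit, which is the mismatch a developer's existing clone surfaces on the next update.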