After the secret source code for its then-unreleased shooter Half Life 2 showed up on file sharing services in 2003, game-maker Valve Software cooked up an elaborate ruse with the FBI targeting the German hacker suspected in the leak, even setting up a fake job interview in an effort to lure him to the United States for arrest.

The gambit ultimately failed, and Axel "Ago" Gembe remained safely in Germany. He was indicted last month in Los Angeles on new charges of creating the Agobot malware, and sharing it with a crew of U.S. hackers who used it to stage denial-of-service attacks in 2003.

In their paper, Practical attacks against WEP and WPAPDF, Martin Beck and Erik Tews have published details about their attacks on WPA secured networks. The attack is essentially a variant of the chopchop attack used against WEP secured networks, which surfaced in early 2005. The name "chopchop attack" is a nod to the KoreK-developed chopchop tool, which allows the user to decrypt an arbitrary encrypted data packet without having to know the WEP key.

The program slices off the last byte of a WEP packet. Under the assumption that the final byte was the zero byte, it attempts to reconstruct a valid checksum with an XOR link from the last four bytes to a specific value. Then it sends the packet to an access point and observes whether it is accepted. If not, it assumes that the sliced off byte was a 1 – in the worst case it continues this process all the way to 256. This process is then repeated for every other byte in the packet. Once finished, the attacker has the packet in plain text.

Google also added an additional feature that lets people verify their actual information by checking the data against phone records or credit card records.  Here's what Google had to say about the verify procedure.

"Profiles will display a 'verified name' badge, if the user has verified their name through Knol. Any user can go through Knol's interface to obtain the verified badge," Google said in a statement.

They are etched into the conventional wisdom of IT security, but are these 12 articles of faith (to some) actually wise, or are they essentially myths? We've assembled a panel of experts to offer their judgments.

The Mozilla Foundation has released Firefox version 3.0.4 to close nine security holes. The developers rated four of the holes as critical because they allow attackers to execute arbitrary code on the victim's system. One of the critical holes is a classical buffer overflow that can be triggered via specially crafted server responses.

A flaw in the way the browser restores a session after a program crash can cause Firefox to violate the same-origin policy when executing JavaScript code, which could be exploited to execute the code in the context of a different website. Attackers could remotely trigger a crash and subsequent restart to steal a user's access data to other web pages, for example.

Internet hosting site McColo disappeared on Tuesday. Along with it went thousands of pieces of spam, thanks, in part, to investigative work by Washington Post reporter Brian Krebs.

For about four months, security experts have been collecting data about McColo Corp., a San Jose, Calif.-based Web hosting service that may have been used by by the cyber underground, according to the The Washington Post. Krebs said that the McColo hosting company had been responsible for up to 75 percent of all spam spent.

Equifax on Thursday introduced it's first information card or I-card, Equifax Over 18 card. I-cards are envisioned to be the online equivalent of a driver's license, passport, or similar ID. The basic idea is that customers would have an electronic wallet with various information cards that would allow customers to bypass typing in user names and passwords.

In this case, the Equifax card proves--via a trusted third party--that you are over 18 when accessing specially marked Web sites. "With fraud and identity theft on the rise, companies need better, more secure ways to conduct transactions online and take their identity management practices to the next level," said Steve Ely, president of Equifax Personal Information Solutions, in a statement.

I’m happy to announce that Microsoft has released MS08-069 today. It’s got a lot of changes in it, but one in particular that I’ve been tracking for about a year now. MSXML has made a change so that HTTPOnly cookies cannot be read by XMLHTTPRequest within IE. Why is that good? It makes it so that JavaScript can no longer steal cookies that try to protect themselves. That’s a good thing.

It might seem like a big thing that that was even possible, but really it’s not as bad as it sounds, making this issue a lower priority in my mind. Cookies are rarely sent from the server to the client on every request and typically do require some information to be sent (like a username and password) before the Set-Cookie header is sent. So XMLHTTPRequest was really only useful for stealing cookies if the Set-Cookie header was sent on every request. Maybe there are some sites out there that do that, but it’s not that common. Either way, I’m glad MS got around to fixing it.

Visa is testing a new credit card that can generate a random-number passcode to help ensure it won't be used by unauthorized individuals.

In trials starting this week at four banks -- Bank of America UK, Corner Bank in Switzerland, Cal in Israel, and IW Bank in Italy -- Visa and EMUE Technologies are testing a Visa PIN card, an alternative to the "CCV" code currently printed on the back of most cards to help ensure that the individual is actually in possession of the card. The technology was first introduced in June.

After a Sunday virus definition update, AVG's antivirus software began to mistakenly warn users that their system had a virus entitled PSW. banker4.APSA and suggested it had to be removed. The file that was being flagged was actually "user32.dll," a key Windows file. Many users chose to delete the file, which resulted in their Windows systems going into an endless reboot cycle, or stopped them from booting at all. Only users of Windows XP Service Pack 2 and Service Pack 3 seem to have been affected (users who have moved to Vista can apparently breathe a sigh of relief). Both AVG 7.5 or 8.0 was affected by the flawed definition file.

1982: Fifteen-year-old Scott Safran of Cherry Hill, New Jersey, sets the world record score in the arcade game Asteroids — the longest-standing videogame high score in history.1

Safran, who had been practicing nonstop at the game for the previous two years, agreed to play a marathon session of Atari's popular outer-space shooting game as part of a charity event in Pennsylvania. His mother drove him to the event and lent him a quarter, which he dropped into the machine Nov. 13.

Pentagon mad-science division Darpa is helping build thought-controlled robotic limbs, artificial pack mules, real-life laser guns and "kill-proof" soldiers. So it comes as no surprise, really, that the agency is now getting into the flying-car business, too.

Darpa hopes its "Personal Air Vehicle Technology" project, announced yesterday, will ultimately lead to a working prototype of a military-suitable flying car -- a two- or four-passenger vehicle that can "drive on roads" one minute and take off like a helicopter the next. The hybrid machine would be perfect for "urban scouting," casualty evacuation and commando-delivery missions, the agency believes.

For the first time, astronomers have taken a visual image of a multiple-planet solar system beyond our own.

Using the Gemini North telescope and the W. M. Keck Observatory on Hawaii's Mauna Kea, researchers observed in infrared light three planets orbiting around a star about 130 light-years away from Earth, called HR 8799. The discovery, published today in Science Express, is a step forward in the hunt for planets, and life, beyond Earth.

Net eavesdropping firm NebuAd and its partner ISPs violated hacking and wiretapping laws when they tested advertising technology that spied on ISP customers web searches and surfing, according to a lawsuit filed in federal court Monday.

The lawsuit seeks damages on behalf of thousands of subscribers to the five ISPs that are known to have worked with NebuAd. If successful, the suit could be the final blow to the company, which abandoned its eavesdropping plans this summer after powerful lawmakers began asking if the companies and ISPs violated federal privacy law by monitoring customers to deliver targeted ads.

Google has fixed an a potentially devastating bug in its newly released Android operating system.

Some users of T-Mobile's G1 phone found that typing any word on the phone's keyboard — in any application — sent whatever they typed to the phone's command line shell.

Those commands were then executed with root user privileges, meaning there were no limitations on what the commands could do to the phone. For instance, texting the word 'reboot' would actually cause the phone to do so.

Steven Aftergood of Secrecy News dangles this tantalizing (if vague) tidbit about classification policy under the Obama administration:

    “I know things are going to change,” one executive branch official with national security classification responsibility said this morning.  “The folks that are inbound have a keen appreciation for the kind of things that need to occur,” the official said.

Aftergood notes that Center for American Progress honcho John Podesta, the Clinton White House alumnus who's heading up Obama's transition team, delivered a broadside against overclassification in testimony before Congress just a few months ago:

    Excessive secrecy conceals our vulnerabilities until it is too late to correct them. It slows the development of the scientific and technical knowledge we need to understand threats to oursecurity and respond to them effectively. It short-circuits public debate, eroding confidence in the actions of the government. It undermines the credibility of the information security system itself, encouraging leaks and causing people to second-guess legitimate restrictions.