Monday, September 21, 2009

Undead COBOL celebrates (another) 50th birthday

The name. Not the language.

By Cade Metz in San Francisco - The Register.

COBOL is celebrating its 50th birthday. Or at least the name is.

In May 1959, during a meeting at the Pentagon in Washington, D.C., the US Department of Defense organized a committee charged with developing a "short range" approach to a common business computing language. And on September 18th of that year, the new Short Range Committee coined the name COBOL, short for Common Business-Oriented Language.

The committee represented six big-name computer manufacturers (Burroughs Corp., IBM, Minneapolis-Honeywell, RCA, Sperry Rand, Sylvania Electric Products) and a trio of government agencies. By the end of the year, specifications for the new language were complete, and in 1960, they were approved by the Defense Department-backed Executive Committee. Some celebrated in May. Others are celebrating today. And no doubt, someone will celebrate sometime next year.

In any event, COBOL's range was longer than anyone could have expected.

According to November 2008 stats (PDF) from Datamonitor - the international research firm headquartered in London - the world is still running 200 billion lines of COBOL code and about 5 billion lines are added to live systems every year. Believe it or not, between 1.5 and 2 million developers are still working with the 50-year-old programming language.

In other words, little has changed since the days of Y2K.

So many other languages have come and gone over the past five decades - including MANTIS, FORTRAN, MUMPS, Forte, and Smalltalk - but COBOL refuses to die. In May, the UK-based business software outfit MicroFocus said the average American relies on COBOL at least 13 times a day while making phone calls, using credit cards, and commuting to work - among other mundane tasks.

Of course, much of this is down to inertia. COBOL has long run systems inside banks and network operators, so it continues to run systems inside banks and network operators.

"COBOL can trace its origins to the very start of the computer age, yet its applications continue to deliver to businesses and the public sector every single day," reads a birthday card from MicroFocus CTO Stuart McGill.

"In an industry constantly driven by innovation and the 'next big thing', it is a real testament to the language's resilience, flexibility and relevance to the task at hand that it is still so widely used today. Customers come to us to modernise their business critical applications – not rip them out – because they hold deep business intelligence and continue to deliver value every single day. The vast majority of these applications have been written in mature languages, such as COBOL."

COBOL was inspired by the FLOW-MATIC language, invented by a Navy officer named Grace Hopper, and by COMTRAN, developed by IBMer Bob Bemer.

Brute-force attacks target two-year hole in Yahoo! Mail

By Dan Goodin in San Francisco - The Register

Scammers are exploiting a two-year-old security hole in Yahoo's network that gives them unlimited opportunities to guess login credentials for Yahoo Mail accounts, a researcher said.

The vulnerability resides in a web application that automates the process of logging in to the widely used webmail service. Because it fails to carry out a variety of security checks performed by the login page Yahoo! Mail users typically use, it's providing criminals with a backdoor through which user accounts can be breached, said Ryan Barnett, director of application security research at Breach Security.

"If the front gate of your castle is your login page to Yahoo Mail, they've done a good job of securing it," he told The Register. The web application amounts to "some sort of water tunnel that the bad guys are walking right through."

Over the past seven weeks, a sensor deployed by WASC, or the Web Application Security Consortium, has detected "a few thousand" or more attempts to use the unprotected web application to carry out brute-force attacks on user passwords, Barnett said. Because the sensor is installed on just one of a massive number of open proxies, the honeypot is likely detecting only a small fraction of the overall activity, he added.

The data is some of the first to confirm what security professionals have suspected for almost a decade: A major contributor to the steady stream of account hijackings on a wide range of sites is overlooked backend web applications that aren't properly locked down.

"I fought these exact kinds of attack when I was at eBay," said Laura Mather, a former security employee at the online auction house who is now VP of product marketing at a company called Silver Tail Systems. "Almost every site I can think of has this problem."

Jeremiah Grossman, CTO of White Hat Security, concurred. "Every major social network and portal is seeing this brute-force attack," he said. "Now that Ryan has put this out, it's exposing what we already knew to be true."

The web application in this case appears to be a backend application programming interface that allows customers of Yahoo partners to check their Yahoo Mail without having to leave the partner website. Because it contains the text "config/isp_verify_user" in URLs, it's easy to track it using search engines. This Google search, for instance, showed hundreds of locations on Yahoo's network where it was deployed.

Among the security lapses leading to abuse of the API is its failure to implement what are known as access control lists, which restrict the computers that are allowed to use the service. While best practices dictate that only qualified partners have access to it, at the time of writing, anyone could tap into it and plug in usernames and passwords to authenticate Yahoo Mail accounts.

Another failure is the wealth of information the app returns when invalid information is entered. When a user enters the wrong password for a valid username into Yahoo Mail's front end system, it returns a terse error message that says only that either one of them is incorrect.

By contrast, plugging a valid user ID and wrong password into the API returns a message that indicates the username is valid. And that gives attackers information that proves invaluable in further compromising the account. Armed with that information, criminals can run a long list of the most commonly used passwords against the user IDs. Because Yahoo has virtually no rules barring the use of weak passwords - "123456" is perfectly acceptable, for instance - a decent percentage of credentials can be deduced.

What's more, the front end presents Yahoo Mail users with a captcha if they've entered incorrect passwords an excessive number of times, a measure designed to thwart automated cracking scripts. The API, by contrast, never implements a captcha no matter how many incorrect credentials are entered.
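As an added illustration (not code from the article, from Yahoo or from Breach Security), here is a minimal verification endpoint that applies the three controls the article says the API lacked: an access control list on the caller's network, a uniform failure response that does not reveal whether the username exists, and a per-account and per-client failure counter that forces a challenge once guesses pile up. The account, the password, the network range and the helper names are all constructed for this example.

```python
import hashlib
import hmac
import ipaddress
import time
from collections import defaultdict

# Constructed demo settings; a production system would use a slow password hash
# (bcrypt, scrypt or Argon2) and shared storage for the failure counters.
_SALT = b"constructed-demo-salt"
MAX_FAILURES = 5          # failures per account or per client before a challenge is required
WINDOW_SECONDS = 900      # sliding window over which failures are counted
# The access control list the article says the API lacked: only partner networks may
# call it. 198.51.100.0/24 is a documentation range used here as a placeholder.
PARTNER_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

def _digest(password):
    return hashlib.sha256(_SALT + password.encode()).digest()

USERS = {"alice": _digest("correct horse battery staple")}   # constructed account
_DUMMY = _digest("unused")      # compared for unknown users so timing stays similar
_failures = defaultdict(list)   # "user:<name>" / "ip:<addr>" -> recent failure timestamps

def _recent_failures(key, now):
    _failures[key] = [t for t in _failures[key] if now - t < WINDOW_SECONDS]
    return len(_failures[key])

def verify_user(username, password, client_ip, now=None):
    """Return 'OK', 'DENIED', 'CHALLENGE' or 'FORBIDDEN'.

    Unlike the leaky API described above, a wrong username and a wrong password
    produce the identical 'DENIED' response, so the caller cannot enumerate accounts.
    """
    now = time.time() if now is None else now
    if not any(ipaddress.ip_address(client_ip) in net for net in PARTNER_NETWORKS):
        return "FORBIDDEN"                      # caller is outside the ACL
    keys = ("user:" + username, "ip:" + client_ip)
    if any(_recent_failures(k, now) >= MAX_FAILURES for k in keys):
        return "CHALLENGE"                      # the captcha/lockout step the API skipped
    stored = USERS.get(username, _DUMMY)
    if not (hmac.compare_digest(stored, _digest(password)) and username in USERS):
        for k in keys:
            _failures[k].append(now)
        return "DENIED"                         # same answer for bad user and bad password
    return "OK"

def responses_for(username, passwords, client_ip, now):
    """Feed a constructed list of guesses through the endpoint and return the responses."""
    return [verify_user(username, p, client_ip, now) for p in passwords]
```

Running a constructed list of common passwords through `responses_for` shows the endpoint answering "DENIED" for the first five guesses and "CHALLENGE" from the sixth, which is the behaviour the front end had and the API did not.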

"They're cycling through different common usernames, different common passwords," Barnett said, describing the modus operandi of many password crackers. "At least if a web application locks out an account or does something if it's under attack, that might buy you some more time. If they have unrestricted access to run these kinds of scams, then it's just a matter of time."

Once breached, the accounts prove to be a spammer goldmine, since spam filters typically give webmail services the green light. Even worse, criminals can use the accounts to break into other, more lucrative accounts, such as those used for bank accounts and other financial services.

Barnett, who earlier this week blogged about the vulnerability here, said he's known of the flaws in the Yahoo API for years. He brought them to the attention of Yahoo officials in 2007, but as of Friday it still hadn't been fixed, he added.

"Yahoo! takes online security very seriously," a company spokesman said. "We are investigating the situation and will take appropriate action."

Wednesday, July 22, 2009

What is a pixel shader?

A pixel shader is a type of shader program, often executed on a graphics processing unit. It is typically used for scene lighting and related effects such as bump mapping and color toning, which provide crisper and more realistic graphics. Microsoft's Direct3D and Silicon Graphics' OpenGL support pixel shaders. In OpenGL, however, a pixel shader is called a fragment shader.

A pixel shader is a piece of program code which is usually built into a video graphics chipset and its drivers. Its purpose is to enable more lifelike lighting effects on 3D models, usually for gaming. Pixel shader technology has been instrumental in recent advancements in 3D graphics technology. Many new games require a certain level of pixel shader technology. While it is possible to emulate this using software, it is much more stable, and results in much better performance, if the system is upgraded with a new video card with built-in pixel shader technology.

Pixel shader support is a hardware capability. Therefore, it is not possible to download it - it must be supported by the graphics card.

To answer your question directly, you will need to install a graphics card that supports pixel shaders to be able to run games which need it. Most modern games utilize Pixel Shader 2.0 or greater, so it would not be advisable to purchase older ones.

The following cards support Shader Model 1.x:

- ATI Radeon 85xx Series (1.4)

- ATI Radeon 9000 Series (1.4)

- ATI Radeon 9100 Series (1.4)

- ATI Radeon 92xx Series (1.4)

- NVIDIA GeForce3 Ti (1.1)

- NVIDIA GeForce4 Ti (1.3)

The following cards support Shader Model 2.0:

- ATI Radeon 95xx Series

- ATI Radeon 96xx Series

- ATI Radeon 9700 Series

- ATI Radeon 9800 Series

- ATI Radeon X7xx Series (2.0b)

- ATI Radeon X8xx Series (2.0b)

- NVIDIA GeForceFX Series (2.0a)

The following cards support Shader Model 3.0:

- ATI Radeon X1x00 Series

- NVIDIA GeForce 6 Series

- NVIDIA GeForce 7 Series

Some laptops have onboard cards that do as well.