The latest versions of Ubuntu have an urgent security issue that must be patched immediately.

Other Linux distributions are not affected.

The problem is how Ubuntu developers assigned excessive access rights to pam_motd for it to access the file motd.legal-notice in a user’s local cache directory. This file just exists to create user’s file stamp but root level rights were given to the module. Big oops.

A local attacker only needs to create a symlink from a user cache to the password file to gain root access.

Patches can be found here.

The BBC says the European Parliament bans illegal timber

The new law will force companies operating in the EU to produce “chain of supply” documentation so that, in principle, each piece of timber can be traced right back to its source.

This extends a rapidly growing field in security. The first thing that comes to my mind is that this ban will increase pressure to devise ways to prevent illegal goods from being injected into and masked by legal shipments. Already there is huge demand for skills and technology to securely identify and transport military, food and pharmaceutical goods.

The Forestry Department offers a document called Best practices for improving law compliance in the forest sector that indicates log tracking is still very primitive.

Oregon State University issued a press release a few years ago with examples of how well security technology works and could be improved.

“At the moment, we have ways of tracking logs that are only partially effective,” Murphy said. “Bar coding is awkward and leaves plastic tags or metal staples that can cause problems in mills. Radio frequency identification tags are very expensive; with some pulp logs they might cost more than the product you are selling. So we need improved technologies.”

Aroma tagging, Murphy said, is already being used in the marketplace – some manufacturers have used it to help prevent brand piracy. The food industry uses electronic nose systems to measure freshness, the medical profession to detect disease, natural gas companies to detect leaks and in law enforcement to identify drugs or explosives.

Interesting problems to solve. It also brings to mind political issues related to Chinese industry regulation and the relationship with Africa.

China’s failure to take meaningful action against illegal logging and timber imports, failure to meet existing commitments or even to adopt meaningful policies is alarming. China’s continuing spectacular increase in imports of logs and timber, much of it illegal in origin, to either manufacture for re-export to the United States and other countries or for its domestic use and the large scale Olympics building program underway is, in effect, fuelling a crisis that the United States and other G8 nations have given increasing priority, including in the Gleneagles Summit in the UK last month when commitments were made to end imports of illegally logged products.

China’s role in Africa’s illegal logging crisis is predatory in nature and poses a threat to forests, the communities that rely on them and weak governments susceptible to corruption.

The New York Times has posted a story of how schools are implementing technology to try and fight high-tech cheating on tests.

Here is an example of how procedures and controls are put in place to make it difficult for students to cheat on a computer test without detection.

No gum is allowed during an exam: chewing could disguise a student’s speaking into a hands-free cellphone to an accomplice outside.

The 228 computers that students use are recessed into desk tops so that anyone trying to photograph the screen — using, say, a pen with a hidden camera, in order to help a friend who will take the test later — is easy to spot.

Those who run the system boast about its success, strictly from a measure of investigations.

Taylor Ellis, the associate dean who runs the testing center within the business school at Central Florida, the nation’s third-largest campus by enrollment, said that cheating had dropped significantly, to 14 suspected incidents out of 64,000 exams administered during the spring semester.

This all begs a giant question of what is really being accomplished.

Tests are setup in an automated fashion to reduce cost (e.g. standardized and multiple-choice), which naturally makes cheating easier and adds cost right back in — to implement anti-cheating measures.

What if the cost was shifted back? Move it from security controls and into a more dynamic test and instruction model that makes cheating irrelevant. Pay teachers to be more involved, in other words, and hire more of them.

An even more radical question on this issue is whether individualized standardized tests are outdated in a world where technology-based collaboration skills are essential. Solutions will come more from group and crowd approaches instead of sole contributor. Why not let students practice this on tests? Certain exams thus could be setup to allow technology collaboration on tests, an updated version of open-book.

Bruce has posted on his blog today a link to a philosophical review of surveillance in the context of morality. It evaluates the concept of surveillance as a form of guidance using Kantian reasoning. I replied to him in the comments section.