corigin.com

I Don’t Believe in Imaginary Property sends us news from F-Secure of what they claim is the first rogue cleaning tool for the Mac. MacSweeper is a Mac version of Cleanator, hosted from a colo somewhere in the Ukraine. The article points out that the company’s About page is lifted verbatim from Symantec’s site. With the Mac’s market share closing in on double digits, perhaps it’s not surprising to see the platform targeted with crapware as PCs have been for years. The F-Secure author adds as a footnote that a journalist said to him something you don’t hear every day: “I visited the macsweeper.com website. I know I probably shouldn’t have but I used a Windows PC so I knew I wouldn’t get infected.”

Read more of this story at Slashdot.

It used to be that if you avoided sketchy Web sites and were very careful about clicking on links in e-mail messages, your odds of acquiring a nasty worm or trojan through a drive-by download were pretty low. That may…

Anonymous writes “Security researchers Greg Hoglund and Gary McGraw poked around in World of Warcraft and other online games, finding vulnerabilities and exploiting the system using online bots and rootkit-like techniques to evade detection. Their adventures in online game security became fodder for the book, Exploiting Online Games. McGraw discussed with securityfocus the state of security in modern video games, cheating and anti-cheating systems, how the market for cheats, exploits, and digital objects is growing, what we could learn from the design of these huge systems, and how game developers react to submissions of security vulnerabilities.”

Read more of this story at Slashdot.

The agency’s proposed “server in the sky” database would share biometric data on the world’s most-wanted criminals.

sjbe sends in an old story with a poetic justice ending. Almost a year ago Chris Soghoian blogged about multiple security holes exposing visitors to a TSA site to possible identity theft. Wired and others picked up the story and the TSA took down the insecure site and fixed the problems. On Friday the US House of Representatives Committee on Oversight and Government Reform released a report (PDF; HTML summary) finding that the TSA contractor, Desyne Web Services, had received a no-bid contract for the faulty site from a former employee who was then a TSA project manager. TSA has taken no action to sanction the responsible parties for the vulnerabilities. The poetic justice is that Soghoian had been investigated for 6 months by the FBI and TSA because he pointed out a vulnerability in the US air transport system; no charges were ever filed.

Read more of this story at Slashdot.

An Anonymous reader noted that some folks at GNU Citizen have been researching UPNP Vulnerabilities in home routers, and have produced a flash swf file capable of opening open ports into your network simply by visiting an unfortunate URL. Looks like Firefox & Safari users are safe for now.

Read more of this story at Slashdot.

Linden Lab, the company that runs the popular virtual world Second Life, announced Tuesday that all in-world “banks” must now be registered with real-world banking regulators:

As of January 22, 2008, it will be prohibited to offer interest or any direct return on an investment (whether in L$ or other currency) from any object, such as an ATM, located in Second Life, without proof of an applicable government registration statement or financial institution charter. We’re implementing this policy after reviewing Resident complaints, banking activities, and the law, and we’re doing it to protect our Residents and the integrity of our economy.

This is a significant step. Thus far Second Life, like other virtual worlds, has tried to avoid entanglement with heavyweight real-world regulatory agencies. Now they are welcoming banking regulation. The reason is simple: unregulated “banks” were out of control.

Since the collapse of Ginko Financial in August 2007, Linden Lab has received complaints about several in-world “banks” defaulting on their promises. These banks often promise unusually high rates of L$ return, reaching 20, 40, or even 60 percent annualized.

Usually, we don’t step in the middle of Resident-to-Resident conduct – letting Residents decide how to act, live, or play in Second Life.

But these “banks” have brought unique and substantial risks to Second Life, and we feel it’s our duty to step in. Offering unsustainably high interest rates, they are in most cases doomed to collapse – leaving upset “depositors” with nothing to show for their investments. As these activities grow, they become more likely to lead to destabilization of the virtual economy. At least as important, the legal and regulatory framework of these non-chartered, unregistered banks is unclear, i.e., what their duties are when they offer “interest” or “investments.”

This was inevitable, given the ever-growing connections between the virtual economy of Second Life and the real-world economy. In-world Linden Dollars are exchangeable for real-world dollars, so financial crime in Second Life can make you rich in the real world. Linden doesn’t have the processes in place to license “banks” or investigate problems. Nor does it have the enforcement muscle to put bad guys in jail.

Expect this trend to continue. As virtual world “games” are played for higher and higher stakes, the regulatory power of national governments will look more and more necessary.

Share This

Google is hiring an “investigator/threat analyst” in what could be an indicator that it is worried about insider threats.
The job posting, pointed out by Barry Schwartz at SearchEngineLand, outlines the following role:
Working with the Director of Corporate Safety & Security, the Investigator/Threat Analyst will be responsible for investigating deviations from company policies or acts against […]

Coverity is claiming they have found and helped to fix more than 7,500 security flaws in open source software since the inception of the governmentally backed project designed to harden open source software. The company has also identified eleven projects that have been especially responsive in correcting security problems. “Eleven projects have been awarded the newly announced status of Rung 2, including those known as Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL.”

Read more of this story at Slashdot.

Bruce Schneier, cryptography king, keeps his home network open. And despite what Tim Lee wrote in support of the idea, please don’t listen.

The justification is that the risk of someone using your network for illegal means is very low, while the risk of you getting hacked at the local coffee shop is potentially higher. Hence, worry about your machine, not your home connection.

I say BLAH! This piss poor argument ignores two significant points:

1) There is little or no benefit to you from opening your network; and

2) It takes minimal effort to secure your network with a password.

The risks may be low, but meanwhile you have nothing to gain. Meanwhile, the effort necessary to provide that little extra layer of protection likely outweighs the cost of that single long tail incident - one that could potential cause you tons of legal hassles.

If you are hell bent on providing web access to home visitors, I’ll take for granted that you trust them. Give them the key, like I do. Or if you’re wearing a tinfoil hat as you hand them their coffee, ask them to allow you to type it in yourself.

Tagged: Bruce Schneier, passwords, security, Tim Lee, wireless, wireless access point



On today’s TechNet radio, we learn more about the support IIS7 has for running PHP applications on Windows Server 2008 as a first class application citizen. We will also cover how to run PHP on IIS6, a new addition.  We also have our January 2008 Security Bulletin with Kai Axford and Tim Rains.

Listen to the podcast(MP3)
Listen to the podcast(WMA)

The Electronic Privacy Information Center and Privacy International just published its 1,000-page “Privacy and Human Rights Report,” which assesses the state of surveillance and privacy protection in 70 countries.
Following are the key findings from the report. Needless to say, privacy is eroding in most parts of the planet. The lowest ranking countries included Malaysia, Russia […]

For the average Windows Vista session, the “Needs your permission to continue” prompts are just momentary, occasional annoyances which can be disabled or by-passed. But if you’re planning to do a lot of tweaking or installations, having a dedicated Administrator account—like the kind available in XP—can be mighty helpful. The How-To Geek blog shows how to enable (and disable) the account from the log-in screen:

• First you’ll need to open a command prompt in administrator mode by right-clicking and choosing “Run as administrator”
• Now type the following command:
  net user administrator /active:yes

Log out and you should see an “Administrator” account available. Un-doing the tweak requires running nearly the same command, but with /active:no at the end. Like the Geek, we’ll note here that only experienced users who know exactly what they’re doing should use this type of account, and that Microsoft obviously doesn’t want you to do this as a normal thing. All the same, it could be a boon for easier troubleshooting.

Ads by Pheedo

Paul sends us word on a new exploit seen in the wild that attacks Windows systems completely outside of the control of the OS. “Unfortunately, all the Windows NT family (including Vista) still have the same security flaw — MBR [Master Boot Record] can be modified from usermode. Nevertheless, MS blocked write-access to disk sectors from userland code on VISTA after the pagefile attack, however, the first sectors of disk are still unprotected… At the end of 2007 stealth MBR rootkit was discovered by MR Team members (thanks to Tammy & MJ) and it looks like this way of affecting NT systems could be more common in near future if MBR stays unprotected.”

Read more of this story at Slashdot.

An anonymous reader writes “Tens of thousands of Web sites have been compromised by an automated SQL injection attack, and although some have been cleaned, others continue to serve visitors a malicious script that tries to hijack their PCs using multiple exploits, security experts said this weekend. Hacked sites included both .edu and .gov domains, the SANS Institute’s Internet Storm Center reported in a warning posted last Friday. The ISC also reported that several pages of security vendor CA’s Web site had been infected. Roger Thompson, the chief research officer at Grisoft, pointed out that the hacked sites could be found via a simple Google search for the domain that hosts the malicious JavaScript. On Saturday, said Thompson, the number of sites that had fallen victim to the attack numbered more than 70,000. ‘This was a pretty good mass hack,’ said Thompson, in a post to his blog.” By Sunday a second round of the same attack had infected over 90,000 servers.

Read more of this story at Slashdot.

palegray.net writes “An article posted yesterday on Wired.com notes that ‘Boeing’s new 787 Dreamliner passenger jet may have a serious security vulnerability in its onboard computer networks that could allow passengers to access the plane’s control systems, according to the U.S. Federal Aviation Administration.’ They’re already working on solutions to the problem - including placing more physical separation between aircraft networks and implementing more robust software-based firewalls.”

Read more of this story at Slashdot.

Windows only: Freeware application Secunia Personal Software Inspector is sort of like Windows Update for your installed software, monitoring your installed apps and notifying you of available security updates. When you run your first scan after installing Secunia, you’ll be presented with a list of insecure apps that have available updates, “end-of-life” apps that are no longer being supported by the developer, and patched apps that have the latest security updates. Keep in mind that Secunia is not an anti-virus software, but more of a preventative tool for ensuring that your software is secure as it can be. For a less security-focused angle, check out mass-update apps File Hippo Update Checker or UpdateStar. Secunia PSI is freeware, Windows only.

Web site Ars Technical discusses the ethics of “stealing” a Wi-Fi connection, discussing whether or not piggybacking Wi-Fi is actually something that should be considered stealing based on several practical illustrations, arguing, for example, that:

If the WiFi waves come to you and can be accessed without hacking, there should be no question that such access is legal and morally OK. If your neighbor runs his sprinkler and accidentally waters your yard, do you owe him money?

The above example is just the tip of the author’s argument, and you should really read the article for a fuller examination, but I’m curious about a couple of things:

Gawker Media polls require Javascript; if you’re viewing this in an RSS reader, click through to view in your Javascript-enabled web browser.

Fact is, as the article discusses, some people intentionally run an open wireless access point because that’s just the kind of friendly folk they are (in fact, some people advertise their open Wi-Fi hotspots). So I’d also like to know:

Gawker Media polls require Javascript; if you’re viewing this in an RSS reader, click through to view in your Javascript-enabled web browser.

As always, if I left out your answer, feel free to give us your viewpoint along with your take on the ethics of Wi-Fi “stealing” in the comments. Photo by frozenmeat.

eldavojohn writes “As more and more businesses become dependent on barcodes, people are pointing out common problems involving the security of one- or two-dimensional barcode software. You might scoff at this as a highly unlikely hacking platform but from the article, ‘FX tested the access system of an automatically operated DVD hire shop near his home. This actually demanded a biometric check as well, but he simply refused it. There remained a membership card with barcode, membership number and PIN. After studying the significance of the bar sequences and the linear digit combinations underneath, FX managed to obtain DVDs that other clients had already paid for, but had not yet taken away. Automated attacks on systems were also possible, he claimed. But you had to remember not to use your own membership number.’ The article also points out that boarding passes work on this basis — with something like GNU Barcode software and a template of printed out tickets, one might be able to take some nice vacations.”

Read more of this story at Slashdot.

A New York Times story at News.com notes the efforts of American security organizations to help the Chinese government prepare for the coming Olympic games. Critics argue this assistance violates the spirit of Congressional sanctions, and that the technology left behind after the games are over could be used to track dissident elements. “‘I don’t know of an intelligence-gathering operation in the world that, when given a new toy, doesn’t use it,’ said Steve Vickers, a former head of criminal intelligence for the Hong Kong police who now leads a consulting firm. Indeed, the autumn issue of the magazine of China’s public security ministry prominently listed places of religious worship and Internet cafes as locations to install new cameras. “

Read more of this story at Slashdot.

Gary may just save your skin with this security tip…

Good morning, afternoon, or evening whatever it happens to be in your area. I don’t know if you’ve heard of these 2 accessories that Paypal uses but I know from your eBay videos that you and your family have both eBay and Paypal accounts. Paypal has 2 new items the first Item I’d like to mention is the Paypal Security Key. This item adds an extra level of security to both your Ebay and Paypal account. You must purchase it through one of the sites however it can be activated on both services.

To get it go to www.paypal.com/securitykey or www.ebay.com/securitykey. The device costs you $5 - this includes shipping. What you get is a small little device with a keychain attachment at the end of it. How it works is simple each time the button is pressed the small LCD on the device will generate a random 6-digit #. You first activate it by going to the sites I mentioned above and following the instructions under activating it. Once you do this after entering your Ebay or Paypal user ID and password you get presented with a 3rd screen which tells you to enter the 6-digit code from the security key and click the button. Then you are logged into the respective account.

This helps protect you if you gave your information to a fraud email or a virus or Trojan happens to get your information They may have your ID and Password but they can’t use the same 6-digit code the key generated the last time you logged in. The 2nd thing I’m mentioning is the Paypal toolbar. This Feature helps you when you are buying stuff online it allows you to use your PayPal address and contact information to fill in order forms when on a shopping website. The toolbar also allows to generate Single or mult-use MasterCard #’s which are tied to your Paypal account thus allowing you to use your Paypal funds on a site where paying with Paypal isn’t an option. Anyone wanting the Paypal toolbar can just go into their Paypal accounts and under enhance account click Paypal toolbar. Hope these items help you or follow lockergnome subscribers or YouTube subscribers alike.

Dude, that’s an amazing tip! Thanks!

Related Content:

• The Blogosphere Has Jumped the Shark
• A Victim of eBay Fraud
• PayPal Fraud Protection
• N'awlins
• Be My Pal

If you’ve thought about the damage of having your Google account disabled or hijacked—like with the script vulnerability that left one designer completely out of the loop—it might be time to do something to ensure all your Google tools can’t be taken away in one fell swoop. The Google Operating System blog recommends a few moves to ensure uninterrupted access to your web apps, such as cloning your email into a new account, sharing Google Calendar and Reader, and creating extra authorized accounts. It’s not a total solution, but as the author points out:

… You’ll still be able to read your email, send messages, post blog posts, check your calendar, add new events, access important documents etc.

Those who want physical copies of their Google data should check out Adam’s guide to backing up your Google apps.

Firefox only (Windows/Mac/Linux): Firefox extension NoScript prevents unauthorized web sites from running JavaScript, Java, Flash, or other plug-ins to keep your browsing sessions safe. The main purpose of NoScript is to protect yourself from browser or web vulnerabilities along the lines of this Gmail exploit by blocking untrusted scripts from executing in your browser. Granted, it may seem like a bit of a pain to enable all your trusted sites (though NoScript makes it simple to add sites to your whitelist in two clicks), but in the end an extension like NoScript turns Firefox into a very safe little browser. NoScript is free, works wherever Firefox does.

greg65535 writes “Today Microsoft launched a blog about the internals of their IT security research and patch development process. There are already some posts that you will not find in the official security bulletins or KB articles. One of the posts says, ‘We periodically identify workarounds or mitigations like this that we can’t use for official guidance because they’re either too nuanced or have some exception cases. When we discover something potentially useful but are uncomfortable listing it in the bulletin, we’ll do our best to describe it here in this blog.’ It looks like Microsoft is making an effort to become more ‘open’ in the area of security research and communication.”

Read more of this story at Slashdot.

yali writes “The U.S. Transportation and Security Administration has issued new rules limiting travel with lithium batteries. As of January 1, no spare lithium batteries are allowed in checked luggage. Batteries carried in the cabin are subject to limitations on per-battery and total lithium content, and spare batteries must have the terminals covered. If you’re returning home from the holidays with new toys, be sure to check out the new restrictions before you pack.”

Read more of this story at Slashdot.

Ponca City, We Love You writes “Daily Domainer has a story alleging that there may be a leak that allows domain tasters to intercept, analyze and register your domain ideas in minutes. ‘Every time you do a whois search with any service, you run a risk of losing your domain,’ says one industry insider. ICANN’s Security and Stability Advisory Committee (SSAC ) has not been able to find hard evidence of Domain Name Front Running but they have issued an advisory (pdf) for people to come forward with hard evidence it is happening. Here is how domain name research theft crimes can occur and some tips to avoiding being a victim.”

Read more of this story at Slashdot.

It seems like everyone is just dying to add social features to their online tools these days. One example: Google recent move to expose your “shared” items from Google Reader to your Gmail contacts. Actually, I don’t think that this is such a bad idea, but there are other opinions about that. […]

spinctrl links to an interesting story in the L.A. Times about the cloak-and-daggerism of fighting online scams in Romania, summing it up like this: “The country is the top source of auction site scams. One company is trying to do something about it, with increasing collaboration from local law enforcement over recent years. Ebay has sent over equipment and a team to help the authorities combat this form of cyber crime, which is run with all the organization of an industrial-scale business.”

Read more of this story at Slashdot.

IPU = Imaginary Property Unicorn writes “The proposed Australian ‘Access Card’, a universal ID that would be required for any Australian wishing to use Medicare, Centrelink, the Child Support Agency, or Veterans’ Affairs, has been scrapped by the incoming Rudd Labor Government. The card would have contained an RFID tag with the person’s name, date of birth, gender, address, signature, card number, card expiration date, and Medicare number, but there were also provisions to add more personal data later on. It seems that Rudd Labor is not eager to copy the American REAL ID Act.”

Read more of this story at Slashdot.

Keith writes “Tens of thousands — or maybe more — accounts to adult websites were recently declared compromised and apparently have been that way since some time in October 2007. The break occurred when the NATS software used to track and manage sales and affiliate revenues was accessed by an intruder. The miscreant apparently discovered a list of admin passwords residing on an unsecured office server at Too Much Media, which makes and maintains NATS installations for adult companies. It would appear that Too Much Media knew of the breach back in October, and rather than fixing the issue tried to bury it by threatening to sue anyone in the adult industry who talked about it.” The article gives suggestions for anyone who opened an account at any adult website in the last several months.

Read more of this story at Slashdot.

SJ2000 writes “Windows Explorer was quarantined last week by Kaspersky Lab’s antivirus software after being falsely identified as malicious code. The security company’s systems had decided that a virus called Huhk-C was present in the explorer.exe file, leading to its confinement or, in some cases, deletion. The bug was only live in the wild for two hours, and ended up affecting just one corporate customer and a handful of home users.”

Read more of this story at Slashdot.

Scrabblous sends in this analysis of the Pushdo Trojan downloader’s backend code and control server. Pushdo is a complex Trojan downloader that meticulously tracks its victims; much of its innovation is not in the Trojan itself but in its control infrastructure. Quoting: “The Pushdo controller also uses the GeoIP geolocation database in conjunction with whitelists and blacklists of country codes. This enables the Pushdo author to limit distribution of any one of the [421 different] malware loads from infecting users located in a particular country, or provides the ability to target a specific country or countries with a specific payload. Pushdo keeps track of the IP address of the victim, whether or not that person is an administrator on the computer, their primary hard drive serial number…, whether the filesystem is NTFS, how many times the victim system has executed a Pushdo variant, and the Windows OS version.”

Read more of this story at Slashdot.

An anonymous reader writes sends us to The Register for this security news. The problem is compounded by the fact that some of the most popular Web development tools for generating SWF produce files containing the recently disclosed vulnerabilities. “Researchers from Google have documented serious vulnerabilities in Adobe Flash content which leave thousands of websites susceptible to attacks that steal the personal details of visitors. A web search reveals more than 500,000 vulnerable applets on major corporate, government and media sites. Removing the vulnerable content will require combing through website directories for SWF files and then testing them one by one. Updates in the Adobe software that renders SWF files in browsers are also likely, but they probably wouldn’t quell the threat completely… No patch in sight from Adobe, that’s the price to pay for depending on proprietary solutions.”

Read more of this story at Slashdot.

Windows only: Free encryption program Cryptainer LE offers an automated, one-container method of securing those files you’d rather others not take a peek at. The application creates a virtual drive on your hard drive, thumb drive or anywhere you want it to, and files placed in that drive are automatically secured with 128-bit encryption. Turn the program off and the drive disappears; turn it back on, enter a password, and you’ve got your files back. Cryptainer can also send files through encrypted email with decrypting .exes attached, although I question how many email filters that would get through. While the free trial version limits the encryption “vault” sizes to 25MB, you can create an unlimited number fo them. Cryptainer LE is a free download for Windows systems only.

Lucas123 writes “Computerworld has a story about the possibility and the potential ramifications of an IRS data loss similar to the UK’s recent mishap. According to one World Bank executive, it could have already happened, ‘and we don’t know about it.’ While the IRS does offer data encryption to its workers, more than half of its 94,000 employees have permission to take taxpayer information to locations outside the IRS offices. In the 2007 filing season, roughly 128 million individual tax returns were filed. In addition to the basic personal information on those forms, an IRS breach could also jeopardize the banking information of the 46% of filers who requested direct deposit refunds. This is not the first time that IRS security has been called into question, and the Department of Treasury’s progress in that arena is dubious. [PDF]”

Read more of this story at Slashdot.

Filed under: Misc. Gadgets

The Army’s been poking around with OS X for a while — Xserves have run army.mil for a couple years now — but it looks like it’s about to deploy even more Apple machines in an effort to diversify its install base and frustrate would-be attackers. The move is partially due to the upcoming release of software that will allow OS X machines to work with the Army’s Common Access Card smart card system, but the Army’s experience with the Xserves seems like it’s really the deciding factor: “[The Army’s Xserves] are some of the most attacked computers there are,” according to Lt. Col. C.J. Wallington, of the Army’s office of enterprise information systems. “But the attacks used against them are designed for Windows-based machines, so they shrug them off.” Outside security consultants say that diversity isn’t enough, though — while OS X may be difficult to break, hackers will simply learn to target the Army’s Windows machines. “In the story of the three little pigs, did diversifying their defenses help? Not for the pig in the straw house,” according to one analyst interviewed by Forbes. That’s a good point — but we’re also a little concerned that all that white, aluminum and glass might clash with the Army’s color scheme.

Read | Permalink | Email this | Comments

By Michael Santo
Executive Editor, RealTechNews
Linux users might actually agree with this “false positive”. On the other hand Microsoft breathes a sigh of relief, as for once the antivirus software in question is not Windows Live OneCare.
Kaspersky Labs, a smallish but well-respected (in fact, many believe it to be the most effective AV solution) […]

Filed under: Misc. Gadgets

Believe it or not, devices used to see through walls are far from revolutionary, but hey, we’ll take every one we can get. Reportedly, Physical Optics Corporation has concocted a prototype gun that utilizes the same method of viewing that a lobster does to see what’s ahead in murky waters. The LEXID (Lobster Eye X-ray Imaging Device) functions by “radiating objects with tiny amounts of X-ray energy,” subsequently allowing its user to see behind steel, wood or concrete. According to David Throckmorton, a project manager in Homeland Security’s Science and Technology division, the resulting images aren’t exactly drool-worthy, but they do allow you to make out a stash of weapons or a crouching enemy. Unfortunately, completion is too far out to estimate a price, but its creators are hoping to one day make it cheap enough for exterminators and contractors to purchase and use. ‘Course, we could imagine middle schoolers getting into all sorts of trouble if one of these floated into the locker room.

[Via The Raw Feed, image courtesy of POC]

Read | Permalink | Email this | Comments

Windrip writes “A judge in the case covering the nature of the database used in Diebold Gems software during Pima County, Arizona elections has ruled the DB is not a computer program (pdf). The result is that the Arizona Democratic party will have the chance to review previous elections for transparency and accuracy. ‘’The Pima County Democratic Party sued the county this year for the electronic databases from past elections. The party requested the databases and passwords be released according to Arizona public-records law. Pima County denied that part of the request, while turning over other records the party asked for. In closing arguments of the four-day trial that began Dec. 4, Pima County argued the databases meet the definition of a computer program, which is protected by state law, said Deputy County Attorney Thomas Denker.”

Read more of this story at Slashdot.

rdmreader writes “RDM has a point by point disassembly of the security vulnerability story phenomenon. We regularly see these, comparing various vulnerability lists for different operating systems. ZDNet’s George Ou, for example, condemns Linux and Mac OS X by tallying up reported flaws and comparing them against Microsoft’s. What he doesn’t note is that his source, Secunia, only lists what vendors and researchers report. Results selectively include or exclude component software seemingly at random, and backhandedly claims its data is evidence of what it now tells journalists they shouldn’t report. Is Secunia presenting slanted information with the expectation it will be misused?”

Read more of this story at Slashdot.