Come 2 Web

A big outage at Google Tuesday

2009-02-24T20:12:00.000-08:00

A big outage at Google Tuesday. Things go dark early while most of the U.S. is sleeping. Still, the Internet is without borders and so the glitch leaves millions of people who use Google Web mail and Google Apps, high and dry.

It was mild melodrama for a few hours but things returned to normal after a few hours. It's still unclear what happened, though Google says it's investigating the problem.

Truth be told, the walls of Jericho did not crumble, though the outage nonetheless triggered the (now thoroughly predictable) hand-wringing and bloviating from the usual cast of characters. Amusing to watch, but after this incident, there's also the wider context to consider.

Any outages are embarrassing. But while Gmail did crash a few times in 2008, this is the first time the service has gone down in quite a while. (As my colleague Stephen Shankland noted, Google extends a guarantee to corporate customers paying for any of its business Apps services, which rely on the cloud. The promise: they will be able to access Gmail at least 99.9 percent of the time every month. If not, Google pays them a penalty fee. So far Google says it hasn't fallen below that mark.)

If these sorts of outages occurred with more regularity, I suppose that would seriously retard cloud computing's growth. Google and Salesforce.com and Amazon and any other purveyors of cloud-based services obviously cringe when their connections fail. Not to underplay the anguish customers and vendors find themselves dealing with, but the real news here is how rare these cloud-computing outages have become.

A few years ago it seemed that eBay's Web site was seizing up all of the time. The reality was less severe but merchants and bidders would scream bloody murder. At the same time, eBay, Yahoo, Amazon, and Buy.com were dealing with repeated denial-of-service (DoS) attacks. Things got so bad that some even feared for the future of e-commerce.

We now know how the story turned out. Fact is that there are no 100 percent guarantees anymore, not in a world in which applications increasingly get hosted on the Internet. When things go bump in the night, as they inevitably will, there is going to be a commotion, albeit a temporary one. Get over it, already.

This is computing, after all.

Indian outsourcers, Microsoft top the list of H-1B users in '08

2009-02-24T02:45:00.000-08:00

Microsoft Corp. was the top U.S.-based recipient of H-1B visas in 2008, receiving approval for 1,037 visas, slightly more than in 2007. But the largest users of the program remain the major Indian offshore IT services firms -- and their use of H-1Bs appears to be increasing, according to government data.

(See a searchable listing of the companies receiving H-1B visas in 2008.)

The importance of the H-1B visa program to India-based outsourcers is clear from the fiscal 2008 approval list compiled by the U.S. Citizenship and Immigration Service (USCIS). That fiscal year ended Sept. 30.

The H-1B visa program has been one of the most controversial issues in the IT industry. High-tech firms argue that the visas are needed so they can recruit talented graduates from U.S. universities. But opponents say the program is being used to push down wages and enable the offshoring of IT jobs.

The program is currently capped at 65,000 annually, with another 20,000 set aside for advanced-degree graduates of U.S. universities.

In the latest listing of visa holders, Infosys Technologies Ltd. remained the top user, receiving approval for 4,559 -- the same number it got in fiscal 2007. Otherwise, the numbers for other major users varied, with some of the offshore firms showing sizable increases in their use of the program.

In second place after Infosys was Wipro Ltd., which received approval for 2,678 H-1B visas in 2008. The year before, Wipro got 2,567.

Even though Satyam Computer Services Ltd. revealed late last year that it had substantially misreported its financial statements, leading to a scandal that has put its future at risk, it received approval for 1,917 H-1B visas. That's far in excess of the 1,396 it got in fiscal year 2007.

Fourth on the list was Tata Consultancy Services Ltd., which used 1,539 visas last year, almost double the 797 it got in 2007. Microsoft was fifth on the list, winning approval for 1,018 visas, 59 more than it got in 2007. Among other U.S. firms, Google Inc., which publicly complained in a blog post last year about the H-1B system, received 248 visas -- far less than it wanted. And Lehman Brothers Inc., which failed late last year, received 130 visas.

There has been a recent backlash in Congress over the use of the visas. The $787 billion federal stimulus bill it approved earlier this month imposed restrictions on H-1B use by financial services firms that receive bailout funds.

Federal enforcement of visa laws related to the use of H-1Bs may be growing as well. Earlier this month, federal agents said they had arrested 11 people in six states in a crackdown on H-1B visa fraud; unsealed documents showed how the visa process was used to undercut the salaries of U.S. workers.

At one point, Microsoft's H-1B hiring drew the attention of Sen. Charles Grassley (R-Iowa), who last month wrote to the company and urged it to give U.S. workers priority over H-1B visa holders in its plan to layoff 5,000 employees.

The USCIS distributes H-1B visas via a lottery system because applications have been exceeding the visa cap routinely in recent years.

The USCIS will begin taking applications for the next fiscal year on April 1 and will distribute the new visas on Oct. 1, at the start of the 2010 fiscal year.

Microsoft tells laid-off workers to keep extra severance pay

2009-02-24T02:44:00.000-08:00

Microsoft Corp. will let about two dozen laid-off workers who were overpaid severance keep the money, the company's head of human resources said Monday afternoon.

The decision was a quick turn-about for the company, which last week sent letters to some of the 1,400 employees who were laid off in late January, asking them to return some of their severance because of an "administrative error." The demand received wide coverage after TechCrunch posted a copy of one such letter over the weekend.

"In the normal course of business, we may underpay or overpay in a bonus situation," said Lisa Brummel, the senior vice president of human resources for Microsoft. "If we overpay, we ask that the money be returned. Severance is not unlike that.

"But this is a unique time and our normal practice didn't make sense," she said.

Of the 25 people who were overpaid, Brummel said she had reached 17 by telephone as of mid-afternoon, and left messages for the others, telling them that they could keep the money. "This first came to my attention two days ago," she said, "and I immediately told my staff to stop following through. Since then, I have called each one, to let them know they do not need to repay the money, and apologized to them."

Most of the overpayments were in the $4,000 to $5,000 range, Brummel said, though "there were a couple who were over that." By her figures, Microsoft overpaid between $100,000 and $125,000.

An additional 20 former employees were initially underpaid, but have since been paid what they were owed.

She said the people she had talked with were "very pleased that the company did the right thing. They were quite impressed that I picked up the phone and called them personally."

Earlier today, a Seattle employment lawyer questioned whether Microsoft could make its payback demand stick. Calling the law unclear, attorney D. Jill Pugh said she would advise anyone who received such a letter to call on a lawyer to negotiate with the company.

Later in the day, Brummel dismissed the idea that Microsoft's decision was based on any legal second thoughts. "I wasn't deeply involved in the legal [discussions], but we rarely do anything without thinking of the legal implications," Brummel said. "I think that any company has the right to retrieve any overpayment."

For the future, Microsoft has put a process in place to notify her sooner of such overpayment requests. "We'll be double-checking our accounting, too," she said.

Microsoft laid off approximately 1,400 employees worldwide on Jan. 22, part of a $600 million cost-cutting move this quarter and the first wave of a planned 5,000-worker reduction during 2009. According to reports, the company offered severance packages that equaled a minimum of 60 days salary.

Adobe flaw has been used in attacks since early January

2009-02-24T02:43:00.000-08:00

A dangerous and unpatched vulnerability in Adobe Systems Inc.'s PDF-reading software has been around a lot longer than previously realized.

The Adobe Reader flaw, which was first reported late last week, has caused concern because the bug is easy to exploit and Adobe isn't expected to patched it for several weeks.

A vulnerability researcher at intrusion-prevention vendor Sourcefire Inc. posted a patch for the flaw on Sunday. But the unsupported patch applies only to the Windows version of Adobe Reader 9.0 and comes with no guarantees that it will actually work.

Security researchers at Symantec Corp. told Adobe about the flaw, which also affects the vendor's Acrobat software, on Feb. 12. But today, Sourcefire said an analysis of its malware database showed that attackers have been exploiting the flaw for more than six weeks.

Sourcefire has found samples of exploit code dating back to Jan. 9, said Matt Watchinski, the company's senior director of vulnerability research.

To date, the flaw has been used in small-scale attacks targeted against specific individuals, according to security researchers. Symantec, for example, says it has tracked only 100 attacks thus far. But that number has been increasing since exploit code for the flaw, which affects both Windows and Macintosh users, was made public.

Sourcefire has also posted an analysis of the flaw on its Web site, which a hacker using the name k'sOSe credited with helping him write a proof of concept attack that exploits the bug.

"We're starting to see more exploit code show up," said Andre DiMino, co-founder of The Shadowserver Foundation, the organization that made the first public disclosure of the flaw last Thursday.

"This developed legs last week," DiMino added in an instant message. "I think our blogging the vulnerability and Sourcefire blogging the exploit details got it going."

The vulnerability involves the way that Adobe Reader opens files that have been formatted using the JBIG data compression algorithm. Adobe says it plans to patch the bug by March 11.

Security experts say that users can mitigate the possibility of attacks by disabling JavaScript within their Adobe software, but doing so could break corporate applications that rely on the scripting software.

Yahoo may overhaul top management this week, report says

2009-02-24T02:42:00.000-08:00

Yahoo Inc. CEO Carol Bartz may be ready to announce a major reorganization of the company's executive ranks next week, according to a news report.

Bartz is expected to name a new senior management team to help turn around the troubled Internet company and to roll back organizational changes made by former CEO Jerry Yang and President Sue Decker, according to a report Friday evening in "All Things Digital," a news blog affiliated with The Wall Street Journal.

The changes are likely to be announced on Wednesday, though they may be rolled out in pieces over the following week, the report said. It cited unnamed sources inside and outside of Yahoo and a memo to the company's staff from Bartz on Friday that pointed to a "big week" ahead.

Bartz, a former executive chairman at software company Autodesk Inc., took on the Yahoo CEO job six weeks ago. She replaced Yang, who stepped down in November after buy-out talks with Microsoft Corp. collapsed and an online advertising deal with Google Inc. fell apart.

Last month, she acknowleged "fundamental issues" that need to be addressed at Yahoo to sharpen its focus and speed up decision-making. "I intend to move quickly to tackle these core issues," she said.

The changes may include a revamped management team with a chief operating officer, chief technical officer and a new, more-powerful chief marketing officer all reporting directly to Bartz, Friday's report said. The structure would be similar to the one Bartz employed to revitalize Autodesk, it said.

Last month, Yahoo reported a net loss of $303 million for the fourth quarter of 2008, down from a profit of $206 million a year earlier. Revenue slipped 1% to $1.81 billion.

Mozilla backs move to decriminalize iPhone jailbreaking

2009-02-17T22:44:00.000-08:00

Mozilla Corp. is backing a move that would nullify copyright infringement charges against people who "jailbreak" their iPhones, a practice that Apple Inc. considers against the law.

In comments submitted to the U.S. Copyright Office, the maker of Firefox said it supports the Electronic Frontier Foundation (EFF) in its request for an exemption to the Digital Millennium Copyright Act (DMCA). The EFF wants the Copyright Office to let users jailbreak their phones without fear of copyright infringement penalties.

Apple opposes the exemption, and in its own filing with the Copyright Office, has said that jailbreaking is a violation of copyright laws that protect its software.

"This is not us criticizing Apple," John Lilly, Mozilla's CEO, said in an interview Monday. "But it's the principle of the thing. Choice is good for users, and choice shouldn't be criminalized. The Internet is too important for all of us for that."

"Jailbreak" is the term used to describe circumventing the digital rights management (DRM) technology on a cell phone so that the user can install third-party applications not authorized by the phone's maker or the mobile carrier. The term was popularized by iPhone owners after several groups of programmers figured out how to hack the first-generation iPhone's operating system.

Although it never mentioned the iPhone by name in its comments, Mozilla made no bones about the danger it sees if a company like Apple is the sole gatekeeper of a smartphone. "By controlling the software that can be installed on these cellular phones, these companies can limit and control the type of programs and functionality that is available to users of their devices," Mozilla's general counsel, Harvey Anderson, wrote in the comments submitted to the Copyright Office (download PDF).

Anderson said that the DRM technology used to prevent people from installing software has a "chilling effect on users and innovation" because they are afraid that jailbreaking their phones is illegal.

He went on to argue that smartphones are akin to a computer, and because they can be used to access the Internet, should not be limited to the software authorized by the handset maker and/or the mobile service provider. "These devices contain Internet Web browser, and are therefore effectively users' doorway to the Internet -- a public commons," Anderson said. "Consumers should be entitled to use any software program they choose to access the Internet."

Apple includes a version of its own Safari browser on the iPhone, and decides which third-party applications can be downloaded from its App Store online mart, the only authorized distribution channel. In the past, Apple has rejected programs it says duplicate its own iPhone software, a notion that is reportedly spelled out in the iPhone's software development kit (SDK) licensing agreement. So far, no major rival to Safari has been offered to users through the App Store.

As things stand now, Mozilla would be unlikely to craft a version of Firefox for the iPhone, said Lilly. "The SDK is very clear, that Flash and Firefox and other runtimes are not welcome on the iPhone," he said. "Given the choice, would we work on a platform where the sole company controlling it makes us unwelcome, or would we work on a platform, like Linux, where we are welcome? The answer is going to be easy for us."

Mozilla is currently working on a mobile browser based on the same code that drives Firefox. Codenamed "Fennec," the browser is in the preliminary stages of development. The first build for Windows Mobile-powered phones, for instance, was released only last week.

Although he declined to get into product development specifics, Lilly said he doubts Mozilla would venture into the iPhone even if the Copyright Office grants the DMCA exemption over jailbreaking.

Opera Software ASA, a Norwegian company noted for its mobile browser, has come to the same decision. According to CEO Jon von Tetzchner, Opera considered, then abandoned development for the iPhone when it realized that Apple's SDK license barred other browsers.

Mozilla wasn't the only technology company or developer who weighed in on the side of the EFF. Skype Communications, the eBay Inc. subsidiary known for its voice-over-Internet Protocol (VoIP) software, for example, also backed the exemption request. "Copyright law should not interfere with a user using his or her phone to run Skype and enjoy the benefits of low- or no-cost long-distance and international calling," Skype said. So did Jay Freeman, the developer of Cydia, the open-source application installer that acts as an App Store substitute for jailbroken iPhones.

Claiming that his program is installed on 1.6 million iPhones worldwide, a quarter of them in the U.S., Freeman wasted no time blasting Apple's software restrictions. "They have denied competing mail applications, competing camera applications and competing mapping systems," Freeman said in comments he submitted supporting the EFF request (download PDF). "They also have exerted control over what they [feel] to be acceptable content, sometimes vacillating (first denying any application using the word 'fart,' then allowing one in, which rapidly becomes the #1 most popular application in the store."

The danger of a gatekeeper like Apple on the iPhone is that innovation is stifled, Lilly argued. "These vertical silos don't enable innovation," he said. "And technology diffusion takes much longer, if it ever happens."

Why Toshiba is buying Fujitsu's HDD business

2009-02-17T22:42:00.000-08:00

With the acquisition of Fujitsu's hard-disk drive (HDD) business, Toshiba would position itself to become a leading contender in the enterprise-class solid-state disk (SSD) drive market, as well as initially leap to the head of the pack in the 2.5-inch HDD space, say industry observers.

Toshiba and Fujitsu said today they had signed a provisional agreement under which Toshiba will acquire 80% of Fujitsu's hard-disk drive business. The deal is expected to close during the April through June quarter.

Fujitsu said it would hold onto 20% of its hard drive business for a not yet determinined period of time to smooth the transition of the business to Toshiba, which will make it a subsidiary.

Fujitsu is a leader in enterprise-class 2.5-inch HDD market, as well as in mobile devices.

The fast growing 2.5-in hard drive marketplace includes Hitachi, Seagate, Western Digital, Fujitsu, Toshiba and Samsung. Fujitsu ranks third in number of units shipped, ahead of Seagate, says Tom Coughlin, an analyst with Coughlin Associates.

Last year, Fujitsu shipped 38.6 million 2.5-in HDDs. Only Hitachi, with 50.4 million, and Western Digital, with 50.3 million, lead it. Toshiba followed Fujitsu with 34.5 million, and Seagate trailed with with 29.8 million units shipped.

Let's make a deal

Western Digital Corp. had been in talks with Fujitsu to buy its HDD business. That deal was estimated to be worth $945 million. The value of Toshiba's Fujitsu buyout was not disclosed.

Coughlin and Gregory Wong, an analyst with the research firm Forward Insights, said the deal between Western Digital and Fujitsu likely fell through because there was not enough cultural synergy between the two companies. Coughlin said the ease with which two Japanese companies could deal with the same currency also probably had an impact on U.S.-based Western Digital's proposed buyout. Both analysts speculated that Japan's government may have helped broker the deal between the two native companies.

While a leader in the hard disk drive market, Fujitsu has been loosing money on its products because its cost to produce drives are too high, Coughlin said. "It has some similarities to the issues Hitachi has having. They had a high cost structure for building drives, which put them at a disadvantage to a Western Digital or Seagate."

Toshiba, on the other hand, has been profitable in the HDD marketplace for the past 30 years. This year will be its first unprofitable year, the company said.

With the acquisition of Fujitsu's 2.5-in HDD business, Toshiba, which sells its hard drives mainly into the consumer laptop marketplace, will effectively be catapulted into first place in unit shipments, Coughlin said. And, with Fujitsu's 20% to 25% share of the enterprise 2.5-inch HDD space, Toshiba gets an instant business customer base.

Scott Maccabe, general manager of the Americas for Toshiba's storage business, said, "We have been investigating entering the enterprise space for some time. We did our due diligence of what it would take to expand our market share. The logic made it more reasonable for us to acquire that rather than develop it in-house." "It really lines up from a strategic as well as tactical perspective for us," Maccabe said.

A solid win on SSD

One market that has escaped Toshiba is in enterprise-class SSD drives, the fastest growing segment of the flash drive marketplace. Toshiba invented NAND flash memory, but for all of its innovation in the space, the company has only two SSD products based on NAND -- one for laptops, the other an enterprise-class drive.

Stec Inc. and Intel Corp. are the current leaders in the enterprise-class SSD space.

Maccabe said the Fujitsu acquisition would open an instant door into the enterprise-class SSD market because of the depth of Fujitsu's existing enterprise-class business customers. Wong agreed.

"I think for Toshiba, they need to make sure their solid-state disk unit and hard-disk drive unit work together. Currently, Toshiba's SSDs are basically being manufactured and sold by their NAND flash business unit. So, internally, I wouldn't be surprised if there isn't some friction there," Wong said. "Samsung has the same problem."

Maccabe, however, said Toshiba's HDD unit will focus on enterprise SSD sales because they have more experience in that sales space. Toshiba aims to build on the consolidation between the two companies to raise its share in the overall HDD market to over 20% by 2015, it said.

Even with the many synergies between the two companies, Maccabe said he didn't expect layoffs to result from the buyout. Fujitsu and Toshiba both sell into the mobile market place, but Maccabe said overlap was minimal.

Toshiba has a 1.8-inch hard drive line and Fujitsu does not. Fujitsu has an enterprise-class HDD product line; Toshiba doesn't. And, while both companies have 2.5-inch HDD lines, Maccabe said Fujitsu would "leverage any overlap into efficiency and scale and then have a broader set of products," Maccabe said. "We're committed to bringing everybody over," he said.

Experts weigh in on job boards

2009-02-17T22:41:00.000-08:00

There are more than 60,000 job boards on the Web. Which ones should you spend your time searching?

If you were among the millions of Super Bowl viewers last month, you might be thinking about looking at sites like CareerBuilder, Monster and TheLadders. All three aired attention-grabbing commercials during the big game.

To home in on the best employment sites, we asked career experts how the big job boards measure up for professionals and where else job seekers can look.

Let's start with the popular sites like Monster, CareerBuilder and HotJobs. Love them or hate them? "They do a nice job for very young, entry-level job hunters," says Michael Mellone, a senior consultant at ClearRock, a Boston-based outplacement firm. But for more experienced professionals, he says, industry-specific job sites such as Dice.com or the IEEE's job search page are more effective.

Gerry Crispin, co-founder CareerXroads, a consulting firm in Kendall Park, N.J., says CareerBuilder lacks sophistication. Recently he saw a quiz on the site that promised to give job hunters insight into what career path they should pursue based on the colors they like. "I'd be embarrassed as an employer to work with a site that uses such unprofessional approaches to career management," he says.

In contrast, Sarah Hightower Hill, CEO of outplacement firm Chandler Hill Partners Inc. in Tucson, Ariz., says she likes CareerBuilder because it's easy to navigate. "The site drives you right in to the job search. It's no-nonsense," she says.

What are some of your favorite job sites? For Crispin, Jobing.com wins high marks. The site specializes in advertising local employment for job hunters in 41 metro areas across the country. "They have people who physically go out and meet with professional associations that are trying to get their members hired," he says.

Crispin also favors the site for the DirectEmployers Association, Jobcentral.com. Job hunters interested in positions advertised on the site can click on a link to be taken directly to the employer's Web site. "You apply to the company firsthand," he says.

Additionally, Crispin points to Craigslist because "it's the most open, honest and transparent site out there," he says. He also cites its simplicity and ease of use. "It's also one of the most responsive," he says, referring to the company's immediate action when complaints are made. He cautions, though, that job seekers should be aware of potential job scams among the listings.

Rich Gee, an executive coach in Stamford, Conn., recommends Execunet.com. "It's a serious job site," he says. "You cut right through the noise and get to the actual job."

Execunet charges a fee to respond to its help-wanted ads. So do TheLadders and some other job boards. Are they worth paying for? "It's not a lot of money for what you get in return, which is a great filter to get to serious jobs," says Gee.

Hightower Hill says many job hunters she's worked with complain that too many employment ads on TheLadders are anonymous, making research and due diligence difficult. "It's pretty hard to follow up because you don't always know the identity of the company," she explains.

But Roy Cohen, a career counselor and executive coach in New York, says fee sites market their services too aggressively, making them less worthwhile. "They're constantly selling," he says. "It feels like you are being bombarded to upgrade your service."

Are any sites better at keeping out misleading job ads than others? "There is no site that can promise to perfectly keep away somebody who has a malicious intent," Crispin says. "However, most of the major job boards have pretty good security in place to screen it out."

Crispin notes that Craigslist is particularly vulnerable to the problem because it's less expensive than most job boards for posting employment ads. "It has -- and should have -- a 'buyer beware' warning," he says. "It's one of the hardest sites to keep clean but, Craig himself works very hard to do that."

What advice do you have for job hunters searching employment boards? Don't put too much time into them, advises Cohen. He recommends investing heavily in networking in person and online.

Microsoft expected to wrap up IE8 within weeks

2009-02-17T22:39:00.000-08:00

Microsoft Corp. will finish Internet Explorer 8 (IE8) next month, according to a Web site that has accurately predicted other moves by the company.

TechARP.com, a Malaysian Web site that has reported on Microsoft's plans to offer free upgrades from Windows Vista to the newer Windows 7, said today that Microsoft will reach IE8's "release to manufacturing" milestone, also known as "RTM," in March.

"Microsoft will RTM Internet Explorer 8 in March 2009, most likely sometime during the last two weeks," the site said, citing unnamed sources. "This is because Microsoft plans to announce the final details of the IE8 RTM schedule and available language versions by March 5, 2009."

In development parlance, RTM means that the software has been finished and that the vendor is ready to ship it to partners, release it to the public, send it to duplicators for retail distribution, or all of the above.

Microsoft declined to confirm or deny the TechARP account. "Out timeline is driven by the quality of the product," said a spokeswoman today in an e-mail reply to a request for comment. "Microsoft is deliberate in our approach to releasing new products, and we feel a strong obligation to our customers to do so in a responsible manner that ensures they are getting the safest, most reliable product possible."

TechARP said that once Microsoft declares IE8 has reached RTM, it will offer it to computer makers, which can then add it to machines they ship with either Windows Vista or the older Windows XP operating systems. At the moment, the former comes with IE7, while the latter is bundled with IE6.

IE8 is also slated to be a cornerstone of Windows 7, the successor to Vista.

TechARP had no information on when Microsoft would post the final version of IE8 for public download. But the site's late-March RTM timetable meshes with past IE release schedules.

In 2006, there was a gap of eight weeks between IE7's first release candidate (RC1) and the public posting of the browser. A similar eight-week stretch from Microsoft's delivery of IE8 RC1 in late January 2009 would put the final build's availability at around March 23.

IE8 includes new Web standard compatibility features, performance improvements, a revamped address bar and private browsing tools.

Seagate FreeAgent Theater

2009-02-16T02:50:00.000-08:00

If you're looking for a way to view tons of media from your computer on your TV, but you want something other than a media streamer, a hard-drive-based media player like the Seagate FreeAgent Theater (starting at US$129 without the hard drive, as of February 11, 2009) may be for you. But if you take home entertainment seriously, you may want to consider other options.

The FreeAgent Theater is relatively easy to set up: Hook it up to your TV; plug it in to an electrical outlet; connect a USB hard drive, a thumb drive, or a digital camera; and you're ready to go. As noted above, the FreeAgent Theater does not include a hard drive at its base price, but you can buy it packaged with either a 250GB or a 500GB FreeAgent Go hard drive; at its site, Seagate currently sells Go drives in these sizes for $100 and $150, respectively.

The FreeAgent Theater includes PC syncing software for transferring photos, music, and movies from your computer to a hard drive. Plug in the hard drive, and the software will automatically sync your PC's media collection to the external drive. Also included is a cradle for attaching any of Seagate's FreeAgent Go portable hard drives to your PC to make transferring media easier. Plug in a hard drive, click the MediaSync button in the PC sync software toolbar, choose your sync options, and you're ready to go.

The player itself is compact and well-designed, with playback control buttons on top, a USB port on the front (for use with any other USB drive), and a dock where you can insert a FreeAgent Go drive. On the back are component and composite outputs, and S-Video-out, but no HDMI-out. Though the FreeAgent Theater supports high-definition video (up to 1080i), and Dolby Digital 5.1 audio, its lack of HDMI will disappoint some users.

I found the FreeAgent Theater straightforward to use. After you plug in a drive and switch it on, the device is ready to use. To view your media, select the drive, and you'll be able to access any media file that is in a format that the FreeAgent Theater can play back. The menu interface is simple to navigate; you can sort through content by device and then narrow it down by category. One quirk I ran into involved the photo slideshow: To go backward or forward through the slides manually, you press the up/down arrow keys on the remote, not the left/right arrows as I would have expected. Instead, the left/right keys rotate the photo.

The device does have some limitations. For one thing, the FreeAgent Theater doesn't play unprotected AAC audio files at all. So any music you've ripped from your CD collection using iTunes' default settings--along with any iTunes Plus (DRM-free) songs you've purchased--can't be played via the FreeAgent Theater. Also, the only way it can play back MPEG-4 video is if that video uses the DivX, Xvid, or AVI codec.

By and large, the FreeAgent Theater does an admirable job; and for many users, it should provide an easy, painless way to release the media held hostage on their PC. For high-end users, though, the lack of HDMI output may be a deal-breaker.

Microsoft halts Windows 7 beta downloads

2009-02-16T02:49:00.000-08:00

As promised late last month, Microsoft Corp. last week shut off the Windows 7 beta spigot for users looking to test the software.

Microsoft has not said when it will offer an updated build of Windows 7 to the public, although Steven Sinofsky, senior vice president in charge of the Windows engineering group, said late last month that the software will move directly from the current beta version to release candidate status.

In the past, Microsoft has run through multiple public betas of its operating systems before shipping a release candidate, the last step in the testing process.

The company did note that subscribers to the TechNet and Microsoft Developer Network services can continue to access the Windows 7 beta. The beta is set to expire Aug. 1, after which users must upgrade to a newer version or reinstall an earlier Windows release.

Hackers attack antivirus firm's tech-support site

2009-02-16T02:48:00.000-08:00

A Kaspersky Lab technical support site was hacked late last month, exposing private customer information for 11 days, the Moscow-based security company admitted last week. The company learned of and closed the breach on Feb. 7 after it was notified by the Romanian hackers.

"This is not good for any company, especially for a company dealing with security," acknowledged Roel Schouwenberg, a senior antivirus researcher at Kaspersky, in a conference call last week. "This should not have happened."

The company had revamped the U.S. support site and relaunched it on Jan. 28. From that point until Feb. 7, the support database was open to attack, Schouwenberg said. The revamped site has now been replaced by the old version.

In a blog post, the hackers claimed that they were able to access a customer database that held e-mail addresses and software-activation codes by launching a SQL injection attack.

Schouwenberg confirmed that the database was hacked via SQL injection, but he contended that only the database's table labels were accessed, not the customer data. However, the e-mail addresses of about 2,500 customers and some 25,000 activation codes were at risk, he noted.

Schouwenberg said the hack was made possible by a combination of vulnerable code crafted by an unnamed third-party vendor and poor code review by Kaspersky.

Kaspersky hired Next Generation Security Software Ltd.'s David Litchfield, an expert on SQL injection attacks, to audit the systems. His report, delivered Feb. 12, confirmed Kaspersky's findings.

Microsoft lashes out at Adobe over Silverlight comments

2009-02-16T02:47:00.000-08:00

Microsoft is crying foul over recent comments made by an Adobe executive that Silverlight has "fizzled" as a competitor to Adobe's Flash.

In his blog, Tim Sneath, director of the Windows and Silverlight technical evangelism team, accused Mark Garrett, Adobe's executive vice president and CFO, of "living in a fantasy world" if he thinks that Silverlight adoption is waning.

"The idea that Silverlight is in anything other than rude health is more to do with what Adobe would like to be the case, rather than what actually is the case," he wrote in the blog posting. "The suggestion that 'Silverlight adoption has fizzled out in the last 6-9 months' is pretty risible, in fact. For starters, Silverlight 2 shipped four months ago, and in just the first month of its availability, we saw over 100 million successful installations just on consumer machines. That doesn’t sound like 'fizzling out' to me."

Sneath was responding to comments Garrett made when answering a question about Silverlight and the competitive landscape at the Thomas Weisel Partners Technology & Telecom Conference 2009 in San Francisco on Tuesday. In his comments, confirmed Thursday by an Adobe representative, Garrett said Silverlight adoption was strong when the technology was right out of the gate but has tapered off in the past six to nine months.

Sneath's reference to Silverlight 2, the second version of the technology, is key to his defense of the technology. Silverlight, which comprises a tool for developing and designing Internet applications and a media player for delivering content, was first introduced in Version 1.0 in April 2007. However, it wasn't until the release of Silverlight 2 that the technology was fully baked and became truly viable as an alternative to Adobe Flash.

But Microsoft lost customers when Silverlight didn't live up to its expectations, even after Silverlight 2 was released. MLB.com, which switched from Flash to Silverlight to stream live baseball games beginning in August 2007 with Silverlight 1.0, said in November -- a month after 2's release -- that it was dumping Silverlight and had signed a two-year deal with Adobe to use Flash again for live streaming.

That said, some high-profile Web sites have used Silverlight 2 to live-stream some notable events recently -- the inauguration of U.S. President Barack Obama last month and the 2008 Summer Olympics in August were among them.

In his post, Sneath pointed out some other recent high-profile Silverlight customers, not just in the U.S. but also overseas. In the U.S., both Netflix and the Home Shopping Network launched on-demand services that use Silverlight, he said. In Europe, satellite broadcast network Sky launched a video-on-demand service using Silverlight in December, and the technology also is being adopted for television broadcasting portals in Japan and Korea, Sneath added.

But Flash has had a significant head start, and adoption of the technology remains strong, according to Adobe. It has been doing some touting of its own lately, not just about Flash but also about a new technology, Adobe Integrated Runtime (AIR). AIR allows developers to use the same tools with which they build Web-based applications to create desktop apps.

Two weeks ago, Adobe said the newest version of Flash, Flash 10, was installed on more than 55% of computers worldwide in the first two months of its release and is expected to surpass 80% adoption by the second quarter, the fastest installation rate of any versions of the technology. Moreover, AIR has reached nearly 100 million installations in less than a year after release.

Flash is actually gaining momentum since Microsoft released Silverlight, according to comScore research for 2008 that shows Flash increasing its worldwide share of video on the Web from 66% to more than 80%.

Also, although Silverlight has scored some high-profile Web sites as customers, enterprise developers have said its adoption among businesses -- a scenario in which it actually has an advantage over Flash because of Microsoft's historical strength in that market and the ability of developers to use .Net tools to build Silverlight applications -- has been lackluster.

Developers cited Silverlight 2's launch during an economic recession -- when businesses, particularly enterprises, are hesitant to switch to new technologies -- as a factor hampering its adoption.

Microsoft plans retail stores, hires Dreamworks exec

2009-02-16T02:46:00.000-08:00

Microsoft Corp. plans to open its own retail stores to "transform the PC and Microsoft buying experience," the company said Wednesday as it hired an executive to run the retail operation.

The stores will help Microsoft engage more deeply with consumers and learn firsthand about what they want to buy and how, according to a Microsoft statement. Deciding where the stores will be located and what they'll look like will be the first order of business for David Porter, who will report to work on Monday as corporate vice president of retail stores.

Microsoft has long been perceived as lagging behind rival Apple Inc. in appealing directly to consumers, and Apple has a head start of several years in running a chain of stores. While Microsoft makes its own Xbox game terminals, Zune media players and some other devices, it doesn't have a branded PC product of its own like Apple's Macintosh.

In December, Apple neared 10% of PC sales while Windows lost a full percentage point of share for the second month in a row.

With the retail strategy, Microsoft said it hopes to articulate and demonstrate its innovation and value proposition. It will pass on lessons it learns from the stores to its retail and OEM partners.

The move comes as the company gears up for the release of the Windows 7 PC operating system as well as new releases of Windows Mobile and of the Windows Live online portal. It follows changes Microsoft has made to its marketing efforts as the Windows Vista operating system took on a negative image.

Porter has been head of worldwide product distribution for Dreamworks Animation SKG since 2007, and before that, he spent 25 years at Wal-Mart Stores Inc. His last position there was vice president and general merchandise manager of entertainment.

Microsoft has already had at least one retail store. In 1999, it opened a large store on the second floor of Sony's Metreon entertainment and shopping complex in downtown San Francisco. Among other things, visitors to the store could try out Windows CE-based handhelds and buy Microsoft apparel, souvenirs and shrink-wrapped software. The shop closed several years later, as did most of the other non-Sony-related businesses in the complex.

Pirates prefer Windows XP over Vista, says Microsoft

2008-10-22T23:30:00.000-07:00

It's planning a PR campaign for early '09 to fight piracy as XP is retired

Software counterfeiters pass on Windows Vista and instead prefer to pirate Windows XP, a Microsoft Corp. attorney said today, outlining a practice that tracks with the leanings of many of the company's customers.

While explaining the "Global Anti-Piracy Day" educational and enforcement effort Microsoft launched today, Bonnie MacNaughton, a senior attorney with the company, acknowledged that pirates prefer Windows XP over Vista.

"Historically, counterfeiters tend to focus on the 'n-1' version of software," MacNaughton said. "Because of the more robust antipiracy and security features in Vista, most sophisticated piracy rings still continue to focus on XP. But that's changing over time."

That pirates have stuck with XP -- which retains the bulk of the Windows operating system's market share -- is "very consistent with what we've seen in counterfeiting in the past," said MacNaughton. "There's usually a lag of between one and two years [before they can] figure out how to replicate those antipiracy and security features."

Counterfeiters currently copy Office 2003 rather than the newer Office 2007 for the same reasons, she said.

MacNaughton also touted the day's announcements of new initiatives and lawsuit filings scheduled to take place in 49 countries, ranging from Argentina to the U.S. "As counterfeiters have gotten more sophisticated, we have realized that this is not a situation that we can address alone," she said. "And we want to stress [today] the collaboration with Microsoft's partners and customers, and governments."

In the U.S., Microsoft filed 20 new lawsuits in federal court against software resellers that, according to the company's allegations, either sold pirated copies of Microsoft Windows XP Professional and Office or installed the counterfeit software on new PCs. Nine of the lawsuits were filed in California; two each were filed in Ohio, Oregon and Texas; and others were filed in Connecticut, Florida, Louisiana, Minnesota and New York.

MacNaughton also said that Microsoft is planning on another antipiracy educational effort early next year to make sure that customers know Windows XP's lifespan is coming to an end. "We're expecting that counterfeiters will attempt to fill the void at XP's end of sales," she said.

Microsoft will halt Windows XP Professional sales to small mom-and-pop computer sellers after Jan. 31, 2009. Larger computer manufacturers, such as Dell Inc. and Hewlett-Packard Co., however, will be able to obtain XP media for "downgrades" from Vista Business and Vista Ultimate licenses through the end of July 2009. Microsoft only recently said that it would extend shipments of XP to OEMs; previously, it had said it would stop the practice in January.

According to MacNaughton, Microsoft will roll out a campaign in early 2009 that will remind people of XP's demise and warn them that copies they obtain after those end-of-sale dates could be counterfeit. "We're planning [a campaign] in January or February to make sure our customers know what our rules and policies are about Windows XP," she said, "to make sure they understand what may be illegitimate and what may be legitimate. We want to make sure that the XP they might be getting is genuine."

Data compiled in August by a Florida developer of Windows performance metrics software showed that more than one-third of all new PCs are still downgraded to Windows XP from Vista, either by the user after purchase or by the computer maker at the factory.

Sun is a software company, new top shareholder says

2008-10-22T23:29:00.000-07:00

The investment company that announced Wednesday it has taken a 21 percent stake in Sun Microsystems believes the market doesn't get one important thing about the workstation and server vendor: It's a software company.

At least, that's what Staley Cates, president of Southeastern Asset Management, told investors last June, after his company acquired 10 percent of Sun's stock.

"Sun Microsystems is kind of interesting because it's progressively less of a server company and more of a software company; it's more about Solaris and Java," Cates said at a shareholder meeting for the Longleaf Partner Funds that his company manages. "And that's kind of a change that we don’t think the market's on to at all."

Although Sun still generates the vast majority of its revenue from server and workstation sales, CEO Jonathan Schwartz may now be paying special attention to Cates' message.

Southeastern has been increasing its stake in Sun this year, and on Wednesday it said it had changed its ownership status in the company in a way that allows it to take a more active hand in its management, according to a filing with the U.S. Securities and Exchange Commission. It also said it has been meeting with Sun's management to talk about ways to "maximize the value of the company."

"We welcome feedback from our shareholders and welcome their insight," a Sun spokeswoman said Wednesday. Neither Sun nor Southeastern Asset Management would elaborate on what was discussed at the meetings. Southeastern Asset Management, based in Memphis, Tennessee, does not focus exclusively on technology stocks, but it has also invested in Dell, Symantec and Level 3 Communications.

In recent years Sun has emphasized the strategic role software plays for the company, switching its stock symbol from SUNW to JAVA last year, and placing more marketing dollars in its Solaris operating system. "We are no longer simply a workstation company," Schwartz wrote in a blog post explaining the ticker symbol change.

Earlier this year Sun spent US$1 billion to pick up open-source database vendor MySQL; however, moves like the acquisition haven't helped Sun's stock price. It has plunged from nearly $25 per share a year ago to a close of $4.72 on Wednesday. Schwartz, who ascended to CEO from the ranks of Sun's software division, has said he sees the company as a "systems" vendor that sells both hardware and software.

Asked recently if Sun would consider selling the company's hardware business to focus exclusively on software, Schwartz said it made more sense to continue as a systems vendor, but he did appear open to this possibility. “We are always thinking about being more creative on behalf of our shareholders,” Schwartz told the New York Times. “We want to drive maximum value for them.”

Clues hint at Windows 7 debut in 2009

2008-10-22T23:27:00.000-07:00

Microsoft says next month's annual WinHEC will be last before launch

Microsoft Corp. may release Windows 7 as early as next November, bloggers speculated today, pointing to postings on the company's own Web site and comments made by the CEO of Asustek Computer Inc., the company that makes the popular Eee PC line of netbooks.

According to Long Zheng, who writes the Istartedsomething.com blog, and Ed Bott, a well-known Windows blogger, clues point to a 2009 release of Windows 7, the successor to Windows Vista.

Long noted that Microsoft's site for its upcoming Windows Hardware Engineering Conference (WinHEC), which opens Nov. 5 in Los Angeles, warns developers that this year's event will be the last before Windows 7's launch. "Be one of the first to see what's new in Windows 7 and be among a select few to receive a prebeta build of Windows 7," the Microsoft site reads. "WinHEC is the only chance for you to engage with the team at this level -- there is not another WinHEC planned before Windows 7 is released."

WinHEC has been an annual affair since 1991 and has typically been held in April or May. Microsoft delayed the conference this year, however, pushing it back from that usual window to November.

Microsoft has not set a ship date for Windows 7, although executives have said their goal is to launch the operating system three years after the debut of Vista, which was released to businesses in November 2006 and to consumers and PC makers in January 2007. Analysts have typically interpreted Microsoft's broad timetable to mean that Windows 7 will ship in the second half of 2009 or in early 2010.

If Microsoft didn't unveil Windows 7 until 2010, that would mean it would be skipping a WinHEC event during 2009, a first.

Bott also pointed to a story in Laptop magazine that quoted Jerry Shen, the CEO of Asustek, also known as Asus, who said his company would move from Windows XP straight to Windows 7 as a choice for the Eee PC netbook line. Shen pegged Windows 7's release date as the second half of next year.

"We don't plan on putting Vista on any of the Eee PCs," Shen told the publication. "I think in the future, in the second half of next year, we will put Windows 7 on Eee PCs."

Mike Elgan has also said that Asus plans to unveil touch-screen laptops early in 2009 that would take advantage of Windows 7's support for a multi-touch user interface when the operating system is released.

Last month, after Microsoft announced that it would hand out alpha versions of Windows 7 at both WinHEC and its Professional Developers Conference (PDC), scheduled for next week, Michael Cherry, an analyst at Directions on Microsoft, said that it was a good, though not sure, bet that the company is on track for a late 2009 or early 2010 launch. "We now know they're making progress," Cherry said then. "They at least have something they're confident enough in to share. But the next question is, how far along is it? And we won't know that until people load it up."

At the time, he also noted that although Microsoft slates PDC based on software releases -- which means the events aren't on a set schedule -- WinHEC is an annual affair.

Wall Street's collapse may be computer science's gain

2008-09-29T08:49:00.000-07:00

The collapse of Wall Street may help make computer science and IT careers attractive to students who abandoned these fields in droves after the pop of the last big bubble, the dot-com bust of 2001.

William Dally, chairman of the computer science department at Stanford University, said that for the last several years, he has watched some students interested in technology go into banking and finance because those fields could be more lucrative.

"Many thought they could make more money in hedge funds," Dally said. He said students are returning to computer science because they like the field and not because it can necessarily make them rich.

John Gallaugher, associate professor of information systems in the Carroll School of Management at Boston College, said he's already seeing a shift in student interest.

"Students have commented to me and written on their course wikis that they're considering changing from finance [majors], both based on the appeal of IS and concern over availability of finance jobs" in the future, Gallaugher said.

After the dot-com bust, computer science enrollments began declining, reaching a low of 8,021 last year from 14,185 in 2003-2004, according to the Computing Research Association (CRA) in Washington, which tracks year-over-year enrollment and graduate trends at 170 Ph.D.-granting institutions.

"Current economic conditions seem to impact the choice that students make in the majors they choose -- that has been true for computer science," said Jay Vegso, a CRA analyst who studies computer science enrollment trends. "Students who are now choosing majors might be looking for safer alternatives," he said, and IT may be a safer alternative.

The dot-com era was a wonderful time to be young, computer-savvy and in search of stock-option riches. Wall Street poured billions of dollars into hundreds of companies that were making little or no money. For instance, Webvan Group Inc., a grocery delivery firm in Foster City, Calif., that was founded in 1997, had so much money that it bought a rival, HomeGrocer, in 2000 for $1.2 billion in stock. Webvan ended in Chapter 11 bankruptcy in 2001.

If the dot-com meltdown wasn't enough, offshore outsourcing also scared away students from technology. In 2004, Carly Fiorina, then CEO of Hewlett-Packard Co., summed up the offshore trend this way: "There is no job that is America's God-given right anymore." Fiorina is now an adviser to Republican Sen. John McCain in his bid for the White House.

Today, companies are suffering from a shortage of technology professionals and baby boomer retirements will only add to the problem.

"The pipeline is inadequate for IT professionals," said Jerry Luftman, who is involved in academics and business as associate dean at the Stevens Institute of Technology's Howe School of Technology Management in Hoboken, N.J., and vice president for academic affairs at the Society for Information Management in Chicago.

The big difference between today and the heyday period of the late 1990s is the type of student that businesses need, Luftman said. Technical skills are still important, but businesses also want to hire students with management and industry training, strong communications abilities, marketing and negotiation skills, he said.

According to the U.S. Bureau of Labor Statistics, IT jobs are among the fastest growing. On the top of the bureau's list of fast-growing career areas is network systems and data communications analysts, which it is forecasting will grow from 262,000 jobs in 2006 to 402,000 jobs by 2008, a 53% increase. Computer software engineers, applications, is expected to increase from 507,000 to 733,000 or 45%; while computer scientists and database administrators will rise from 542,000 to 742,000, a 37% increase.

Randal Bryant, dean of the School of Computer Science at Carnegie Mellon University in Pittsburgh, said his school saw student applications drop to a low of 1,700 from a peak of 3,200 in 2001 at the end of the dot-com boom.

But the situation has been turning around in the past few years, with 2,300 applications coming in last year, he said.

Bryant said he expects that the troubles on Wall Street will likely influence some students to switch majors in the coming months from business to other fields, including computer science. He also urges caution to those students.

"I like to tell students that if you make your career choice that quickly based on what is hottest this month, you're going to be graduating in four years and that field may not be hot anymore," Bryant said. "I tell them to major in something they like and not what's a likely short-term fluctuation in the job market."

"Our peak at the dot-com [period] included people in computer science who had no particular aptitude in it, but they thought they'd get rich," he said.

Microsoft unveils new Visual Studio version

2008-09-29T08:47:00.000-07:00

Microsoft Corp. today unveiled the next version of its Visual Studio integrated development environment (IDE) and detailed new features of its Visual Studio Team System (VSTS).

Microsoft did not disclose a release date for the updated tool set, called Visual Studio 2010. However, the company did outline the major themes of the new release and described several new application life-cycle management (ALM) tools that will be part of VSTS 2010, which is code-named "Rosario."

The new version of the developer tool set updates Visual Studio 2008, which was made generally available in January of this year. Microsoft released the first service pack for Visual Studio 2008 last month.

Microsoft said it built Visual Studio 2010 to incorporate what the company called its five major themes -- democratized ALM, riding the next platform wave, delighting developers, breakthrough departmental apps and enabling emerging trends.

As part of the ALM focus for VSTS, Microsoft said it plans to break down the walls that now exist between different developer roles in the development life cycle, such as architects, developers and testers.

Dave Mendlen, Microsoft's director of developer marketing, said VSTS 2010 will also allow teams to configure and adopt any flavor of the Agile development process. In addition, the software is aimed at allowing both technical and nontechnical users to create and use models to work together and graphically define software functionality, the company added.

For example, Mendlen added, the new version of VSTS expands on the notion of a continuous build, which was first introduced in VS 2008 to reduce the chances that developers will "break the build" by checking in bad code. The new tool set has incorporated workflow into the continuous build effort so that an organization can customize development processes, added Cameron Skinner, product manager of VSTS.

For example, he said, a company can create diagrams that show source code that has been inspected against defined restraints, or rules a company sets up to determine if developers are following sound architectural principles. "If a rule is violated … that information is surfaced to you and you can act on it," Skinner said. "We're trying to take the architectural diagrams and get them living and breathing throughout the entire life cycle for the team."

Another new tool, called Architectural Explorer, allows architects to build a graphical model that shows relationships and dependencies of code. This type of model can more easily show developers why certain restrictions are in place and how changes they make may affect other aspects of development, Mendlen said. The new version will support both the Unified Modeling Language and Domain Specific Language.

VSTS 2010 also includes a significant focus on testing. For example, there are new features to eliminate bugs that can't be reproduced and features to ensure that all code changes are tested properly, Microsoft said.

The new version also includes a tool to help developers understand the impact of test cases related to the source code being modified. As a developer makes changes, a window appears that shows the tests that would be impacted by those changes.

Developers and testers often have an adversarial relationship because a tester will find a bug and throw it back to a developer who has to stop work, revert back to that version of the code and try to reproduce what the tester has found. Because it can be difficult for a developer to reproduce that bug, they sometimes dismiss its existence, Mendlen said. The new tool set will include what Microsoft calls "TiVo for debugging," or a way for a developer to see what Microsoft describes as a video of the tester discovering the bug.

"We're actually capturing what is happening during the test process -- the entire state of the machine," Mendlen added. "The developer can watch the video and ... running this tool will emulate the experience of debugging."

A debugging log will put the IDE into a debugging state as if the developer is running the application itself, but the developer actually will only be replaying the debugging log, he noted.

Microsoft also announced today that VSTS 2010 will combine the current development and database editions in VSTS 2008 into a unified VSTS Development and Database product.

Existing Microsoft software assurance customers who currently own Visual Studio Team System 2008 Development Edition or Visual Studio Team System 2008 Database Edition will receive several products starting Oct. 1. The tools, distributed without charge, include the following:

Visual Studio Team System 2008 Development Edition
Visual Studio Team System 2008 Database Edition
Visual Studio 2005 Team System for Software Developers
Visual Studio 2005 Team System for Database Professionals

Microsoft, Washington state to sue 'scareware' pushers

2008-09-29T08:40:00.000-07:00

Microsoft and Washington state are cracking down on scammers who bombard computer users with fake warning messages in the hope of selling them useless software.

On Monday, the state's attorney general and lawyers from Microsoft's Internet Safety Enforcement team will announce several lawsuits against so-called "scareware" vendors, who are being charged under Washington's Computer Spyware Act.

The vendors targeted by the lawsuits are not being named until Monday, but the attorney general's office referred to them in a media alert sent out Friday as "aggressive marketers of scareware -- useless computer programs that bilk consumers by using pop-up ads to warn about nonexistent, yet urgent-sounding computer flaws."

This is not the first time Microsoft and Washington's attorney general have teamed up to fight scareware. In 2005, they jointly sued Secure Computer, a security software company they accused of using fake error messages to scare users into buying its Spyware Cleaner software. Secure Computer eventually paid $1 million to settle the charges.

Washington's attorney general has also brought lawsuits against companies such as Securelink Networks and High Falls Media, as well as the makers of a product called QuickShield, all of which were accused of marketing their products using deceptive techniques such as fake alert messages.

Fake alert messages can be effective. Earlier this week, researchers at North Carolina State University reported that computer users are highly likely to click on fake Windows error messages. In their study, nearly two-thirds of respondents clicked "OK" when presented with a phony Windows pop-up message.

The use of these fake messages is a growing problem on the Internet, said Katherine Tassi, Washington's assistant attorney general, in an interview earlier this week. Scammers are "getting more and more creative, and putting more and more effort into making them look like security messages," she said.

The most prevalent scareware program in circulation today is software called Antivirus XP 2008, according to Alex Eckelberry, president of Sunbelt Software. Often installed on a PC without proper notification, the software bombards victims with fake security warnings, trying to convince them to buy worthless programs that sometimes even harm their PCs

Federal grand jury meets on Palin hacking case

2008-09-24T08:40:00.000-07:00

As a federal grand jury convened to hear testimony about the hack of Alaska Gov. Sarah Palin's e-mail account, the lawyer representing the college student suspected of accessing Palin's messages called his client "a decent and intelligent young man" in a statement issued to the media today.

"The Kernell family wants to do the right thing, and they want what is best for their son," said Wade Davies, a partner in the Knoxville, Tenn., firm of Ritchie, Dillard & Davies PC, in the statement. "We are confident that the truth will emerge as we go through the process. David is a decent and intelligent young man, and I look forward to assisting him during this difficult period."

Meanwhile, a Chattanooga, Tenn., newspaper reported today that a grand jury had convened at the federal court there, but had not filed any indictments.

The Chattanooga Times Free Press said the grand jury met this morning, when the three roommates of David Kernell, 20, of Knoxville, appeared. The session ended without an indictment, said the paper, whose Web site was offline as of 3 p.m. Eastern time.

Kernell, a student at the University of Tennessee-Knoxville, was originally linked to last week's hack of Palin's Yahoo Mail account by self-appointed sleuths on blogs and message boards after someone identified only as "Rubico" posted a message claiming to have accessed Palin's mail. Others subsequently connected the Rubico handle to the e-mail address "rubico10@yahoo.com," which was in turn linked to Kernell.

Yesterday, the webmaster of a Georgia-based proxy service confirmed that his server logs showed the intruder used an IP address belonging to an Illinois Internet service provider that serves the Knoxville apartment complex where Kernell lives.

Early Sunday, FBI agents searched Kernell's apartment and served his roommates with subpoenas to appear at the Chattanooga grand jury.

Kernell is the son of Mike Kernell, a longtime Democratic state representative from Memphis.

Amazon's developer cloud service stumbles

2008-09-24T08:39:00.000-07:00

Amazon.com Inc.'s hosted Simple Queue Service (SQS) has encountered performance problems this month that have prompted users to question its overall stability and its viability for commercial applications.

The latest incident occurred on Monday, when SQS experienced increased error rates for about 35 minutes after an overloaded router triggered increased packet loss, according to Amazon's Service Health Dashboard for its Amazon Web Services cloud computing offerings.

Between Sept. 9 and 11, increased error rates also rocked SQS, and although Amazon restored the service's stability, the company didn't fully diagnose and fix the problem until Sept. 18.

"The specific change we rolled out is in the way we handle garbage collection in the back-end message nodes. With the removal of this root cause, the Amazon SQS issues of Sept. 9 to 11 have been addressed," Amazon wrote in the service dashboard on Sept. 19, referring to a system upgrade it had performed the day before.

In addition, SQS spit out an assortment of errors over several days in late August and early September, a situation that Amazon resolved on Sept. 4, according to postings from SQS users and Amazon representatives in this thread in the service's official discussion forum.

Since last week, some SQS users have been sounding off on another thread titled "SQS is way too unreliable, what's going on?"

"This is nowhere near the kind of reliability I need from a service that I'm using as part of a production app. Can we get some sort of statement on what's going on? Without some kind of assurance that this will be resolved very soon, I can't continue to use it," an SQS user identified as Paul Dowman wrote last week.

Amazon didn't immediately respond to a request for comment.

Amazon's S3 cloud-based storage service reported outages earlier this year, in February and again in July.

SQS is one of the hosted services that Amazon.com provides to developers via its Amazon Web Services (AWS) suite of generic computing, payment, billing, fulfillment and Web-search services. SQS is a hosted queue for storing messages that are in transit between computers. Developers can use it to move data among distributed components of their applications, according to the company.

AWS is part of a popular trend toward cloud-computing offerings in which vendors provide applications and IT infrastructure services via the Internet from their own data centers.

Cloud-based services and software offer customers an alternative to installing hardware and software on their own premises. In theory, following this cloud model can reduce hardware provisioning costs for clients and free them from maintenance responsibilities.

However, a major objection to cloud computing is the performance and availability of the services. If something fails in the vendor's data center, there is little for customers to do but sit and wait for a solution while fielding end-user complaints.

Microsoft leads effort to solve photo metadata problem

2008-09-24T08:35:00.000-07:00

Have you ever been vexed to find that the titles, keywords or ratings you painstakingly entered to organize your digital photo collection disappear when you move them from one software (or service) to another?

Or were you puzzled when the data created when you originally took the photo, such as the exposure, date/time or GPS location end up garbled or missing?

That's not surprising, according to Josh Weisberg, director of Microsoft Corp.'s rich media group. Despite prior standardization efforts, interoperability of photo metadata remains dismal.

"There are several existing standards, but they aren't talking to each other," he said.

Those efforts have failed, he said, because they have been led by vendors in one link of the digital photography chain -- camera manufacturers, or photo software makers -- that didn't consider the needs of other parties.

As a result, there are six different standards for storing something seemingly as simple as photo captions, he said.

Microsoft is leading an effort to fix this by creating a single specification that will, it is hoped, eventually unify all of the existing standards out there.

Announced today at the Photokina trade show in Cologne, Germany, the Metadata Working Group has six corporate members, all leading players in their respective areas of imaging, including Adobe Systems Inc., Apple Inc., Canon Inc., Sony Corp., Nokia and Microsoft.

So far, the group, led by Weisberg, has put out guidelines on how to treat eight key metadata fields. The guidelines are aimed at makers of cameras and cameraphones, software vendors, and Web services and search engines such as Flickr and Google.

They include fields for keywords, descriptions, date and time, location (with different fields for where the photographer was and where the subject was), orientation (i.e. is the photo meant to be displayed vertically or horizontally), rating, copyright and creator.

The guidelines also ask device and software makers to ensure that no metadata is ever deleted without explicitly asking the user, Weisberg said.

The specifications do not create new standards, but build on top of existing ones such as Adobe's XMP (Extensible Metadata Platform) or Exif (Exchangeable Image File).

In other areas, such as office documents, the trend is to use human-readable XML formats such as Office Open XML (OOXML) and OpenDocument Format (ODF), and not to store metadata in hard-coded fields but to embed it -- albeit invisibly -- along with the text or data.

Why not similarly embed these data fields in free-flowing XML and require software and services and search engines to figure out how to pull it out?

While that may work for "ad hoc" data such as captions or tags, Weisberg said that approach isn't up to snuff for highly technical, mathematical data such as GPS coordinates, altitude readings or compass headings. It would create more work for developers, who "would need to write a bunch of code to interpret that data," he said.

Standardizing the metadata doesn't mean that photographers will need to use all of the fields. Photographers may want to omit geographical tags, especially of children's photos, for privacy reasons.

There are no fees or royalties for vendors that want to ensure their products adhere to the specification, Weisberg said. Adhering to the standard is voluntary for any vendor, he explained, noting that attempting to force vendors to cooperate, even if it would be good for consumers, would likely trigger antitrust concerns.

But "there's no licensing cost and not a dramatic amount of engineering work. What's the downside of supporting it?" he asked, although he admitted that it will likely be several years before products supporting the guidelines begin to appear.

There's other work to be done. Only eight fields have been standardized. The Metadata Working Group could eventually rule on hundreds of them.

These guidelines today only apply to digital photos in the JPEG, TIFF and Adobe Photoshop PSD file formats. They do not yet apply to Raw, the format of choice for pro photographers, and, increasingly, advanced amateur photographers. The problem there, Weisberg said, is that there are multiple Raw formats, rather than a single industry one.

The group would like to someday take its specification to a standards body, such as ISO, but it has no timetable for doing so, he said.

Also, some key players haven't joined the Metadata Working Group. Both Yahoo Inc., which owns Flickr, and Google Inc. were invited, but they declined to join, Weisberg said.

Mozilla reacts to rivals with plans to beef up Firefox 3.1

2008-09-16T08:59:00.000-07:00

Mozilla Corp. will try to squeeze more into Firefox 3.1, in part as a reaction to rival browsers from Microsoft and Google, the company's chief engineer said today.

"Looking at where we are and the competitive browser landscape, we felt we would be doing a better job if we had another four to five weeks," said Mike Shaver, Mozilla's interim vice president of engineering.

Shaver wasn't sure what impact, if any, the additional work would have on Firefox 3.1's final release date, which Mozilla had targeted as late 2008 or early 2009. "It's too early to know what affect it will have," he said. "But that [late 2008/early 2009 time frame] is still what we're looking at."

In a lengthy post to the Mozilla.dev.planning message forum last week, Shaver spelled out what Mozilla hopes to do. There, he listed several features that would benefit from "one more 'feature cycle' " of development, including TraceMonkey, the browser's revamped JavaScript engine, and a privacy mode that was only recently slated for Firefox 3.1.

In an interview today, Shaver said the move was in part due to faster-than-expected progress on some features, such as extending TraceMonkey's capabilities into other areas of the Firefox code. "We saw we could apply those [TraceMonkey] techniques to performance in other areas, like [Document Object Model]. We think if we could bang on this a little longer, we would get more out of this," he said.

The desire to push TraceMonkey development wasn't a reaction to Chrome, the beta browser Google Inc. released two weeks ago. "That's not a reactive thing, it's just the next logical step," Shaver said, noting that Mozilla started work on TraceMonkey more than two months before Google announced Chrome.

But Shaver acknowledged that some of the extra work Mozilla would like to put into Firefox 3.1 is being prompted by competitive pressure. "We're not blind to the competitive landscape," he said. "We're watching other browsers as much as they're watching us."

He cited Mozilla's plans for a Firefox privacy mode as an example. Both Microsoft Corp.'s Internet Explorer 8, currently in beta, and Google's Chrome have tools that limit or eliminate what those browsers record during their travels.

"There's a difference between when just one browser has a feature and when it's in several," said Shaver. "There are user expectations."

Among the features of a Firefox privacy mode that Shaver would like to squeeze into 3.1 is one that would let users wipe surfing traces retroactively. "It would be nice if you could pretend these last two hours didn't happen," he said.

Other changes that may land in Firefox 3.1 between its first and second betas, said Shaver, include improvements to the location bar -- which Mozilla dubs the "Awesome Bar" -- and detachable tabs, a feature Chrome also sports that lets users drag tabs from a browser to the desktop to open a new window.

"In some ways, we get a free move" with the opportunity to look at rivals like IE8 and Chrome, study how they implement a feature and watch the reactions from users, said Shaver.

Currently in Alpha 2, Firefox 3.1 is scheduled to go "code freeze" at the end of this month, with a tentative ship in four weeks or so, said Shaver. "We're in good shape for mid-October to the third week," he said today.

Firefox 3.1 can be downloaded in its present form from Mozilla's site in versions for Windows, Mac OS X and Linux.

Microsoft issues wrong update for Exchange 2007

2008-09-16T08:55:00.000-07:00

Microsoft Corp. last week confirmed that it inadvertently released a pre-release version of an Exchange Server 2007 update that could push servers into an endless series of crashes.

The Update Rollup 4 for Exchange Server 2007 released to users via Microsoft Update and Windows Server Update Services (WSUS), Microsoft's two most popular update mechanisms, was a preliminary version, the company acknowledged.

"For a brief period of time on 9/9, a pre-release version of Update Rollup 4 for Exchange Server 2007 Service Pack 1 was inadvertently made available to Microsoft Update, the Microsoft Update Catalog and WSUS servers for download," an unidentified Microsoft employee said in a post to the official Exchange blog.

Once Microsoft discovered its error, it pulled Update Rollup 4 -- a collection of previously disclosed bug fixes -- from the update services but warned those who had already installed it that it could cause problems. "An issue exists with this pre-release version of the Rollup 4 with regard to the Exchange Web Service (EWS) that creates the potential for a continuous crashing cycle," the blog post continued.

Some users reported that they were unable to back up their Exchange servers after installing the rollup during its window of availability, while others had more dire stories to tell. "It bricked one of my 'just about to go live' servers (services wouldn't start, can't uninstall). Spent today building another one," said Alex Britton, in a message posted to the Exchange support forum. "Serves me right for not disabling the recommended auto-update auto install."

Microsoft recommended that users who had installed Update Rollup 4 uninstall it and then install the previous incarnation, Update Rollup 3.

That wasn't always easy, however, as a Microsoft Exchange engineer acknowledged in a comment added to the blog post. "I want to point out that there is an uninstall case that we just uncovered that people may hit," said Scott Roberts, a member of the Exchange team. After uninstalling Update Rollup 4, Roberts said, EWS is unable to read a configuration file; administrators must open the configuration file and manually edit it to replace instances of an incorrect path name.

Later in the comment thread, however, Roberts told a user to simply install Update Rollup 3 atop the faulty Version 4.

Microsoft did not provide a timetable for issuing a working edition of Update Rollup 4, although Roberts said that from this point forward, such updates would be released on the second and fourth Tuesdays of the month. Next Tuesday, Sept. 23, is the fourth Tuesday of this month.

The whole episode left a bad taste in some users' mouths. "I am sorry but this is absolutely unacceptable," said a user identified as "Andy" in the first comment added to the Exchange blog post. "If a pre-release patch can get into Microsoft Update, you leave me no choice but to disable Automatic Updates."

"We apologize for any inconvenience and are working to make sure this does not happen again," Microsoft said in the Exchange blog.

This isn't the first snafu in Microsoft's update services. In June and July, the company had to fix two bugs in other patching mechanisms, including WSUS and the higher-end System Center Configuration Manager 2007, that had kept administrators from pushing patches to end users' PCs.

Minding online store a case of 'Not my job' for eBay, legal foes

2008-08-19T10:17:00.000-07:00

Last month, a federal judge ruled that eBay Inc. had fulfilled its obligations to investigate and control users who were trying to use its Web site to sell counterfeit Tiffany goods — a decision that put the onus on Tiffany & Co. to monitor eBay's site itself.

The ruling by U.S. District Judge Richard Sullivan was a major victory for eBay in its fight with Tiffany and other luxury goods companies over the sale of their merchandise — counterfeit or otherwise — on its auction site. If the ruling stands, it could have big implications for trademark owners, which would have to deploy technology to scour eBay's site for counterfeit and pirated goods, have employees manually monitor the site or pay other companies to watch it for them.

But similar lawsuits filed against eBay in French and German courts haven't turned out in eBay's favor, resulting in a split decision internationally — and the possibility that in the end, eBay might have to bite the bullet and increase its own enforcement efforts.

On June 30, two weeks before Sullivan sided with eBay, the French Tribunal de Commerce in Paris ordered eBay to pay a group of companies a total of $61 million because it failed to stop counterfeit perfumes and other products from being sold through its site. That followed a similar, though much smaller, judgment against eBay by another French court in early June.

And last year, a court in Cologne, Germany, ruled that once eBay's subsidiaries in that country were notified that fake Rolex watches were being sold on the eBay Germany site, the company should have taken measures to prevent the recurrence of counterfeit Rolex postings.

The financial stakes are high on both sides of the legal dispute. Tiffany, which last week filed an appeal of Sullivan's ruling in the U.S. Court of Appeals in New York, said that in the five years before the lawsuit was filed in 2004, it spent $14 million on technology and manpower to police its trademarks on eBay's site.

But between $3 million and $5 million of Tiffany's spending was on the lawsuit itself, and Sullivan described the New York-based company's overall monitoring tab as "relatively modest" in his ruling.

Meanwhile, eBay, which is appealing the European court decisions, said it spends $20 million annually to identify counterfeit goods on its site. That figure would likely increase substantially if eBay were forced to take on more responsibility for rooting out sales of fake products. And the company probably would have to change the way it handles counterfeiting across the board, not just in those two countries.

"EBay operates on one technology platform, and to the extent that eBay has to change its business model in other countries — it would change it everywhere," said Heather McDonald, an attorney at law firm Baker & Hostetler LLP in Cleveland.

McDonald, who specializes in intellectual property enforcement and anticounterfeiting litigation, added that if eBay didn't do so, trademark owners in the U.S. could argue that the company was offering more protections to foreign businesses than it was to them.

"If we have to change our business in relation to [the Tribunal de Commerce's] ruling, it will be a massive undertaking," eBay spokeswoman Nichola Sharpe acknowledged. "We don't view it as just affecting eBay France, but affecting all eBay sites globally."

McDonald and other legal experts said the different rulings weren't surprising, because European courts typically take a stricter stance against trademark infringement and the sale of counterfeit goods than their U.S. counterparts do.

On the other hand, eBay said the ruling in the U.S. case confirms what it has maintained all along: that its efforts to stop counterfeit sales have been reasonable. According to Sharpe, eBay removed 2.2 million potentially counterfeit listings worldwide last year alone. It also suspended about 50,000 sellers who were found to be offering fake goods and took steps to make it harder to post such items, she said.

One of the ways that eBay tries to stop the sale of counterfeit goods is through its Verified Rights Owner Program, or VeRO, which provides software tools to help companies look for fake goods on its site. More than 18,000 businesses take part in VeRO, eBay said; if a company determines that a seller is peddling counterfeit merchandise, it notifies eBay, which immediately takes down the auction.

McDonald said businesses that want to invest in a technical solution to the monitoring problem can write algorithms that automatically scan eBay for listings with their brand names, then dump the information into spreadsheets so workers can determine whether the products are counterfeit.

Ethan Horwitz, an intellectual property attorney at King & Spalding LLP in Atlanta, said trademark owners also can buy packaged software from vendors such as MarkMonitor Inc. and OpSec Security Group PLC that combs the Web and finds uses of their brand names. Or, they can hire services firms to do the online sleuthing for them, he said.

Over a period of about 18 months, the Software & Information Industry Association spent hundreds of thousands of dollars to develop a tool to help it check for counterfeit or pirated software on eBay's site — money that the SIIA said should have come out of eBay's pockets.

Tiffany says eBay can't ignore fake goods on its site

In its appeal of U.S. District Judge Richard Sullivan's ruling in favor of eBay, Tiffany argues that trademark law doesn't allow online auction sites to turn a blind eye to the problem of counterfeit goods.

James Spire, a partner at Washington law firm Arnold & Porter LLP who is representing Tiffany in the case, said that prior court decisions have held that flea market operators and store owners have "a duty to investigate and take action" if they know of a problem with counterfeiting. "In neither instance is there any obligation on the trademark owner to investigate what is happening on-site," he added.

But Tiffany is fighting an uphill battle on the appeal, according to Ethan Horwitz, an intellectual property attorney at law firm King & Spalding. Horwitz said Sullivan's ruling was a "well-reasoned decision" with a solid legal basis for its finding that Tiffany had done "very little, if anything," to protect its trademarks.

Eric Goldman, an assistant professor and director of the High Tech Law Institute at the Santa Clara University School of Law, agreed that the ruling was "almost uniformly thoughtful, thorough and well researched. It looks like the judge intentionally wrote it to be as appealproof as possible."

But Goldman added that if Tiffany does lose on appeal, he wouldn't be surprised to see the battle move to Congress.

In a statement, eBay said Tiffany's appeal "doesn't do anything to combat counterfeiting." The best way to stop the sale of fake goods, it added, is "ongoing collaboration between companies, government agencies and law enforcement."

The SIIA last month threatened to sue eBay over the issue. Like Tiffany, the trade group contended that eBay is making money from the sale of counterfeit and pirated goods and thus should bear the financial burden of stopping such sales.

"At some point, the trademark and copyright owner has done as much as possible," said Keith Kupferschmid, the SIIA's vice president of intellectual property policy and enforcement. "There's so much piracy on the site that eBay really needs to do something [more] about it."

But the ruling in the U.S. case instead reinforced the position that trademark owners have to bear most of the expense of monitoring third-party Web sites.

"[Tiffany] complained, and the court basically said, 'Tough,'" said Eric Goldman, assistant professor and director of the High Tech Law Institute at the Santa Clara University School of Law.

Sullivan's position is that eBay has to be the enforcer but not the detective, noted Horwitz. That puts the burden on trademark owners to do their own investigating of items listed on the eBay site, he said.

At least in the U.S. And at least for now — until the appeals process decides who really should be minding the online auction store.

Google solves Gmail outage, but questions remain

2008-08-19T10:15:00.000-07:00

Late Friday night, Google Inc. resolved the third Gmail outage of the past two weeks, but questions remain about the stability of the webmail service, which is affecting the Google Apps hosted software suite.

Like the previous two outages, the latest one occurred as a log-in error that locked users out of their accounts. This time, some users were prevented from accessing their accounts for more than 24 hours.

All three outages affected not only individual Gmail users, but also people who use it as part of the Google Apps suite of collaboration and communication applications.

Google acknowledged the Gmail problem Friday and said it affected "a small subset" of the service's users. The company didn't immediately comment about what is causing the recurring log-in problem, nor did it provide a more specific figure for the amount of Gmail users affected.

The long outage was painful for several Google Apps users contacted via e-mail.

Denmark's chapter of Fair Allocation of Infotech Resources (FAIR), an international nonprofit group, just started using Google Apps. When the outage hit, system developer Benjamin Bach was showing the suite to his colleagues ahead of the planned launch of FAIR Denmark's Web site this week.

The outage lasted more than 24 hours. "Seeing such a long outage during the very first few days makes us wonder if a free solution provided by Google is actually 'pro' enough for us. We cannot correspond with schools in Africa or partners in Denmark and afford being out of mail for a whole day," Bach said.

FAIR, based in Norway, is devoted to supplying computer products to developing countries. The Denmark chapter is just getting off the ground and expects to grow its Apps user base from four people to as many as 20.

Google Apps comes in several versions, including Basic and Education, which are free, and Premier, which costs $50 per user per year and includes additional functionality, a 99.9% uptime guarantee for Gmail and phone-based technical support.

"I can give them a lot of credit for providing a free service, but they lose some of that when saying, 'Your e-mail is totally inaccessible, and we're not going to tell you why or for how long.' It's arrogant. I'm a system administrator, so I deserve to know a little more," Bach said.

Indeed, Google seemed slow to address this latest outage. The first reports started appearing in the official Apps and Gmail discussion forums on Thursday afternoon Eastern time. However, Google didn't acknowledge the problem in the forums until almost 5 p.m. on Friday, more than 24 hours after the first reports appeared. Google declared the problem solved shortly after 10 p.m. on Friday.

Also without Gmail for more than 24 hours was Howard Feldstein, chairman of the Mexico chapter of Democrats Abroad, the official U.S. Democratic Party organization for American expatriates. "We're quite busy leading up to the convention. I have relied on Gmail not only for e-mail but for my primary contact list and was totally isolated for more than a day," he said.

Abhishek Parolkar, an IT consultant in Bangalore, India, also lost access to his Google Apps and Gmail accounts for more than 24 hours, which disrupted important billing messages from clients.

Sadie Upchurch, president of Glinting Communications, a public relations firm near Atlanta, was affected for about 15 hours. "I was on client deadlines and had to work around for reroutes and resends of e-mails from those clients," she said.

"I do remind myself that I'm not paying for the service and that there's a level of patience and adequate backup you've got to have when you're getting something for free," she added.

Still, it's common for organizations to try out Google Apps via its free Basic version before considering a move to the fee-based Premier edition, so a wobbly e-mail component is unlikely to entice anyone to upgrade. Google serves all of its Gmail users, from individuals to Google Apps Premier account holders, from the same infrastructure, so Gmail outages hit all types of users indiscriminately.

The suite, even its free version, is geared toward workplace use and designed for employee collaboration, which is why it contains calendar, word processing, spreadsheet, presentation and Web site creation applications.

For that reason, it's unlikely that Google would consider several lengthy Gmail outages in a span of two weeks as the norm for Apps. After all, Google has aspirations that Apps will grow its very small presence among large enterprises, which demand high performance and availability levels from their software. Apps is currently used mostly by small organizations.

Microsoft faces Taiwan antitrust investigation

2008-08-19T10:14:00.000-07:00

Taiwan's Fair Trade Commission has launched an investigation into whether Microsoft Corp. holds a monopoly position over the island's software market and whether it abuses such a position, an official said today.

The government investigation into Microsoft will also look into complaints that Microsoft is limiting consumer choices by restricting the availability of Windows XP on new PCs and whether pricing of Microsoft products is fair to consumers on the island.

Taiwan's investigation is unique in that no other region where Microsoft has previously faced regulatory issues, including the U.S., Europe and South Korea, is currently looking at the company for the same reason.

"Taiwan doesn't have its own [OS] software," said an official from the Fair Trade Commission. "Most people in Taiwan use Microsoft software and depend on it for work. Their market share should be very high," she said.

Should the world's largest software maker be found to have broken Taiwanese antitrust laws, the company could face a fine of up to $797,361 and could be forced to change some of its business practices on the island.

"We fully intend to comply with the process and make sure they get all the information they need," said Matt Pilla, Microsoft's director of public relations in Asia.

Taiwan's investigation was launched in part due to urging by Taiwan's nonprofit Consumers' Foundation.

The group last month called on Microsoft to continue selling Windows XP as an option on all new PCs, saying that discontinuing sales of the operating system would violate Taiwanese antitrust laws. The Consumers' Foundation alleges that Microsoft is using its market position to try to force people in Taiwan to switch to Windows Vista.

The foundation conducted a survey on the island that found 67% of consumers are opposed to Microsoft's decision to stop selling XP at the end of June.

The main complaint is over a lack of choice when people buy new computers. Around 56% of survey respondents who had bought a new computer recently were told they could not buy Windows XP and instead were forced to purchase Vista, the foundation said.

The foundation said Microsoft controls 98% of Taiwan's operating system market share, with 75% of survey respondents using Windows XP on their PCs and 23% using Vista.

A majority of respondents to the survey, more than 53%, said they did not think Vista is as useful as XP, while 23% said Vista is the better operating system.

Pilla pointed out that Microsoft has extended XP's life beyond traditional norms for the company, including allowing it to be sold on certain systems meant for businesses until June 30, 2009, and on ultralow cost PCs through June 30, 2010.

Extending the life of an older product isn't easy, he said. By extending the dates of usage, Microsoft also has to extend the time it will support Windows XP, which now stands at April 2014.

Long after it will cease being sold, the product will still have to be updated with new hardware drivers and other software support.

In addition, most of Microsoft's software developers are working on Vista, so the company has to reallocate resources to continue working on XP.

Taiwan's Fair Trade Commission investigation is at least the third action taken against Microsoft in recent years.

In 2004, the commission worked with Microsoft to resolve disputes around Windows Media Player after a ruling by the European Union found Microsoft guilty of trying to destroy competition in that market. A year earlier, the commission reached a settlement with Microsoft over the bundling of Office software.

Microsoft issues massive security update for Windows, Office

2008-08-13T08:37:00.000-07:00

Microsoft Corp. today released its largest security update in 18 months to patch 26 vulnerabilities in Windows, Office, Internet Explorer (IE), Windows Messenger and other software.

"Today is a perfect storm of client-side issues," said Amol Sarwate, manger of Qualys Inc.'s vulnerabilities research lab. "Most or all of Microsoft's client-side applications are affected or patched."

At least two of the vulnerabilities have already been exploited in the wild, Microsoft acknowledged. Those two, plus another pair, said one security researcher, should be considered "zero-day" bugs because technical details about the flaws had been circulating prior to today.

"It's all about the count today," Sarwate said. "This is the largest update in 2008, and the largest in the last 18 months. We have two that we know have been exploited and four zero-days."

Even though today's updates -- 11 total bulletins, six of which were tagged as "critical," Microsoft's highest threat rating -- set a 2008 record, Microsoft left one expected fix off the table. Last week, it said it would patch one or more critical flaws in Windows Media Player 11, the version bundled with Windows Vista.

Microsoft has yanked updates at the last minute in the past, and the company typically cites reliability concerns with the patch or says it was not able to wrap up testing in time. It did the same today. "The bulletin has been removed prior to today's bulletin release because of a last-minute quality issue," said Christopher Budd, a spokesman for the Microsoft Security Response Center (MSRC) in an e-mail.

Of today's 11 updates, two were most anticipated: a patch for a bug in the Snapshot Viewer ActiveX control, which is bundled with Access, Microsoft's database application, and one for a less-critical flaw in Microsoft Word that the company confirmed in a July 8 security advisory. The former was patched by MS08-041, while the latter was fixed by MS08-042.

The Snapshot Viewer and Word vulnerabilities have been exploited by attackers, making them especially important to patch, Sarwate said.

Andrew Storms, director of security operations at security vendor nCircle Network Security Inc., saw two major themes in the massive update. "There's a lot of file-parsing vulnerabilities here," he said, " and a ton of replacement bulletins."

File-format bugs are not new to Microsoft's software, especially the applications in its Office suite, but the number patched today -- a full dozen altogether -- took Storms by surprise. "Every Office product got touched today," he said. "The good thing is that if Office 2007 [applications] are affected, they're less affected, because the file format changed with that version."

File-format vulnerabilities -- like the ones patched in Excel (MS08-043), Office in general (MS08-044) and PowerPoint (MS08-051) -- remain valuable to attackers, Storm maintained.

"They'll continue to pop up because the file formats, the older formats in particular, have been so well documented outside of Microsoft," Storms said.

On the theme of replacement bulletins, Storms noted that seven of the 11 updates unveiled today replace earlier Microsoft security patches. "It's not unusual to have a few, and by 'a few' I think of one or two, maybe three, but we're looking at a full deck here.

"It tells me that one of the best ways to find new vulnerabilities continues to be to look at what Microsoft has patched in the past and what they might have missed when they did," Storms said.

That tactic pays dividends, he argued, citing the large number of replacement updates as proof. "Absolutely, this works. You look in the same area of code as the fix Microsoft applied. Maybe the function call they patched here is being used somewhere else."

While Microsoft addressed six critical vulnerabilities in its IE browser today with MS08-045, it did not tackle a bug first reported in 2006 that returned to the limelight in May 2008 when security researcher Aviv Raff claimed that it could be combined with the so-called "carpet bomb" flaw in Apple Inc.'s Safari. Apple and Mozilla Corp. have patched their browsers to prevent the kind of blended threats that Raff has outlined.

Microsoft also issued a separate security advisory today that announced it had set the "kill bits" for a pair of third-party ActiveX controls from Hewlett-Packard Co. and Aurigma Inc. The practice, which debuted in April, lets Microsoft disable vulnerable ActiveX controls remotely through its Windows Update service.

Microsoft kills more third-party ActiveX controls

2008-08-13T08:34:00.000-07:00

Microsoft Corp. today issued "kill bit" updates for ActiveX controls from HP and a Washington state developer, the third time it's disabled third-party add-ons in the last four months.

One security researcher linked the release to a new program Microsoft announced last week that's designed to help other vendors find and fix bugs in their own software.

Microsoft disabled ActiveX controls from two companies, Hewlett-Packard Co. and Tacoma, Wash.-based Aurigma Inc., in its kill bit update, according to the security advisory issued today. The update was released through Windows Update, but it can also be downloaded from the Microsoft site.

Both companies have acknowledged vulnerabilities in their ActiveX controls, and have, in fact, patched those controls. The HP software that Microsoft killed today were older ActiveX controls associated with a customer support application bundled with some of its PCs; the program, dubbed "HP Instant Support," is meant to help users update key drivers and other HP software.

HP patched its Instant Support in early June.

Aurigma's Image Uploader, meanwhile, also has a troubled past. In late January, security vendor Symantec Corp. reported multiple vulnerabilities in the software, which is licensed by sites such as MySpace and Facebook, to give their users a way to upload photos from within Internet Explorer.

Aurigma quashed the bugs in a March 2008 update to Image Uploader.

The first time Microsoft released a kill bit update for another vendors' software was in April, when it disabled a buggy ActiveX control used by Yahoo Inc.'s music player. In June, it released a kill bit that crippled an ActiveX control used by Logitech International SA to retrieve updates for software for its keyboards and mice.

In April, company officials said they would issue kill bit updates whenever asked by a vendor. "If an independent software vendor discovers that they have shipped a vulnerable [ActiveX] control, they should e-mail [us] to work with Microsoft to issue a kill bit, disabling that control," Tim Rains, a spokesman for the Microsoft Security Response Center, said at the time.

Setting the kill bit for an ActiveX control involves modifying the Windows registry. It does not patch the problem, and setting the kill bit means the control's functionality is lost. In today's cases, however, Microsoft was setting the kill bits for the older, vulnerable versions of the HP and Aurigma controls; users who had updated to the newer editions should not lose the programs' functionality.

"This is right in line with Microsoft's presentation at Black Hat," said Andrew Storm, director of security operations at security vendor nCircle Network Security Inc., referring to last week's security conference. At Black Hat, Microsoft said it would launch Microsoft Vulnerability Research in two months. The program helps third-party developers of Windows applications and add-ons find and fix bugs in their software.

"They said many times that they are working as a coalition to better secure the Windows operating system and everything which runs on it," Storms continued. "While Microsoft has issued a few kill bits in the past for third-party products, this is something we are going to continue to see going forward."

Kaspersky Internet Security 2009 -- fast, lean, effective

2008-08-11T09:21:00.000-07:00

Fans of all-in-one security suites should take a serious look at the just-released Kaspersky Internet Security 2009, which includes modules for antivirus, antispyware, firewall and more, yet uses little enough system resources and RAM that it won't slow down or clog up your system.

Like many of its competitors, Kaspersky takes the "everything but the kitchen sink" approach to Internet security, and it largely succeeds. The software's sprawling features are well integrated via a single control panel with individual screens for anti-malware, system security, online security and content-filtering sections. The default settings for each module should work well for most people, but for those who like to tweak, the program offers considerable customization tools as well.

Cyberattacks knock out Georgia's Internet presence

2008-08-11T09:15:00.000-07:00

Hackers, perhaps affiliated with a well-known Russian criminal network, have attacked and hijacked Web sites belonging to Georgia, the former Soviet republic now in the fourth day of war with Russia, a security researcher claimed on Sunday.

Some Georgian government and commercial sites are unavailable, while others may have been hijacked, said Jart Armin, a researcher who tracks the notorious Russian Business Network (RBN), a malware and criminal hosting network.

"Many of Georgia's Internet servers were under external control from late Thursday," Armin said early Saturday in an entry on his Web site. According to his research, the government's sites dedicated to the Ministry of Foreign Affairs, the Ministry of Defense, and the country's president, Mikhail Saakashvili, have been blocked completely, or traffic to and from those sites' servers have been redirected to servers actually located in Russia and Turkey.

As of midnight Eastern time on Sunday, Georgia's presidential and defense ministry sites were unavailable from the U.S. Although the foreign ministry's site remained online, the most recent news item was dated Aug. 8, the day Georgian and Russian forces first clashed.

Armin warned that Georgian sites that appeared online may actually be bogus. "Use caution with any Web sites that appear of a Georgia official source but are without any recent news [such as those dated Saturday, Aug. 9, or Sunday, Aug. 10], as these may be fraudulent," he said in another entry posted midafternoon on Sunday.

Statements from Georgia's foreign ministry have appeared in a blog hosted on Google, perhaps in an attempt to circumvent attacks.

Researchers at the Shadowserver Foundation, which tracks malicious Internet activity, confirmed some of Armin's claims. "We are now seeing new attacks against .ge sites [Editor's note: .ge is the top-level domain for Georgia.] ... www.parliament.ge and president.gov.ge are currently being hit with HTTP floods," the researchers said in a Sunday update to a July post.

On Saturday, Armin reported that key sections of Georgia's Internet traffic had been rerouted through servers based in Russia and Turkey, where the traffic was either blocked or diverted. The Russian and Turkish servers Armin identified, he said, "are well known to be under the control of RBN and influenced by the Russian government."

RBN, which pulled up stakes last year and shifted network operations to China in an attempt to avoid scrutiny, has been fingered for a wide range of criminal activities, including a massive subversion of Web sites last March.

Later on Saturday, Armin added that network administrators in Germany had been able to temporarily reroute some Georgian Internet traffic directly to servers run by Deutsche Telekom AG. Within hours, however, the traffic had been again diverted to Russian servers, this time to ones based in Moscow.

The attacks are reminiscent of other coordinated campaigns against Estonian government Web sites in April and May 2007 and against about 300 Lithuanian sites on July 1. Like Georgia, both countries are former republics in the Soviet Union.

Three weeks ago, a distributed denial-of-service attack knocked Georgia's presidential site offline for about a day.

Late Sunday, Russian ground forces were reported advancing toward Gori, an important transportation hub in central Georgia.

Google China Music Search Live

2008-08-07T08:56:00.000-07:00

Google has released a Music search site for China " and China only, unless youre using a proxy* to access it. We discovered traces of this a while ago, and the Wall Street Journal also covered Googles plans before. In China, music searching is one of the existing advantages of competing services like Baidu over Google, but now Google may try to find a more legal, licensed basis for such a site.

The services main page shows a search box and a list of top songs and their artists, along with links enabling you to e.g. listen to the song online. (Please note the translations in the screenshots are given as approximations as I had automatic translation help me compile them.)

When starting to enter something in the search box, youll get a dropdown box, which can both help auto-complete your query, but also transliterates Pinyin into Chinese characters. (The Google China homepage itself has auto-completion, too.) In the results, you can check several songs and add them to what looks like a song list. It opens in a new window served from Google partner Top100.cn. Songs play back without much hassle using Flash, accompanied by an animated ad banner. (And all that legal, apparently; Music 2.0 writes that authorities and Content Providers can now point to a viable alternative to Baidus mp3 search and snap out of their varying degrees of apathy and do something about it. Baidus recalcitrant attitude and financial abuse of so-called label partners as it pirates music in broad daylight will inevitably catch up with them now.)

Instead of streaming the song, you can also download it as MP3 file sometimes. What, no proprietary digital-rights-mangled format? Im eating a big surprise, as the saying goes... this service is actually uncluttered and useful in finding music. Even the lyrics which you can open in a new window can be (gasp) copied to your clipboard for reuse, something Yahoo Music, for instance, never let you do**. And why not, as theres enough chance for revenue in the vicinity of such a service, like advertisement or paid ringtones. If not for the fact all non-China users are banned from using this, its an almost barrier-free music download site " at the moment, though, the www in the sites address is lying.

-Thanks Xujie and Manoj Nahar!-

*In Firefox, try the following to use a proxy. In the menu open Tools -> Options. Switch to the Advanced tab and in it, the Network tab. Click the Settings button and check Manual proxy configuration. Enter 202.108.251.112 into the HTTP Proxy box and click OK below. Now try load Google Music Search. (If this proxy does not work for you try looking for others by searching Google for -china proxies- and similar.)

**Yahoo used an image instead of text for lyrics, among other hurdles built into their service.

Mozilla dishes up teasers for concept browser

2008-08-07T08:54:00.000-07:00

Mozilla Labs is inviting industry wonks, higher education types and ordinary bods to contribute ideas on its new concept browser, Aurora.

The outfit behind popular open source browser Firefox wants people to get involved in its “Concept Series” project, looking at shaping the future design of web technologies.

Mozilla Labs has buddied up with San Francisco-based Adaptive Path, the firm behind the recent redesign of the MySpace website, to create the Aurora browser.

Anyone can put forward ideas, mockups or prototypes to the project, said Mozilla, which earlier this week released design and interface teasers for people to play with and adapt.

There is one caveat for individuals hoping to make a fast buck from their contribution: it wants all concepts and related source materials to be freely redistributed under either a Creative Commons licence (ideas and mockups) or the Mozilla Public Licence (prototypes).

“We're hoping to lower the barrier to participation by providing a forum for surfacing, sharing, and collaborating on new ideas and concepts,” said Mozilla.

“Our goal is to bring even more people to the table and provoke thought, facilitate discussion, and inspire future design directions for Firefox, the Mozilla project, and the Web as a whole.”

U.S. patent office to revisit Dell's 'cloud computing' trademark

2008-08-07T08:32:00.000-07:00

The U.S. Patent and Trademark Office (USPTO) has done an about-face on Dell Inc.'s effort to claim a trademark on "cloud computing" and is reconsidering its earlier action.

Dell had received near-final approval for this trademark, but the USPTO canceled its "Notice of Allowance" on Tuesday, according to trademark records. The application has been "returned to examination."

Dell spokesman David Frink said the company isn't commenting on the USPTO's action, other than to acknowledge that the issue is going back to the examiner for additional review. He didn't want to speculate on what that might mean.

Joe Englander, an intellectual property attorney at Shutts & Bowen LLP in Fort Lauderdale, Fla., said the USPTO 's decision may have been prompted by the public attention the trademark was getting.

Englander suspects a primary examiner, a person in a senior position, "looked at it and probably agreed with some of the arguments that were made public."

The USPTO move is a setback for Dell, said Englander. "It means that right when you thought you were out of the woods, you are not," he said.

Englander was among the attorneys who argued that "cloud computing" is a generic term. Even if the USPTO ultimately grants approval, the company may still face challenges.

Dell, however, already owns cloudcomputing.com.

Open-source e-voting gets LinuxWorld test run

2008-08-07T08:30:00.000-07:00

Computer engineer Alan Dechert didn't like what he saw during the controversial vote tallying in Florida in 2000's presidential election.

That was when he decided that there had to be a better way for U.S. citizens to safely and accurately cast their ballots.

More than seven years later, Dechert is here at the LinuxWorld Conference & Expo, publicly displaying the open-source e-voting system he helped develop that fixes some of the problems that he and other critics found in the nation's voting systems almost a decade ago.

"I watched the 2000 election, and I was stunned that we didn't know how to count ballots," Dechert said.

In Florida, where paper punch-card ballots were used at the time in many counties, the nation watched in disbelief for weeks as the presidential election came down to the wire over punch cards that were analyzed individually and manually by voting officials. At issue was voter intent, as officials tried to decipher who voters had selected on the ballots, which often weren't fully punched out by the machines that were supposed to mark the ballots.

It took analysis of those ballots and a U.S. Supreme Court decision to finally decide the winner of that election, almost a month after the last polling place closed.

That December, Dechert co-founded the Granite Bay, Calif.-based Open Voting Consortium to try to help come up with a better way to vote in this country.

"This was conceived as a pilot project for Sacramento County [Calif.] in December 2000," he said. The idea was to create an electronic voting system that allows voters to make their candidate selections on a screen, then clearly print their ballots and have them scanned and tallied by reliable machines.

By creating such a system, Dechert said, then "there's no ambiguity about what the voter intended," fixing one of the most glaring problems of the old punch-card systems and poorly designed ballot layouts.

The system, which was set here at LinuxWorld for show attendees to view and vote in mock elections, runs on PCs loaded with Ubuntu Linux and the free, open source e-voting application created by the consortium.

For election officials, the system is a simple one that would allow voters to be sure of their choices before they leave the ballot-casting area, Dechert said. Officials could set up and create the ballot in any elections intuitively with a special software tool that would add candidate names, office titles and other relevant information without requiring major computing skills.

The application runs on standard PC architecture and requires no specialized equipment.

"They don't have to do anything special," Dechert said of local election officials who would use the system. "They don't have to know anything special."

LinuxWorld attendee Greg Simonoff tests out the Open Voting Consortium's proposed e-voting system. Photo by Todd Weiss.

By going to an open-source system, he said, the application's code could be carefully and publicly analyzed for flaws and security issues, then could be fixed and made trustworthy for use. At least, that's the position of open-source advocates who think they can build a better system than those created by proprietary vendors across the nation.

"What we're trying to advance is full public scrutiny, with many eyes on the code," Dechert said.

The open-source system aims to address several concerns about traditional vendor-supplied e-voting systems in use across the U.S., he said, including the following:

By being open source, the code can be checked at any time for flaws or problems by any qualified programmer or developer, making it more transparent and trustworthy.
By using off-the-shelf PC hardware and printers and other peripherals, it's much cheaper than custom, purpose-built e-voting consoles and equipment.
It's usable by handicapped voters and by voters who speak languages other than English.
It contains a voter-verifiable and fully auditable paper record that can be preserved and is recountable.

"It could be used now," Dechert said. Some local voting jurisdictions are in talks with the group now about looking further at the system, including local officials in at least one Maryland county, he said.

For use in national elections, the system would have to be heavily analyzed and eventually certified as an election system, Dechert said. That process is part of the group's future goals, he said.

Here in San Francisco, for the system in display on the show floor, mock voters entered a booth and stood in front of a computer screen that lay flat in front of them on a table. The voters then used a traditional computer mouse to make their selections on the one-screen ballot and then advanced the ballot selections with on-screen arrows. Voters could also choose to go back to check or change their selections.

After completing the ballots, participants were asked to confirm their candidate or referendum-question selections several times, then were able to print their ballots on a printer also in the voting cubicle. Each voter then put the printed paper ballot in a manila folder and walked it over to a nearby election official, who electronically tallied and scanned it in front of the voter.

More than 300 people tried out the system yesterday. Project organizers set up a ballot with the three major party candidates in this year's presidential election, as well as several referendum questions about e-voting and other topical public issues.

Dick Turnquist, an IT manager at the Association of California Water Agencies in Sacramento, test-voted on the proposed system and said he liked what he experienced. "It certainly was easy enough to use. I probably would prefer it" to existing e-voting systems, Turnquist said.

Greg Simonoff, an engineer at the California Department of Transportation, said he liked using the system but would prefer a touch-screen voting mechanism rather than a mouse-based system.

Dechert said the mouse-based system is being used in the demonstration phase of the project to cut costs but would be replaced with a touch-screen system in production.

Credit card thieves ran a polite, professional help desk

2008-08-07T08:28:00.001-07:00

The criminal network identified in the Justice Department indictments this week as having stole tens of millions of credit card numbers used people with skills in technology, finance and black markets -- some whom were notably polite, attentive and productive.

In one chain of ICQ messages excerpted by federal authorities in an indictment, there is back-and-forth about the software used to get credit card data from Dave and Buster's Inc.Albert Gonzalez, of Miami in an instant message. restaurant chain. The U.S. says it was one of nine retailers hit. The hackers gave the chain a positive review: "A very nice place, they have many locations," wrote

But little time was wasted on chitchat. Tech support was needed to modify sniffer software for an intrusion. Maksym "Maksik" Yastremskiy, of Kharkov, Ukraine, in a message to Gonzalez, briefly discussed the need and finished by asking: "...could you, please recompile it :-) Thanks."

Gonzalez's response: "I can compile right now." There was no tech support whining in these messages -- just professional interest, and perhaps some pride, in how the software worked: "Did your guy use or say anything about my sniffer for dandb [Dave and Buster's]?"

"My guy told me to tell you big thanks and etc ;-)" was Yastremskiy's reply. Some 5,000 credit card numbers were taken from the chain.

For some employees, praise is as important as money, and this group evidently had both, according to what's in the federal charging documents. They made millions until the feds closed their operations this year.

"These guys collaborate," said Sam Curry, vice president of the identity access and assurance at RSA Security, a division of EMC Corp. "They even have SLAs (service level agreements) and support numbers to reach other. They have specialized roles, sophisticated economics, [and] worldwide reach," he said.

It's the degree of specialization that's a tip-off as to how big these organizations are. It took focus and organization to attack nine major retailers, steal some 40 million credit and debit card numbers, decrypt PIN numbers, withdraw cash and sell the numbers on black markets.

The main targets were retailers. The thieves parked their cars near retail outlets, searched for open networks, and installed programs to capture the wanted data.

Retailers are particularly susceptible to theft because IT departments are kept lean, crucial technology improvements are deferred, and people with the skills needed to configure systems aren't always on staff, said Paul Kocher, president and chief scientist of Cryptography Research Inc. in San Francisco.

Amit Sinha, vice president and chief technology officer of AirDefense, Inc., a wireless security firm in Atlanta, said retail firms "have been lagging significantly," despite being a favorite target.

Retailers who lose data risk customer ill will, of course, but they also can face also action by the Federal Trade Commission for letting it happen, said Richard Hackett, an adjunct professor at Boston University School Law.

DSW Inc., the shoe retailer, had its data stolen by this group of thieves in 2005, prompting action by the FTC. In a settlement reached that same year, DSW agreed to security improvements and regular audits.

Along with Dave and Buster's, other retailers known to have been targeted are BJ's Wholesale Club, TJX, DSW Shoe Warehouse, OfficeMax, Barnes & Noble, Boston Market, Sports Authority and Forever 21.

The FTC's view is that "it is unfair to consumers to take their information and place it in a system that is not reasonably secure from unauthorized access," said Hackett.

Credit card thieves ran a polite, professional help desk

2008-08-07T08:28:00.000-07:00

"My guy told me to tell you big thanks and etc ;-)" was Yastremskiy's reply. Some 5,000 credit card numbers were taken from the chain.

The main targets were retailers. The thieves parked their cars near retail outlets, searched for open networks, and installed programs to capture the wanted data.

Amit Sinha, vice president and chief technology officer of AirDefense, Inc., a wireless security firm in Atlanta, said retail firms "have been lagging significantly," despite being a favorite target.

Along with Dave and Buster's, other retailers known to have been targeted are BJ's Wholesale Club, TJX, DSW Shoe Warehouse, OfficeMax, Barnes & Noble, Boston Market, Sports Authority and Forever 21.

The FTC's view is that "it is unfair to consumers to take their information and place it in a system that is not reasonably secure from unauthorized access," said Hackett.

A photo that can steal your Facebook account

2008-08-01T02:32:00.000-07:00

At the Black Hat computer security conference in Las Vegas next week, researchers will demonstrate software they've developed that could steal online credentials from users of popular Web sites such as Facebook, eBay and Google.

The attack relies on a new type of hybrid file that looks like different things to different programs. By placing these files on Web sites that allow users to upload their own images, the researchers can circumvent security systems and take over the accounts of Web surfers who use these sites.

"We've been able to come up with a Java applet that for all intents and purposes is an image," said John Heasman, vice president of research at NGS Software.

They call this type of file a GIFAR, a contraction of GIF (graphics interchange format) and JAR (Java Archive), the two file-types that are mixed. At Black Hat, the researchers will show attendees how to create the GIFAR while omitting a few key details to prevent it from being used immediately in any widespread attack.

To the Web server, the file looks exactly like a .gif file, however a browser's Java virtual machine will open it up as a Java Archive file and then run it as an applet. That gives the attacker an opportunity to run Java code in the victim's browser. For its part, the browser treats this malicious applet as though it were written by the Web site's developers.

Here's how an attack would work: The bad guys would create a profile on one of these popular Web sites -- Facebook for example -- and upload their GIFAR as an image on the site. Then they'd trick the victim into visiting a malicious Web site, which would tell the victim's browser to go open the GIFAR. At that point, the applet would run in the browser, giving the bad guys access to the victim's Facebook account.

The attack could work on any site that allows users to upload files, potentially even on Web sites that are used to upload banking card photos or even Amazon.com, they say.

Because GIFARs are opened by Java, they can be opened in many types of browsers.

There is one catch, however. The victim would have to be logged into the Web site that is hosting the image for the attack to work. "The attack is going to work best wherever you leave yourself logged in for long periods of time," Heasman said.

There are a couple of ways that the GIFAR attack could be thwarted. Web sites could beef up their filtering tools so that they could spot the hybrid files. Alternatively, Sun could tighten up the Java runtime environment to prevent this from happening. The researchers expect Sun to come up with a fix not long after its Black Hat talk.

But researchers say that while a Java fix may disable this one attack vector, the problem of malicious content being placed on legitimate Web applications is a much larger and thornier issue. "There will be other ways to do this, with other technologies," said GIFAR developer Nathan McFeters, a researcher with Ernst & Young's Advanced Security Center.

"In the long term, Web applications are going to have to take control of the content," McFeters said. "It's a Web application issue. The Java attack that we're currently using is just one vector."

He and his fellow Black Hat presenters have entitled their talk The Internet is Broken.

Ultimately, browser makers will have to make some fundamental changes to their software too, said Jeremiah Grossman, chief technology officer with White Hat Security. "It's not that the Internet is broken," he said. "It's that browser security is broken. Browser security is really an oxymoron."

IBM plans large cloud data center in North Carolina

2008-08-01T02:31:00.000-07:00

IBM today said it is spending $360 million on a new cloud data center facility in North Carolina, the latest in a series of moves by this company to develop technology and infrastructure to support that platform.

IBM's announcement follows one earlier this week by Hewlett-Packard Co., Intel Corp., and Yahoo Inc., to jointly provide compute resources to universities to help advance cloud computing research.

All these announcements say one thing: These vendors see big potential and profit in this platform, but perhaps some cause for concern as well. Cloud computing is focused on service delivery, not on the underlying technology that these companies sell. It's a platform that could bring many new service providers into this market -- a business model along the lines of what Amazon is doing with its Elastic Compute Cloud (EC2).

IBM says it is renovating an existing building in Research Triangle Park to build 60,000 square feet of raised-floor data center space, and will complete the work early next year. The $360 million cost, according to IBM, includes construction, technology and personnel expenses. IBM now has nine centers worldwide devoted to cloud computing, and the North Carolina facility will be the largest.

The company employs about 11,000 in existing IBM facilities in that area already, but did not disclose how many would be working specifically in the North Carolina facility.

IBM today also today said that it was opening a cloud computing center in Tokyo, costing about $40 million. And the company is working with Google on some of the technology issues around cloud computing.

Jay Subramonia, the director of high performance on demand solutions at IBM, said its facilities are used for research but also as test beds by customers to experiment with this platform, and see what they can do to make internal operations more cloud-like -- meaning virtualized, automated and dynamic.

Subramonia said the "entry point" for enterprises on working with the cloud model has been in deploying collaboration tools and Web 2.0 systems, as well as using them for software development test environments.

Charles King, an analyst at Pund-IT, Inc., a research firm in Hayward, Calif., said that in contrast to the research initiative announced this week by HP, Yahoo and Intel, IBM is demonstrating an early lead on commercial cloud development by by building out test beds.

Cloud systems being built by some of the larger firms, such as Google and Yahoo, are relying on x86-based systems. But IBM says it will include a range systems, from its mainframe on down, in its data center. King believes that IBM will "use all the tool in their garage" to make the case that x86 environments won't meet every need.

After facing shareholders, Yang must fulfill promises

2008-08-01T02:30:00.001-07:00

Yahoo CEO Jerry Yang will face a tough crowd at Friday's shareholders meeting, but the expected tongue-lashing is likely the least of his worries as he stares at the towering list of promises he has made and must fulfill.

Since replacing former CEO Terry Semel in mid-2007, Yang has been assuring employees, partners, external developers, publishers, advertisers and online-service consumers that he has a foolproof plan to get Yahoo back on track financially and technologically.

For shareholders, the problem with Yang's rhetoric is that when he took over from Semel, Yahoo's stock price was in the US$27 to $28 range. On Thursday, it closed at $19.89, far from the $33 per share Microsoft offered before negotiations collapsed in early May, and very close to the $19.18 price on Jan. 31, the day prior to the bid's announcement.

"There is a lot of anger and discontent among shareholders. It will be lively tomorrow," said IDC analyst Karsten Weide in a phone interview.

Activist investor Eric Jackson, president of Ironfire Capital, plans to attend and get vocal at San Jose's Fairmont Hotel, and is encouraging others to do the same. "[The meeting] will be an opportunity for us to speak up and make our voices heard. If you're in the Bay Area, I encourage you to come out ... Hopefully, we'll have a lively set of questions posed to the Yahoo board in a true direct fashion," Jackson wrote on his blog Monday.

While Friday's meeting will give shareholders a soapbox to vent frustrations, the event is also of significance to Yahoo end-users, advertisers, publishers, partners and developers who are trusting that Yang and his team will deliver the promised goods.

With Microsoft no longer circling the waters and having appeased Carl Icahn -- who wanted to kick out the entire board and boot Yang from the CEO throne -- Yahoo's management now has no excuse for the company's underperformance.

After all, at Friday's meeting, despite the likely sound and fury from the floor, the current board will retain a solid majority -- eight members -- as part of an agreement that grants seats to Icahn and two of his candidates. This leaves Yang and his team on much more solid job-security ground.

Or maybe not. Industry analyst Rob Enderle of Enderle Group wouldn't be surprised if top management changes are announced at the meeting or shortly afterward, involving either the replacement of Yang as CEO or the addition of a new executive in a prominent role, possibly former AOL CEO Jonathan Miller, a candidate for an Icahn seat.

The mere fact that Icahn will have a say in Yahoo's operations assures changes will be made to current plans and strategies, so people and organizations tied to Yahoo services would do well to pay attention to what transpires at the meeting, especially discussions about possibly changed plans and strategies, Enderle said.

After Microsoft made its bid, Yahoo went into a hyperactive mode with product and strategy announcements, seemingly to prove that it was worth more than Microsoft was willing to pay and also able to survive independently. It's likely that that list of projects will be pared down, according to Enderle. "I don't think they'll be able to execute on all of them," he said.

Probably the most ambitious project is Yahoo Open Strategy (Y OS), which promises end-users and developers alike a major revamping of how they will respectively use and develop applications for Yahoo online services. It's generally agreed that if the Y OS vision is fully realized, it could give Yahoo a significant and long-needed boost in key areas like search and social networking.

Announced in April to great fanfare, Y OS calls for Yahoo to open all its sites, online services and Web applications to outside developers, and give users a "social profile" dashboard to unify and manage their Yahoo services. To accomplish this, officials recognize that it will be necessary to rewire Yahoo's technology back-end inside and out -- no small feat.

"It's a cool, bold, visionary project, but it will be hard to do," Weide said. "The question is: Can Yahoo pull it off?"

Another big project in the works, this one aimed at advertisers, is AMP, a new advertising management platform that the company says will greatly simplify buying and selling ads online, and -- Yahoo promises -- provide laser-like ability to target audiences.

In June, when it announced its latest of several major reorganizations in the past two years, Yahoo shocked observers with the creation of a Cloud Computing and Data Infrastructure Group, which many have speculated is a sign Yahoo plans to get into the hosted software and IT infrastructure services markets.

In addition, Yahoo has ongoing projects to continually improve its mobile services, its franchise e-mail and instant messaging products, and Panama, its much-touted search advertising platform whose efficacy fell into doubt when Yahoo recently agreed to outsource part of its search ad business to Google in order to jump-start those segment revenues.

In addition, during Microsoft's pursuit, Yahoo also acquired online video player Maven Networks, announced its social network OneConnect mobile service, re-launched its video site and introduced social news site Yahoo Buzz.

So on Friday, while shareholders hurl verbal rotten tomatoes at Yang, President Sue Decker and the other top managers, end-users, developers, publishers and advertisers should be watching, looking for signs that their promises will be fulfilled.

After facing shareholders, Yang must fulfill promises

2008-08-01T02:30:00.000-07:00

Big stock exchanges now battling for microseconds

2008-08-01T02:29:00.000-07:00

Computer systems, hardware and networking technologies have improved so much that two of the world's largest trading exchanges say they have begun measuring transaction times in microseconds.

What is a microsecond? It's one-thousandth of the relatively familiar millisecond — in other words, one-millionth of a second. Speed like that is too fast for us humans to visualize.

But trading systems inhabit a Terminator 2-type world, where machine battles machine. Such systems — which are, naturally, automated — compete for the best price by getting the electrons to travel through servers and networks as fast as they can. With millions of dollars, and customers, at stake, the IT managers who run these trading operations are continually finding ways to increase system performance.

In the past year, the New York Stock Exchange and CME Group, which operates the Chicago Mercantile Exchange and Chicago Board of Trade, have begun to frame their thinking in microseconds as they look at some of the processes involved in their superfast transactions.

The need for microsecond measures is an outgrowth of the steadily increasing speed of transactions, which are heading into the single-digit-millisecond range. Improvements are due to advances in hardware, networking and trading algorithms, and as transaction rate times continue to fall, the need to measure time in smaller units becomes more acute. "We got pulled into it," said John Hart, managing director of technology engineering at CME, of the move to microsecond measures.

At these extreme speeds, microseconds matter. A 3- or 300-microsecond improvement in one transaction, multiplied across systems that are processing millions of transactions in an hour, will add up.

"It's all at the microsecond level right now," said Steve Rubinow, CIO of NYSE Euronext, which operates the New York Stock Exchange. "The core trading stuff has to be in the hundredths of microseconds."

The increasing focus on finer measurement levels may have broad implications for businesses outside of financial services, especially as companies turn to software-as-a-service (SaaS) providers.

In the trading world, speed measurements are examined at both ends of the deal. Microsecond measurement data helps the exchanges improve systems at various points in a transaction, but the customers are also measuring transaction rates and making notes.

A trader who loses money may blame IT for that loss, and defending against that accusation will require measurement data, said Bernie Davidovics, chief technology officer of SeaNet Technologies Inc. His Kew Gardens, N.Y.-based company makes a hardware appliance that can use either GPS or cellular network time data to measure transactions in a network. "He who has the data wins," Davidovics said.

SaaS and cloud-type service providers and their customers may face similar concerns over response times. For SaaS providers, these kind of precise time measures will grow in importance, said Michael Salsburg, a director of the Computer Measurement Group Inc., a not-for-profit organization in Turnerville, N.J., whose members are concerned with IT service delivery. Vendors will likely use their speed as a competitive differentiator, but customers will measure as well to ensure that service levels are met, he said.

But when it comes to speed, the technology staffs at the exchanges are constantly looking for ways to improve response times by improving interconnects, tweaking operating systems and trying out new systems and the latest processors. Hart said CME, for instance, is already piloting Hewlett-Packard Co.'s just-released first blade system in the NonStop line, which he said doubles the throughput of earlier NonStop models.

The shift to microsecond measurement is also changing expectations for vendors. Rubinow tells the story of a storage manufacturer (that he didn't want to identify) that told him its new system delivered "sub-millisecond" response times.

Questioning the vendor about the "sub-millisecond" claim, Rubinow said, "Do you mean 900 microseconds or 100 microseconds? Because that's a world of difference to us." The vendor said he wasn't certain because he hadn't been asked that question before. Rubinow responded: "Well, get use to it, because everybody in this industry is going to ask this question."

Apple restores partial access to MobileMe e-mail, admits messages lost

2008-07-29T03:11:00.000-07:00

Apple Inc. late on Friday announced that it had restored partial access to blacked-out MobileMe e-mail accounts, but the company acknowledged that some messages sent to those accounts had been lost during the week-long outage.

Full access to MobileMe's e-mail will be restored within another week, Apple said.

In a posting under a new "Status" section of the MobileMe home page on Apple's Web site, an unnamed employee said he had been directed by CEO Steve Jobs to keep users up to date on the outage and efforts to restore service.

The long message -- an unusual step for Apple, but perhaps prompted by the fact that those affected are not able to receive mail at their mac.com or me.com addresses -- summarized the problem, which Apple blamed on a balky server. The post also reiterated Apple's claim that only about 1% of MobileMe subscribers had been blocked from their accounts.

"As of today, a team was able to restore limited Web access to those accounts so the affected members can use their browsers to read mail that has arrived since last Friday (though not before) as well as send and receive new mail," the Friday message read. "The team has already begun rolling out restoration of full access for all the accounts and expect[s] to finish by the end of next week."

The Apple employee confirmed the loss of some messages sent to the affected accounts in the two days prior to the outage, which began for most users on July 18. "We particularly regret to report the loss in the affected accounts of approximately 10% of the messages received between July 16 and July 18," Apple said.

Apple also updated a support document late Friday night to flesh out instructions to users. Until the new messages were posted to the Status page of MobileMe, the support document had been the only official word on the incident by Apple.

The document noted that the partial service restoration "does not provide access to any e-mail messages received or saved before the outage began on July 18," but it promised that most would eventually be restored to users. However, the support document echoed the warning in the Status message about lost mail. "While the vast majority of your e-mail messages will be fully restored, a small percentage of e-mail messages in the affected accounts have regrettably been lost. This includes approximately 10% of messages received between 5:00 a.m. PDT on July 16 and 10:20 a.m. PDT on July 18. We sincerely apologize for any e-mail messages you may have lost."

The only recourse, according to Apple, is if subscribers used a desktop client -- such as Mac OS X's Mail or Outlook, Outlook Express or Windows Mail on a PC -- to grab messages from their mac.com and me.com accounts and backed up their Mac's or PC's data. Those customers may be able to restore lost messages from their own backups.

Others are out of luck. "If you access your MobileMe Mail exclusively at me.com, there's nothing for you to do. Your account will be restored, but you will not be able to retrieve any messages that may have been lost from your account," the document stated.

MobileMe customers who had been without e-mail for more than a week were understandably happy to hear the news that some service had been restored, but the mood remained gloomy on some threads in Apple's support forums.

"After eight or so days, I think this is a little too late," said a user identified as "Confused7766" on the MobileMe forum, referring to the Status message and revised support document posted Friday. "If I had seen this on the third day, I would have been very happy."

Others continued to rebuke Apple. "Apple is still clinging to the phrase, 'rocky road' in describing the rollout," said David Farrow on another thread. "GIVE US A BREAK. This isn't a few rocks in the road, it is an effing LAND SLIDE.

"You're asking us to invest into using this service in our homes and small businesses, you have a rollout DISASTER like this, and then try to blow it off as a pebble in the road? I am losing confidence as this debacle unfolds, and I watch Apple's increasingly flailing response," Farrow wrote.

The e-mail outage was just one of several major MobileMe problems in the past two weeks. Prior to its July 11 kickoff, customers of the .Mac service -- MobileMe's predecessor -- complained about a day-long blackout when Apple shifted to MobileMe. That process was supposed to take just a few hours.

Last week, other users blasted Apple for slower-than-expected synchronization between Macs and PCs on one hand and the iPhone and MobileMe servers on the other. At the time, Apple apologized and credited customers with an additional 30 days of service after acknowledging that that part of the service didn't meet the definition of "push" synchronization.

Ex-Googlers' search engine draws fanfare, but testers prefer Google

2008-07-29T03:10:00.000-07:00

While there has never been a shortage of would-be "Google-killers" -- upstarts aiming to beat the search giant at its own game -- few have generated fanfare like Cuil Inc. The start-up company's founders say that their search engine, also called Cuil (pronounced cool), offers an index that's three times larger than that of any other search engine.

Perhaps in anticipation of today's launch, Google Inc. on Friday boasted that it has tracked more than 1 trillion URLs on the Web. And the market leader's position was bolstered a bit today because the Cuil site was unavailable for some periods of time throughout the day.

Nonetheless, Cuil's reputation benefits from the backgrounds of those who launched the start-up firm. Anna Patterson, Cuil's president and chief operating officer, worked as an architect of Google search index and led the company's Web page ranking team. Her co-founder and husband, Tom Costello, the company's CEO, researched and developed search engine technology at Stanford and IBM.

But despite Cuil's claim that it had indexed 120 billion Web pages and that it provides relevant results based on Web page content analysis, which goes beyond Google's link analysis techniques, some early reviewers questioned whether it can compete with Google.

Danny Sullivan, a blogger at Search Engine Land, acknowledged the pedigrees of the founders of the company. "These people know search," he wrote. "In particular, they know on-the-firing line, heavy-duty, industrial-strength search. Not only that, they're unleashing what appears to be a comprehensive service that anyone can use."

However, he debunked the company's claim that they use content rather than popularity to link Web pages. Sullivan noted that he tested the search engine with a search for the term "Harry Potter." The Harry Potter & the Order of the Phoenix movie Web site came up first on Cuil, he noted.

"This is out of thousands of possible pages," he added. "How on earth can Cuil know just from the content on the page itself that the movie site should be in the top results, especially in a Web environment where people can (and will) custom-tailor content to mislead search algorithms? The answer is link analysis -- counting links and effectively seeing who is pointed at the most. The twist is that it is done by measuring the links from pages relevant to what someone searches on."

He went on to note that today's largest search engine companies, Google, Microsoft Corp. and Yahoo Inc., offer more than just the Web searching that Cuil is providing.

"News search, image search, video search, local search -- these are just some of the verticals that Cuil lacks but which do get used by searchers," Sullivan pointed out. "Not offering these makes Cuil feel too focused on what "old school" search used to be and [like it is] missing out on the Search 3.0 vertical and blended search revolution that has been going on."

While Cuil has a chance to pick up a bigger share of the search market than other start-ups, it is unlikely to threaten Google, he added.

"Google came along at a very special time," he noted. "It had better technology at a time when all the search engines had abandoned improving search, since that was seen as a loss leader. To date, Google is the real exception of 'a better mousetrap wins.'"

Michael Arrington, a blogger at TechCrunch, added that after testing Cuil with multiple search terms, he found it to be an "excellent search engine" but without the depth or relevancy of Google results. Arrington found that a search for "dog" returned 280 million results on Cuil and 498 million on Google.

"It seems pretty clear that Google's index of Web pages is significantly larger than Cuil's, unless we're randomly choosing the wrong queries," Arrington noted. "And Cuil's ranking isn't as good as Google's, based on the pure results returned from both queries. However, he did note that Cuil excelled in related categories, which return results that were extremely relevant

"With Google, we've all gotten used to trying a slightly different search to get the refined results we need," Arrington added. "Cuil does a good job of guessing what we'll want next and presents that in the top right widget. That means Cuil saves time for more research based queries."

Stan Schroeder, a blogger at Mashable, also tested the quality of Cuil for multiple searches compared to Google, and he found the newcomer lacking.

"The more I tried, the more I was convinced that Google is, quite simply, a vastly better search engine," he noted. "This is unfair, I know: Cuil is a very new product, and Google has been around for quite a while. No one can create a better search engine than Google, simply because Google does not only search Web sites, but -- through its domination of the market -- the entire Web bends to Google's will because every Web site wants to be positioned well on Google."

Security experts knock Apple for not patching DNS bug

2008-07-29T03:08:00.000-07:00

Apple Inc. has not yet patched a critical Domain Name System (DNS) bug in its Mac OS X operating system, analysts and security researchers noted today as some criticized the company for dragging its feet.

"It's not sending a real good message," said Rich Mogull, an independent security consultant and former Gartner Inc. analyst. "If they don't patch this in a reasonable time, they're putting their customers at risk."

Apple, which integrates considerable open-source code into its operating systems, relies on BIND (Berkeley Internet Name Domain), created by the Internet Systems Consortium (ISC), for its DNS components. ISC patched BIND July 8, but as of today, Apple had not released an update for Mac OS X.

According to Dan Kaminsky, the researcher who uncovered the DNS flaw in February and helped coordinate a multivendor patch effort, Apple was told of the vulnerability before patches went public. "They were notified at some point," said Kaminsky, who did not name a date. "They were given a heads-up."

Approximately a month after Kaminsky discovered the vulnerability, representatives from several major developers, including Cisco Systems Inc., Internet Systems Consortium (ISC) and Microsoft Corp., met at the latter's Redmond, Wash., headquarters to discuss how to handle the bug. "In the Spring it was all about [vendors] who write DNS code, at its core it was about people who write name servers," said Kaminsky. Companies he called "second tier," those that "ship name server code that others write," were not part of that March meeting at Microsoft. Apple, he added, was one of those second tier vendors.

Calls to patch grew louder last week, however, after other researchers guessed some of the bug's technical details. Two days later, attack code went public.

Apple did not respond to questions about when it had been informed of the DSN flaw and when it would update Mac OS X to patch the bug.

Kaminsky was willing to cut Apple some slack on the DNS patch issue because of its miniscule market share. "Not that many people are running BIND on OS X Server, and those that do don't need Apple to hold their hand about patching," he said. "If there was a huge population of people behind DNS servers running OS X, I'd be more worried. That's not a dig [against Apple], it's just a statement."

In the grand scheme of things DNS, Kaminsky continued, Apple is a minor player at best. "We have bigger fish to fry," he said, adding that it was more important to focus on the vendors whose DNS code affected the most people.

True enough, said Mogull, but that's beside the point for people running Apple's operating system, particularly those relying on Mac OS X Server. "It may be a low priority in the scheme of the DNS vulnerability, but if all my servers are OS X, it matters. Within the Mac audience, it matters."

Andrew Storms, director of security operations at security vendor nCircle Network Security Inc., echoed Mogull's comments. "It is valid to say that the target market [for the DNS exploit] doesn't really affect them, if only because Mac OS X is primarily a client-side operating system."

But both Mogull and Storms hammered Apple for not providing its users with any word. "Users have to wonder if Apple is even listening to the talk about the DNS bug," Storms said. "We don't know anything. Why can't Apple simply make a one-line statement that it knows about the vulnerability and will have a fix in the next 30 to 60 days?

"It's that fear of the unknown that fuels the fire," Storms said.

Mogull, too, was critical of Apple's security process in general and this example in particular. "Apple's mostly gotten a pass on security issues," he said, "and as long as customers aren't getting beaten up, that's not been a problem. But that can change very quickly."

Mogull recommended that Apple work more closely with the open-source community responsible for code integrated in Mac OS X, such as the ISC's BIND, and urged the company to change how it handles security. "Apple does need to change its security practices. It makes a great operating system, but it's going to be much more of a target going forward."

Storms saw the bright side of Apple not patching the DSN bug, however, saying that it could be one of the few instances when the company's time-to-patch can be measured accurately. "Let's give them the best case, for them, and say that they didn't know until Microsoft patched on July 8," Storms said. "But now there's a vulnerability with exploit code freely available. How quickly is Apple going to respond a get a patch out?

"For most of the vulnerabilities it patches, it's difficult to tell what their internal [patch] release cycle looks like," he said. "This is the first chance we've had to gauge how quickly they can get their act together."

But this isn't the first time that Apple has been taken to task over how fast it updates the open-source parts in its OS. Last year, for example, Charlie Miller, a researcher at Baltimore-based Independent Security Evaluators (ISE) who is noted for his Mac and iPhone vulnerability research, called the company "negligent" for taking too long to patch. More recently, Miller slammed Apple for waiting until July to update the iPhone's built-in browser after Miller had exploited the same bug to hack a MacBook Air in March at a security conference contest.

"They do have a history of being slow to patch their open-source code," Mogull agreed.

Researchers unleash DNS attack code

2008-07-24T23:12:00.001-07:00

Just days after details of a critical bug in the Domain Name System (DNS) software went public, researchers released attack code that can silently redirect users to unintended sites.

HD Moore, the creator of the Metasploit penetration testing framework, and a hacker who goes by the alias "I)ruid," published the attack code in two parts yesterday and today to several security mailing lists and to the Computer Academic Underground Web site.

The two exploits do essentially the same thing, said Andrew Storms, director of security operations at nCircle Network Security Inc.; both poison a DNS server's cache, and therefore can, at least temporarily, replace the legitimate addresses in that cache with bogus destinations. Users steering to what they believe are valid sites could, if they pull the routing information from a victimized DNS server, be sent instead to a fake site such as a phony banking site, where they could be easily duped into divulging confidential information.

Yesterday's exploit, explained Storms, lets an attacker poison a DNS server's cache with a single malicious entry, but today's attack code allows a hacker to poison large quantities of domains with one fell swoop. "This second exploit has the potential for a much larger impact," said Storms, "and could result in potentially thousands of fake addresses inserted into a DNS server's cache.

HD Moore, however, noted that the single entry exploit of Tuesday gives attackers more anonymity, while today's exploit requires hackers to have a real DNS server. "That means they'll be less anonymous," Moore said, adding that it would be possible to trace the DNS requests back to the fake server operated by the attacker, then have it taken offline by, for instance, the host provider.

"Both [kinds of attacks] will be difficult to detect," Storm said. "It will probably take an end user to raise the flag when they go to their banking site, for example, and then report, 'Hey, this just doesn't look quite right.'" Digging through the enormous amount of data generated by a DNS server -- hundreds of thousands of results in an hour at a company like nCircle, said Storms -- is simply impossible.

The DNS cache-poisoning bug exploited by Moore's and I)ruid's attack code was first announced earlier this month by Dan Kaminsky, director of penetration testing at Seattle-based IOActive Inc. The bug, which Kaminsky uncovered earlier this year, was patched that same day by several major vendors, including Cisco Systems Inc., Internet Systems Consortium Inc. and Microsoft Corp.

Although Kaminsky declined to publicly disclose technical information, he briefed several fellow security researchers after he was criticized for overstating the seriousness of the threat. Those researchers recanted, and said Kaminsky's research was on target.

Monday, however, a German hacker went public with his guesses about the bug's details. His speculation was confirmed later in the day by Matasano Security, a consultancy that included at least one researcher who had been briefed on the bug by Kaminsky.

That was when Moore and I)ruid started working on the attack code, Moore said today. "We were keeping an eye on it before, but we didn't really start until Monday," he said. "There have been tools available to check to see if you needed to patch [the DNS software], but there wasn't any way to actually see if you could actually do this attack."

The exploits have been added to the Metasploit framework, said Moore, but at the moment can be launched only from systems running Linux. He said that work on exploits able to run from Mac OS X and other operating systems would start soon, but that the attack code would not be tweaked for Windows. Because of the way the exploits are written, they "would never work on Windows."

That doesn't mean Windows users are safe, however. Although the current exploits can't be launched by attackers from a Windows PC, end users running Windows are at risk if they don't apply this month's DNS patches.

Storms didn't dismiss the possibility of attacks now that exploit code is available, but downplayed the threat because of all the attention the bug has received. "I think the likelihood of a mass attack is limited," said Storms, "because a whole lot more people understand how DNS works than did several weeks ago."

Users should patch now, said Storms, even if they're not operating a DNS server. "It's important that you look at the Microsoft patch now," he said, referring to the fix Microsoft issued two weeks ago for every version of Windows except Vista.

"Anytime you can change [entries on a] DNS server, you run into a lot of other issues, including drive-by Web attacks," warned Moore.

Microsoft looks to mimic Apple success, says Ballmer

2008-07-24T23:11:00.000-07:00

Microsoft Corp. CEO Steve Ballmer said yesterday that his company hopes to steal a page from Apple Inc.'s playbook and change how it works with hardware makers in an attempt to duplicate its rival's success.

In a Wednesday e-mail memo to employees that also outlined changes brought on by the departure of platforms and services chief Kevin Johnson, Ballmer cited several areas that Microsoft would focus on during the next year. Among his comments were some cryptic remarks about Apple.

"In the competition between PCs and Macs, we outsell Apple 30-to-1," Ballmer said in the e-mail, which was obtained by the Seattle Post-Intelligencer, as well as other news outlets. "But there is no doubt that Apple is thriving. Why? Because they are good at providing an experience that is narrow but complete, while our commitment to choice often comes with some compromises to the end-to-end experience."

Ballmer went on to promise that Microsoft would change how it deals with hardware vendors, such as Dell Inc. and Hewlett-Packard Co., the world's No. 1 and No. 2 computer sellers, respectively. "Today, we're changing the way we work with hardware vendors to ensure that we can provide complete experiences with absolutely no compromises. We'll do the same with phones -- providing choice as we work to create great end-to-end experiences."

Analysts struggled to interpret Ballmer's comments, with some unsure exactly what he meant and others willing to read between the lines.

"If he's serious, this would be a pretty fundamental change in how they work with hardware manufacturers," said Rob Helm, an analyst at Directions on Microsoft, a Kirkland, Wash., research firm.

Historically, Microsoft's role in deciding what goes into a PC, or how PCs are priced, has been minor. "Microsoft may have had a major role at times, the Tablet PC is one, but really it relies on forward-thinking partners like HP, who would take a change on Microsoft's designs on software," said Helm.

But the company clearly sees Apple as a threat, outnumbered sales notwithstanding. "Apple's making inroads in the U.S., especially in the consumer market and at the high end," Helms said as he speculated on what drove Ballmer to announce a major change in PC production. "Those are the same people that might pay for a premium version of Windows, so maybe that's one reason."

Allan Krans, an analyst at Technology Business Research Inc., was less inclined to read Ballmer's note as a major shift in Microsoft's strategy. "I don't think this is surprising. This is not anything new."

Rather than see it as a call for Microsoft to become more involved in hardware design, Krans interpreted the memo to mean the company will try to market its software as competitive with Apple's in the functionality and user experience areas. "He's talking not only about the software experience, he's also talking about how Microsoft plans to draw excitement to the platform and why they need to do that because of the shift toward the consumer," Krans added.

During a previously scheduled day-long meeting with Wall Street analysts at Microsoft's headquarters today, Ballmer did add that the company would boost spending on marketing in fiscal year 2009, noting that Microsoft currently spends much less on marketing PCs and smart phones than does Apple.

"My first reaction is that Microsoft may be willing to do more with contract hardware makers," said Helm. "If I had to take a guess, I'd say [it would be] in the ultramini laptop market, which is currently hot and an area that Microsoft has deep concerns."

The low-cost, lightweight notebook market, which Microsoft has touched on already this year as it made exceptions to the retirement of its aged Windows XP operating system, is important for other reasons, said Helm. "The current operating system [Windows Vista] doesn't run on that, so Microsoft has had to make allowances for crippled licenses of XP.

"It's probably within Microsoft's ability to produce an ultramini laptop," he said.

But can Microsoft pull off such a dramatic shift in how it works with hardware partners? Can it really make itself more Apple-like? Helm was dubious.

"They'll say, 'How hard can it be? And we have the money to blow it a couple of times if that's what it takes.' That's their thinking," Helm said.

Microsoft's online woes hint at larger vulnerability

2008-07-24T23:09:00.000-07:00

Microsoft Corp. has built its massive software business by watching other companies take the lead in emerging technology markets and then following fast with competitive products that eventually become dominant once those markets begin to pay out.

The company did it with IBM during the birth of the PC and Netscape during the browser wars, and it's currently making a strong showing against Sony and Nintendo in the game-console market.

However, Microsoft's inability so far to capitalize on online advertising and services and its inability to make any headway against Google shows that, despite its huge cash reserves, this strategy may no longer be effective.

In an unexpected move on Wednesday, Microsoft reorganized its platform and services division, which oversees its online services business (OSB) and its lucrative Windows OS business, into two groups to separate its distinct online brands. It also announced the departure of the president of the group, Kevin Johnson, who is reportedly leaving the company to join Juniper Networks Inc.

Both of the new organizations -- one that oversees Microsoft's online advertising and search properties and another that runs Windows Live services and Windows OS -- will report directly to Steve Ballmer.

This move shows the CEO taking firm control of a part of Microsoft's business that has been searching for an identity since the company launched Windows Live services in late 2005 -- in part as a complement to its MSN and search businesses and in part as a rebranding of previous online efforts.

"For the past two years, I've been totally confused about [the difference between] Windows Live, MSN and Windows," said Charlene Li, an independent technology industry analyst. "The messaging and product features don't pull together."

She said splitting up businesses is "a good thing" for the company because it will help clarify Microsoft's online strategy. "You start seeing some differentiation between what the Windows Live brand stands for and what online services is trying to do," Li said.

The move to divide its online brands follows the news last week on a financial conference call that Microsoft would invest "hundreds of millions of dollars" in its OSB group in light of its failure to close a deal to purchase Yahoo or at least its search business. OSB has operated at a loss for years and has shown only meager signs of life despite Microsoft's best attempts to revive it.

For Microsoft's fiscal 2008, OSB showed a year-over-year revenue gain of 32%, from $2.44 billion in 2007 to $3.21 billion in 2008. For the year, however, OSB lost $1.23 billion in operating income; a nearly 100% increase over the $617 million loss in operating income in fiscal 2007.

Last Thursday, Microsoft Chief Financial Officer Chris Liddell sketched out some vague plans for Microsoft's investment, which mainly will go into its search business to bolster online advertising revenue.

However, published reports say Microsoft's biggest shareholders aren't convinced that the company's financial bet will yield much of a return. Microsoft is hosting its annual meeting for financial analysts in Redmond, Wash., Thursday, and will likely shed more light on how it plans to revive OSB with the restructuring and with its renewed investment in the group.

Analysts will certainly be looking for some serious clarity on the topic, especially since Microsoft has been throwing money at online services for years.

"Microsoft's execution online has been poor," said Matt Rosoff, an analyst at Directions on Microsoft. "They've never had a runaway success with a product line ... nothing that has dominated the market or changed the game."

To be fair, the online advertising game -- which some analysts estimate will represent about a $50 billion revenue opportunity in the U.S. alone in the next few years -- is far from over, he said.

Rosoff noted that Microsoft only really began going after Google in earnest three years ago when it launched MSN Search, which was overhauled and rebranded Windows Live Search, and then simply Live Search shortly thereafter.

Microsoft takes a "10-year view of things," he said, noting that Microsoft made more than $60 billion in revenue last year, and the business continues to grow. The company has the "luxury of looking at this as a very long-term business," he said.

"If any other company had thrown this much money away online, they wouldn't be in business right now," Rosoff said. But because of its cash balance and the strength of its business, Microsoft "can invest a lot of money in it without having to worry about the short term."

Still, Microsoft is facing vulnerability in areas that have been a lock for the company for many years. For example, many attribute Apple Inc.'s modest growth in computer sales to negative publicity surrounding its Windows Vista PC OS. While the Windows client OS is still a cash cow and is in no real danger of obsolescence, Apple's success shows there are new chinks in the Microsoft armor.

The popularity of the iPod and iPhone may be showing Windows customers that there are credible alternatives, said Greg Sterling, principal analyst at Sterling Market Intelligence.

This so-called "halo effect," combined with Apple's aggressive advertising campaign that exploited problems users had with Vista early on, proves to PC users that they don't have to settle for what may be perceived as a subpar OS if they don't want to, he said.

"To the extent that people are less fearful of using alternative systems -- that gives them a sense they can stray from Microsoft products and still be OK," Sterling said. The growth of Google's search engine and other online services and applications also provides people with alternatives to Microsoft, he added.

This perception could hurt Microsoft in other markets it's attempting to dominate -- such as the one for virtualization software -- even if the company has the cash to play the waiting game.

Microsoft is chasing VMware in virtualization. To combat its giant competitor, VMware said on Tuesday that it would offer a free version of its basic hypervisor product -- similar to the Hyper-V product Microsoft now offers in its Windows Server OS.

If history is any indication, Microsoft should eventually be able to overtake VMware, especially since its hypervisor is tied to such a successful operating system.

But even Paul Maritz, VMware's new CEO and a former Microsoft executive, pointed out on a VMware conference call Tuesday that Microsoft is not completely invincible, especially when another company already has a substantial lead in a market.

Indeed, Sterling said, "I think there is clearly a perception in the market that Microsoft is not the invincible juggernaut it was."

Mozilla fixes nine flaws in Thunderbird

2008-07-24T23:08:00.000-07:00

Mozilla Messaging patched nine security vulnerabilities in Thunderbird yesterday, the first time it has plugged holes in the e-mail software since early May.

Thunderbird 2.0.0.16, which was added to Mozilla's download servers late Wednesday, quashes nine bugs, including one that was patched last week in Firefox, the company's open-source browser. The remainder fix flaws that were first addressed in early July when Mozilla updated Firefox to Version 2.0.0.15.

It's not unusual for Thunderbird security updates to lag behind those released for Firefox.

Seven of the nine bugs were rated "moderate" by Mozilla, the second-lowest of the four rankings in its threat system. The other two were pegged as "low."

The bug patched in Thunderbird yesterday that was fixed in Firefox last week was in the browser rendering engine's CSSValue array data structure. According to Mozilla, the vulnerability could be used by hackers to force a crash, and from there, run malicious code. Several other just-patched Thunderbird vulnerabilities could also be used by attackers to execute code remotely.

Thunderbird 2.x, like its browser sibling, is on the way out. Most of Mozilla's attention is now on Thunderbird 3.0, which has been available as an Alpha 1 preview for more than two months.

Users can download Thunderbird 2.0.0.16 in versions for Windows, Mac OS X and Linux from the Mozilla site, call up the e-mail client's built-in updater or wait for the automatic update notification, which typically appears within 24 to 48 hours.

Major sites fall victim to Web hijack; check yours

2008-07-17T05:14:00.000-07:00

Security company Finjan Wednesday reported it has found more than 1,000 sites infected by an attack toolkit called "Asprox," which exploits discovered flaws in a vulnerable site's programming to add hidden attack code. The attack code in turn searches for flaws on a browser's PC, and if any such holes are found it will download malware onto the computer.

I wasn't struck by the number -- these days, 1,000 sites unfortunately isn't that many -- so much as by the list of sites that Finjan says were hacked. My own city's site, which I've visited many times to pay parking tickets and the like, was nailed (though it's now clean). Snapple took a hit, as did the National Health Service in the UK and a wide range of other sites.

As with a previous SQL injection round I wrote about in May, you can check to see if your site has been infected by running a Google search. Before you do, let me repeat a warning I wrote then:

IMPORTANT: DO NOT visit the domain named in the following test, or any sites that show up on a Web search as having this domain listed in their pages' code (including cached pages). Doing so could infect your PC with malware.

This time around, you'll need to run these three different searches, as the attack is inserting different code into different sites. In each case, substitute your site's domain (ie., computerworld.com) for "domain."

site:yourdomain "b.js"

site:yourdomain "ngg.js"

site:yourdomain "fgg.js"

When I ran those searches just now I turned up plenty of still-infected sites, so again, be extremely careful about visiting any of them. If your site turns up in search results, contact your IT department or hosting provider immediately.

Whether or not your site turns up, it's also a good idea to run the free Scrawlr tool from HP, which can check your site for the kind of vulnerabilities exploited by a SQL injection attack. It's quick and easy to download and run.

Also, for your own computer's safety, it's critical to keep all your software -- not just the browsers and the OS -- up-to-date with patches. Finjan writes that this attack kit goes after flaws in QuickTime and the AOL SuperBuddy as well as Windows.

Facebook bug leaks members' birthday data

2008-07-17T05:13:00.001-07:00

A glitch in a test version of Facebook's Web site inadvertently exposed the birthdays of Facebook's 80 million members this week.

The bug was discovered over the weekend by Graham Cluley, a senior technology consultant at Sophos. While checking out Facebook's new design, Cluley noticed that the birth dates of some of his privacy-obsessed acquaintances were popping up when they should have been hidden.

Facebook allows users to control who sees private information such as their birth date, which can be a valuable nugget of data for identity thieves. But Cluley discovered that the new site was making this information public to other members. "Their new profile page essentially ignored the privacy setting to withhold the data of birth," he said.

"For a brief period of time, a small number of users were able to access a private beta of Facebook's new site design meant only for developers. During that time, some of those users had their birthdays revealed due to a bug," Facebook said Wednesday in a statement. The company could not say exactly how long this data was exposed or how many people viewed the beta site, but the bug was patched within hours of Cluley's discovery.

Facebook may intend for the beta site to be private, but it has been open to the general public for several days. It features a new profile design that should be rolled out as an option to Facebook users some time this week.

Cluley himself did not consider this a major data breach, but he said it should serve as a warning to people who put a lot of information on social networks. "It raises a more serious question which is, 'Can you trust these social networks to look after your data properly?'" he said.

Facebook is sensitive about privacy. In November the company scrambled to fix its Beacon ad system after a CA researcher discovered that the system was collecting data on users' online behavior, despite Facebook's assurances to the contrary.

"With Beacon we just screwed it up," said Matt Cohler, the company's vice president of product management, during a March session with reporters.

Cluley isn't sure that won't happen again. He's telling his friends to just make up a birth date on Facebook from now on.

Apple's MobileMe users gripe about 'push' that isn't

2008-07-15T02:22:00.000-07:00

Some Mac users are calling foul after discovering that information entered on their Mac and PC calendars and address books isn't pushed instantly to the servers in the MobileMe "cloud."

Apple, meanwhile, has posted a support document to its Web site acknowledging that applications on a PC, or on a Mac running Leopard, synchronize with MobileMe only once every 15 minutes. Macs running the older Mac OS X 10.4, aka Tiger, sync with MobileMe only once each hour.

Users have vented on Apple's own forums as well in comments on sites such as MacRumors.com, which posted a story early Monday on the brouhaha.

"It's really the desktop iCal and Address Book issue that's got everyone disappointed though, because Apple didn't tell people it was only push one way down, and everyone understandably assumed that the desktop apps would push UP as well, based on Apple's marketing," said a user identified as "McToast" on a thread in Apple's MobileMe support forum Sunday. "But they don't."

Changes made to the iPhone's e-mail, address book or calendar are pushed almost instantly to the MobileMe servers, and entries added to or modified in the MobileMe Web-based applications push down to the iPhone at the same speed. Any changes that reach the MobileMe servers are pushed immediately to the user's Mac or PC, but on the upstream -- from Macs and Windows PCs to MobileMe -- there's a lag because of the best-speed-sync of every 15 minutes.

Apple confirmed the slower Mac/PC-to-MobileMe synchronization in a document published last week to the company's support database.

"Selecting Automatic in Mac OS X allows your computer to immediately sync and update when there are any changes on the MobileMe servers. Those changes can come from your iPhone, iPod touch, the MobileMe website, or another computer. Changes made on your computer will be synced to the MobileMe 'cloud' once every 15 minutes (or every hour in Mac OS X 10.4.11)."

Windows-to-MobileMe sync also occurs about every 15 minutes, Apple added in the document.

Most users contributing to the support forum were disappointed about the slower sync, and felt Apple misled them when it marketed MobileMe.

"This is definitely disappointing, and Apple's sales blurb is misleading if not downright wrong," said a user tagged as "keith.wilson" on the same thread as McToast. "They clearly state that 'When you make a change on one device, the cloud updates the others. Push happens automatically, instantly and continuously.' Whilst this is true for iPhones, iPod touch and the new web apps, it's not true for the Mac desktop applications."

"Disappointing to say the least," agreed another user, "FarmacyMan."

Another user called out Apple for touting MobileMe as "Exchange for the rest of us," a phrase it's used since it unveiled the service in early June. "For comparison, I updated a contact on my PC-based Outlook application (Microsoft Exchange). In a few seconds, that record was updated on my Blackberry," reported Jim Dever on the support forum. "I like to give Apple the benefit of the doubt, but they must not have anticipated the reaction by those of us expecting to see MS Exchange-like functions in MobileMe."

Elsewhere, a Mac user posted a workaround on the hints and tips section of Macworld, a Computerworld sister publication, that outlined how to change the 15-min. interval by modifying a .plist file on a Mac.

This is the second dustup over MobileMe since it went live late last week. Then, customers griped about a day-long outage as Apple launched the new service and shut down its predecessor, .Mac.

MobileMe costs $99 for an single-user annual subscription. But although Apple initially let users sign up for a free 60-day trial last week, that offer has apparently been pulled.

Icahn files Yahoo board proxy statement with SEC

2008-07-15T02:21:00.002-07:00

Billionaire investor and Yahoo Inc. shareholder Carl Icahn filed a definitive proxy statement Jerry Yang. nominating a slate of nine directors to replace Yahoo's board and its CEO,

Today's filing with the U.S. Securities and Exchange Commission comes after Yahoo on Saturday rejected a joint proposal from Microsoft Corp. and Icahn that called for a restructuring of Yahoo's board and executive ranks and the sale of the company's search business to Microsoft.

Icahn's slate of directors includes Mark Cuban, an Internet entrepreneur and majority and controlling owner of the NBA's Dallas Mavericks; and Adam Dell, managing general partner of Impact Venture Partners, a venture capital firm focused on IT investments. The slate differs from board members Icahn proposed in a letter to Yahoo in May. Icahn's list submitted today leaves out Robert K. Shaye, co-chairman and co-CEO of New Line Cinema, and replaces Shaye with Icahn himself.

In a letter to shareholders, Ichan, who owns approximately 5% of Yahoo, Icahn said, "We believe that now is the time to enter into a significant transaction with Microsoft."

Yahoo could not be reached for comment.

In the statement, Icahn told shareholders that Microsoft would be willing to enter into an agreement to purchase all of Yahoo, or the software maker would purchase Yahoo's search business with certain guarantees for shareholders if the current board were replaced with Icahn's nominees.

Microsoft: Search-only deal was Yahoo chairman's idea

2008-07-15T02:21:00.001-07:00

Microsoft Corp.'s proposal Friday to purchase Yahoo Inc.'s search business was actually the idea of Yahoo Chairman Roy Bostock, and Yahoo has publicly "mischaracterized" the discussion surrounding the proposal, Microsoft said Monday.

In a statement, Microsoft claimed that Bostock called the office of Microsoft CEO Steve Ballmer last Thursday to arrange a call, on which he told Ballmer that "with substantial guarantees on the table and an increase in the TAC [traffic acquisition cost] rate, there are the pillars of a search-only deal to be done."

"Mr. Bostock encouraged Mr. Ballmer to submit a new proposal to Yahoo for a search-only deal reflecting these terms," according to Microsoft.

Yahoo said Saturday night that it rejected a joint proposal made Friday night by Microsoft and investor Carl Icahn that called for a restructuring of Yahoo, the removal of its board and management team, and the sale of Yahoo's search business -- which the proposal devalued -- to Microsoft.

At the time, Yahoo said it was given only 24 hours to reject or accept the proposal.

But Microsoft said in its statement that Yahoo "mischaracterized" the discussion as "a take it or leave it ultimatum, rather than a timetable in order to move forward to intensive negotiations." The proposal also did not call for any changes to Yahoo's governance, Microsoft said.

Upon Bostock's urging Thursday, Microsoft proposed an "enhanced search transaction" to include "significant revenue guarantees, higher TAC rates, an equity investment and an option for Yahoo to extend the agreement over a 10-year period," according to Microsoft.

"At the time Microsoft submitted its enhanced proposal, Microsoft asked that Yahoo confirm whether it would agree that the enhancements were sufficient to form the basis for the parties to engage in negotiations over the weekend on a letter of intent and more detailed term sheets," according to Microsoft. However, Yahoo told Microsoft on Saturday that it had rejected the deal, Microsoft said.

Microsoft submitted its first unsolicited bid to acquire Yahoo on Feb. 1, but the two companies have been unable to come to an agreement despite months of negotiations. Most recently, Yahoo has said publicly that it is willing to sell the company to Microsoft for $33 a share and that it is not interested in deal to sell only its search business.

Unpatched Windows PCs fall to hackers in under 5 minutes, says ISC

2008-07-15T02:19:00.000-07:00

It takes less than five minutes for hackers to find and compromise an unpatched Windows PC after it's connected to the Internet, a security researcher said today.

The SANS Institute's Internet Storm Center (ISC) currently estimates the "survival" time of an Internet-connected computer running Windows at around four minutes if it's not equipped with the latest Microsoft Corp. security patches, said Lorna Hutcheson, a researcher and analyst, in a post to the ISC blog.

"I have been asked many [times] by people if I really believed the survival time graph on the ISC site was truly an accurate representation of how long a new system had once connected," said Hutcheson. "The answer to this is 'yes' for most home users and systems that are Internet-facing.

The ISC maintains a record of the time between network probes for an average IP address, and assumes that hackers would follow a successful probe -- which would disclose one or more open ports -- with an exploit, most likely a worm.

Another security researcher, however, said unpatched machines can last longer than just a few minutes before falling to attack. The German Honeypot Project, which sets vulnerable systems on the Internet to collect malware, estimates survival time in hours, not minutes.

"Compared to the survival time from the Internet Storm Center which is currently below five minutes, we measure a higher survival time," said Thorsten Holz, a co-founder of the project and current a Ph.D. student at the University of Mannheim, in a post to the Honeypot Project's blog. The project's data estimates the average time between connecting to the Internet and compromise at under 1,000 minutes, or approximately 16 hours.

"[But] the time is still short, and you need to patch a system before taking it online," said Holz.

"While the survival time varies quite a bit across methods used, pretty much all agree that placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas," added Hutcheson of the ISC.

Microsoft says it would deal with new Yahoo board

2008-07-07T10:49:00.000-07:00

In a statement Monday, Microsoft Corp. confirmed that it would be interested in resuming talks with Yahoo Inc. with a new board of directors, either as part of an effort to buy Yahoo's search business or the entire company.

Billionaire investor Carl Icahn, who has been pushing for a deal with Microsoft and has proposed a new slate of Yahoo directors, also issued a letter on Monday, confirming that he has discussed the scenario "frequently" during the past week with Microsoft CEO Steve Ballmer and other executives.

In response to Icahn's letter, Yahoo's board of directors on Monday said the company is ready to sell and urged Microsoft to make an offer for all of Yahoo now if it is still interested in buying rather than speculate about plans for some "future 'negotiation' between Mr. Icahn's directors and Microsoft's management."

"If Microsoft and Mr. Ballmer really want to purchase Yahoo!, we again invite them to make a proposal immediately," the company said in a statement.

It added that a deal between Icahn's proposed new board and Microsoft to only buy Yahoo's search business "would not lead to an outcome that would be in the best interests of Yahoo!'s stockholders."

In its statement, Microsoft said that, after Yahoo's shareholder meeting this quarter, it would be "interested in discussing with a new board a major transaction with Yahoo, such as either a transaction to purchase the 'Search' function with large financial guarantees or, in the alternative, purchasing the whole company."

Microsoft also noted that its talks with the current board have reached an impasse. "Despite working since Jan. 31 of this year, as well as in the early part of last year, we have never been able to reach an agreement in a timely way on acceptable terms with the current management and board of directors at Yahoo," Microsoft's statement said. " We have concluded that we cannot reach an agreement with them."

Ballmer expressed concern that the current board could mismanage the company during the months it would take for a sale to gain regulatory approval, putting Microsoft's investment at risk, according to Icahn.

Icahn has nominated a number of candidates to be named to the board at the company's August shareholder meeting. In the letter, he said he has "little doubt" that a new board will immediately begin negotiations with Microsoft and "move expeditiously" to replace current CEO Jerry Yang "with a new CEO with operating experience."

"There is no need to keep pointing out the mistakes I believe Yahoo made by not immediately taking a $33 offer made by Microsoft. But one thing is clear -- Jerry Yang and the current board of Yahoo will not be able to 'botch up' a negotiation with Microsoft again, simply because they will not have the opportunity," Icahn wrote.

"Our company is now moving toward a precipice," he added. "It is currently losing market share in its 'Search' function; our current board has failed to bring in a talented and experienced CEO to replace Jerry Yang and return Jerry to his role as Chief Yahoo, and currently it is witnessing a meaningful exodus of talent."

Microsoft first made an unsolicited offer to buy Yahoo on Feb. 1 -- a $44.6 billion cash-and-stock deal that offered shareholders a 62% premium over Yahoo's stock price the day before of $19.18.

But 10 days later, Yahoo's board rejected that offer, saying it undervalued the company. On Feb. 11, Yahoo's stock closed at almost $30.

Microsoft later increased its offer to $33 per share, or about $47.5 billion, but Microsoft eventually walked away from the negotiations on May 3 after the two sides failed to agree on a price.

Since then, Microsoft officials have repeatedly said the company isn't interested in acquiring all of Yahoo. Later, Microsoft did offer to buy Yahoo's search advertising business, but those negotiations also fell through. Yahoo instead struck a more limited deal to outsource part of its search ad business to Google.

Google is doing WHAT?

2008-07-07T05:44:00.000-07:00

With a skyrocketing stock price, fanboy hysteria and -- most importantly -- really useful products, Google Inc. is the prima donna of tech for the new millennium.

The company is so active that it's hard to keep track of everything it does. And, just when you get a good handle on its litany of Web applications, promising lab innovations and unheralded research projects, it seems to turn on a dime -- a difficult move for a $167 billion company with 19,000 employees -- and invent something new. Who would have thought a search site company would get involved in laying a fiber-optic undersea cable between the U.S. and Japan?

Of course, not everything has worked out for the company, as these flubs, flops and failures illustrate. JupiterResearch analyst Michael Gartenberg, for one, isn't put off by the wide range of directions the company has taken and occasional miscues.

"The whole Google empire started as a research project, and it's a core in their DNA to try and discover new things and figure out how to monetize them," he says. "When you have a market cap like they do and the cash cow in the guise of paid search, they can keep experimenting. You need the financial wherewithal to support these projects, and plenty of smart people to carry them out. Google does not seem short on either."

Truth and rumors

Here's an update on some of Google's most interesting projects, including some new details about Android, energy initiatives, language translation and a new facial recognition search technology. Also, the Web is rife with wild rumors about clandestine Google projects, so we asked the secretive company to comment on some of the more prominent ones to try to find out what's really going on.

Android

Street View on an Android phone suddenly becomes much more powerful because you can use it when you are standing on a street corner, trying to find an address.

Click to view larger image.

Although the "gPhone" never materialized, the company has been planning something better: an operating system for phones called Android. It's partly a direct competitor to Windows Mobile and partly an experiment in open-source development. Recently, the company held a contest for third-party developers to create innovative apps for Android. 1,700 programmers took up the challenge.

Examples from the contest include wayfinding apps that tap into the handheld's Global Positioning System chip. One application lets users find a taxi based on where they are. Another app lets users find their friends' locations and what they're doing and lets them create plans with them, with all the information tracked in real time. Some of these apps sounds a bit theoretical at this point -- the platform and phones will ship in the second half of 2008 -- but Google did post a PDF that shows the top 50 winners in the first round of the challenge, along with screenshots.

Erick Tseng, Android product manager, says it's a massive shift in thinking from the phone dictating what you can do to the device being open to any kind of content, service, provider and media.

"There are clear benefits to the ecosystem, not just [for] the users, but [also for] developers, carriers, providers," Tseng says. "Whatever phone you use today, think about the difficulty of getting content -- Android has unfettered access to content. You never have to think about, because I am on this service or this provider I can't get certain content."

Not everything has gone smoothly for Android, however. Charles Covin, a Forrester Research Inc. analyst covering Android, says "I think the Android platform is a long-term play, and its short-term hiccups are no surprise. Google is intent on reaching consumers wherever they can, and it's clear that, while Internet use on mobile phones is still limited, it is the next venue where Google can expect to interact with its customers."

Facial recognition search

After measuring the facial characteristics of an image, you can find all versions of that image, including the most common photo and all variations.

Click to view larger image.

Image search is a burgeoning market that is woefully untapped. Today, when you type "Paris Hilton" at Google.com, you'll find images that other users have tagged. Yet tagging is a tedious process. At Flickr.com, for example, many images are left untagged, making it impossible to find them by searching. The more images stored without tags, the harder it is to find them.

At Google, new facial recognition technology will make it easier to find untagged images. Unlike the technology used for biometrics -- where you can pass through a security checkpoint when a video camera confirms your identity -- this image search is purely for finding the information you want.

"What Google did for text, we want to do for vision," says Shumeet Baluja, a Google research scientist. "We want to make images just as searchable and accessible as text."

Imagine this scenario: Five years from now, when all of your digital photos are stored online, you decide you want to search for pictures of your grandmother. With Google facial recognition technology, you might start with a source scan that measures the distance between the eyes, arrangement of nose, ears, eyes and other data. In seconds, you find every image you ever uploaded -- and any image stored anywhere online.

Language translation

The actual language-translation interface looks simplistic, but it is based on thousands of language-pair rules that require high processing power and complex programming techniques.

Click to view larger image.

Translation has been around for years, especially as part of search engines such as Alta Vista. Google has made progress with the vast number of languages it has made available for translation, including Russian, Arabic and the recent addition of Hindi. Another innovation is in researching the rules applied to machine translation based on cultural phenomena of languages, which requires a great deal of computer processing.

"The more rules used, the better the quality of the translation," says Franz Och, a Google machine translation research scientist. "If you want to perform an English-to-Hindi translation, for example -- which has a small subset of the language pairs [matching words] of French or Spanish -- the smaller the language, the more important machine translation becomes. Finnish is a challenging language because of the morphology. One word could have all kinds of information inherent to it. Other language translations are more complicated because there are so many differences between the languages. Nice languages with historic roots and similarities are easier, like French to English."

Energy initiatives

Bill Weihl is the energy czar at Google charged with making the company a leading example of energy efficiency. Most buildings at Google's headquarters have a solar array that provides 30% of peak power usage at the campus. The company also lets employees use hybrid cars for occasional short-term use -- they are located in a garage that is itself powered by a solar array.

"In the last year, we have been working with companies in the industry in and outside of technology to drive energy efficiency in PCs and servers," Weihl says. "We started an initiative with Intel and HP and others called the Climate Savers Initiative. Also Starbucks -- who provides a lot of the fuel that drives the tech industry. It is not a technology issue -- it is a demand issue."

2 emissions and promoting the use of hybrid vehicles." border="0">Google runs the Google.org/recharge Web site as a portal for information about reducing CO₂ emissions and promoting the use of hybrid vehicles.

Click to view larger image.

"It costs more to get a PC or server that is energy-efficient; components have not been efficient," Weihl says. "It is a cost that pays beck within a year or two. For years, we talked about price performance and features. We really need to educate the industry and consumers that they should think about energy when they buy them."

Universal search

Universal -- or "one-box" -- search, changes the search paradigm at Google. Instead of just presenting text results, you now see videos, photos and other content listed in the results.

Click to view larger image.

Anytime you search on Google.com, you are performing a "universal search," where the results are not just text links but a mix of Web sites, images, videos, blog entries and even audio. The underlying technology is how Google determines which results it presents and how it presents them. With universal search, Google continues to tweak algorithms and experiment with the search results. The goal, says Bailey, is to present balanced results based on the search term and move away from the heavy emphasis on only textual Web links that existed prior to the switch to universal search in May 2007.

"If you search for Martin Luther King, you might be thinking text, but we present relevant video results," says David Bailey, a Google senior software engineer for universal search. "We can look at the results and compare and contrast. Someone might be speculatively searching, but we put the 'non-Web' results at the top of the page. There might be blog posts or video podcasts. It is a good diversity play when we search everything speculatively. We know about the video, we have the thumbnails, we know the star rating, so we should present those results."

Rumored projects

Along with the confirmed projects already mentioned, there are also plenty of rumors about fantastic new programs at the Mountain View, Calif.-based technology juggernaut. We asked Google to comment on some of the more prominent rumors and to confirm or deny its involvement.

Google bows to pressure, adds 'Privacy' link to home page

2008-07-04T05:41:00.001-07:00

For Google, ready Privacy: That could be the subliminal message Google wants to send by replacing its name on its famously spartan home page with a link to its privacy policy.

Last month, privacy organizations wrote to Google CEO Eric Schmidt asking the company to link to its privacy policy from its home page. Including the link on the home page is good practice -- and also mandated by California law, the organizations said.

On Thursday, Google acceded to the request, putting the word "Privacy" at the foot of its home page and linking it to its privacy information pages. The link replaces the company's name next to the copyright notice, leaving the number of words on the home page unchanged.

Google had previously declined to make the change to its home page, saying that users appreciate the lack of clutter there. Microsoft and Yahoo both include privacy links on their search pages, while Ask.com added a link to its privacy policy on June 18.

The order to remove the company's name to make way for the privacy link came right from the company's founders, Vice President of Search Products and User Experience Marissa Mayer explained in a posting to the company's blog.

"Larry and Sergey told me we could only add this to the homepage if we took a word away -- keeping the 'weight' of the homepage unchanged at 28," she said.

That figure holds only if you have signed out of your Google account and are viewing the basic U.S. home page in English, see no promotional line running beneath the search box, see no invitation to make Google your home page because you have already done so, and count "©2008 Google" (now "©2008 Privacy") as two words.

Google gives away home-cooked Web application security scanner

2008-07-04T05:39:00.000-07:00

Google has released for free one of its internal tools used for testing the security of Web-based applications.

Ratproxy, released under an Apache 2.0 software license, looks for a variety of coding problems in Web applications, such as errors that could allow a cross-site scripting attack or cause caching problems.

"We decided to make this tool freely available as open source because we feel it will be a valuable contribution to the information security community, helping advance the community's understanding of security challenges associated with contemporary Web technologies," wrote Google's Michal Zalewski on a company security blog.

Ratproxy -- released as version 1.51 beta -- is quick and less intrusive than other scanners in that it is passive and does not generate a high volume of attack-simulating traffic when running, Zalewski wrote. Active scanners can cause problems with application performance.

The tool sniffs content and can pick out snippets of JavaScript from style sheets. It also supports SSL (Secure Socket Layer) scanning, among other features.

Since it runs in a passive mode, Ratproxy highlights areas of concern that "are not necessarily indicative of actual security flaws. The information gathered during a testing session should be then interpreted by a security professional with a good understanding of the common problems and security models employed in web applications," Zalewski wrote.

Google has posted an overview of Ratproxy as well as a download link to the source code. Code licensed under the Apache 2.0 license may be incorporated in derivative works, including commercial ones, but the origin of the code must be acknowledged.

Weak web application security continues to embarrass companies, potentially causing the loss of customer or financial data.

A 2006 survey by the Web Application Security Consortium found that 85.57 percent of 31,373 sites were vulnerable to cross-site scripting attacks, 26.38 percent were vulnerable to SQL injection and 15.70 percent had other faults that could lead to data loss.

As a result, security vendors have moved to fill the need for better security tools, with large technology companies acquiring smaller, specialized companies in the field.

In June 2007, IBM bought Watchfire, a company that focused on Web application vulnerability scanning, data protection and compliance auditing. Two weeks later, Hewlett-Packard said it would buy SPI Dynamics, a rival of Watchfire whose software also looks for vulnerabilities in Web applications as well as performing compliance audits.

Microsoft promises four patches next week

2008-07-04T05:38:00.000-07:00

Microsoft Corp. on Thursday chalked in four security updates for next week that would fix vulnerabilities in Windows, SQL Server and Exchange Server.

All four were labeled "important," the company's second-highest ranking, even though one of the Windows updates will quash a bug that attackers could use to execute malicious code remotely. That kind of vulnerability has been regularly rated as "critical" by Microsoft in the past.

As is its practice for pre-patch notifications, Microsoft disclosed few details today of next week's updates other than their severity ranking and the affected software.

"None of these were on my radar," admitted Andrew Storms, director of security operations at nCircle Network Security Inc. "I'm doing quite a bit of head scratching given the variety and interesting details [in the bulletins]."

One of the two Windows bulletins will patch Windows 2000 and Windows XP -- including the recently released XP Service Pack 3 (SP3) -- but not Windows Vista, while the second update slated for the client operating system will patch Vista, including Vista SP1, but not the older OSes.

The Vista bug caught Storms' eye because while Microsoft said it could result in remote code execution -- a description reserved for a serious vulnerability that could let hackers hijack a PC -- the company ranked it as important, not critical.

"I read that kind of bug as 'critical'," said Storms. "Microsoft seems to have stepped it up a notch," he said, noting that it appears the company is taking a harder line in defining "critical" flaws as only those that don't require any user action to be exploited.

Microsoft described both the SQL Server bug and the Exchange vulnerability as elevation of privilege flaws, and will provide patches for the former to Windows Server 2003, Server 2008, Windows 2000 and all still-supported versions of SQL Server, the company said. The Exchange update applies to both Exchange Server 2003 and the newer Exchange Server 2007.

The amount of detail Microsoft tucked into the pre-patch notification for the SQL Server and Exchange Server vulnerabilities puzzled Storms, who pointed out that Microsoft specified that the former's flaw affected both WMSDE, the SQL engine added to Windows clients, and WYukon, the engine within Windows server software. "I don't know whether this is a clue [about the vulnerability] or whether they're just being more promiscuous with information," Storms said.

It doesn't appear the Microsoft will be patching an Internet Explorer vulnerability first reported in 2006, but which returned to the limelight last month when security researcher Aviv Raff claimed that it could be combined with a bug in Apple Inc.'s Safari to pose a danger to users. At the end of May, Microsoft warned users of the blended threat, and recommended that people stop using Safari.

Apple patched Safari for Windows to quash the browser's so-called "carpet bomb" bug two weeks ago.

But Storms thought there was an outside chance that Microsoft would fix IE, even though it didn't explicitly label any of the prospective patches as intended for Internet Explorer. Last year, he said, Microsoft dealt with protocol handler bugs that could be exploited by attacks against IE by fixing Windows, not the browser.

The four security updates will be posted Tuesday, July 8, around 1 p.m. EDT.

Microsoft trumpets security additions in upcoming IE8

2008-07-04T05:37:00.000-07:00

Microsoft Corp. today outlined new security features that it plans to add to Internet Explorer (IE) next month, including anti-malware protection to match tools similar to those offered by its rivals and a filter the company said would block most cross-site scripting attacks.

Internet Explorer 8 Beta 2, which Microsoft has slated for release sometime in August, will include two new security tools, said Austin Wilson, the director of Windows client product management.

One, dubbed "SmartScreen Filter" by Microsoft, adds malware blocking to the antiphishing protection already embedded in IE7. The new feature, which will resemble the defenses already used by rival browsers Firefox 3.0 and Opera 9.5, will warn users when they're about to visit a site known or suspected of spreading malicious code and then block any download from that site.

Unlike Mozilla Corp.'s Firefox, which retrieves a blacklist several times daily, then stores it locally to compare against Web site addresses, IE8 will dynamically determine whether a site is potentially dangerous by pinging remote servers each time a user tries to reach a page.

Microsoft will use multiple third-party sources to compose the blacklists for both phishing and malware-hosting sites, said Wilson. It will also draw on data gathered by Windows Defender, the company's free antispyware tool. Wilson would not disclose the third-party information providers, however.

"We get the data feeds and update our lists multiple times a day," he said. "And IE8 makes the call to the URL reputation service servers, and if it's a phishing or malware site, the browser navigates away from the page and displays a warning."

He denied that the process would have a noticeable effect on IE8's performance. "Our choice was to make sure that the user has the most recent data possible," he said. "We do an asynchronous call, so the page rendering takes place while the call is made to the reputation servers."

Also to debut next month in IE8 Beta 2 is an integrated filter that Microsoft said would prevent most cross-site scripting attacks. "Today, the end user can be doing all the right things, checking the URL to make sure it's legitimate, only going to trusted sites, but because of vulnerabilities on the Web server side, they can still be compromised," said Wilson, referring to cross-site scripting attacks, which are most commonly used by identity thieves and have been on the upswing.

"When IE8 sees a cross-site scripting attack, it stops that script from being reflected to the server, and stops the attack at the client," Wilson added.

IE8 will have the cross-site scripting filter enabled by default, and it will not need to deal with pop-up warnings or other dialogs, added David Ross, a security software engineer at Microsoft. "When the filter discovers likely XSS in a cross-site request, it identifies and neuters the attack if it is replayed in the server's response," said Ross in a technical posting to the IE team's blog today.

Cross-site scripting is sometimes referred to by the abbreviation "XSS."

However, Ross acknowledged that IE8's cross-site scripting filter won't completely protect users. "The XSS Filter defends against the most common XSS attacks but it is not, and will never be, an XSS panacea," Ross said.

John Pescatore, a Gartner Inc. analyst, applauded Microsoft's plans. "It's good to see these kinds of things built into the browser," he said, adding that the two new features take different approaches against security problems on the Web.

The SmartScreen Filter is the "more reactive part" of the IE8 security upgrade, Pescatore argued. "You really have to protect the browser user against himself," he said, and one way is to block users from straying into dangerous places.

The concept behind the cross-site scripting filter and IE8's planned support for protocols designed to make intersite communications more secure is similar to the tools Microsoft and Hewlett-Packard Co. unveiled last week to help Web site developers and administrators secure their sites against SQL injection attacks. "You can't build everything into the browser," Pescatore said. "The browser has to be the thing that tries to protect the user, but it can't make up for all the Web security vulnerabilities."

IE8 Beta 2 will ship next month, Microsoft's Wilson confirmed today, although he declined to set a more specific date.

Beta 1, which launched four months ago, can be downloaded from Microsoft's Web site.

Microsoft Readies New Try for Yahoo

2008-07-02T01:46:00.000-07:00

Microsoft is seeking partners including Time Warner and News Corp. in a new bid to acquire Yahoo's search business, the Wall Street Journal reported Wednesday.

Microsoft wants to acquire Yahoo search, with the partner, likely a media company, taking the rest of Yahoo's business. CEO Steve Ballmer called Yahoo Chairman Roy Bostock and arranged a meeting set for Monday, but that meeting was cancelled, the Journal reported, citing people familiar with the situation.

In January, Microsoft made an unsolicited bid to buy all of Yahoo, an offer the latter refused. Although Microsoft later raised its offer price, Yahoo continued to decline, and in early May, Microsoft ended the negotiations.

On Monday, his final day as Microsoft's chairman, Bill Gates stated that he thought any deal between his company and Yahoo was unlikely.

However, the matter has refused to go away with Microsoft indicating it would still be interested in buying part of Yahoo, namely its search business. At the same time, Yahoo investor Carl Icahn has pushed for a deal with Microsoft. He has stated publicly on several occasions that the company's board failed to serve shareholder interests by refusing to sell, and is maneuvering to replace the board at an upcoming investor meeting in August.

On Tuesday, Yahoo gave shareholders with a 32-page presentation that sought to shore up support for the board ahead of that meeting, and defended its decisions in the face of Microsoft and Icahn criticism.

Trojan Lurks, Waiting to Steal Admin Passwords

2008-07-02T01:44:00.000-07:00

Writers of a password-stealing Trojan horse program have found that a little patience can lead to a lot of infections.

They have managed to infect hundreds of thousands of computers -- including more than 14,000 within one unnamed global hotel chain -- by waiting for system administrators to log onto infected PCs and then using a Microsoft administration tool to spread their malicious software throughout the network.

The criminals behind the Coreflood Trojan are using the software to steal banking and brokerage account usernames and passwords. They've amassed a 50G-byte database of this information from the machines they've infected, according to Joe Stewart, director of malware research with security vendor SecureWorks.

"They've been able to spread throughout entire enterprises," he said. "That's something you rarely see these days."

Since Microsoft shipped its Windows XP Service Pack 2 software with its locked-down security features, hackers have had a hard time finding ways to spread malicious software throughout corporate networks. Widespread worm or virus outbreaks soon dropped off after the software's August 2004 release.

But the Coreflood hackers have been successful, thanks in part to a Microsoft program called PsExec, which was written to help system administrators run legitimate software on computers across their networks.

For a widespread infection, attackers must first compromise a system on the network by tricking the user into downloading their program. Then, when a system administrator logs onto that desktop machine -- to perform routine maintenance, for example -- the malicious software tries to run PsExec and install malware on all other systems on the network.

Often the technique succeeds.

Over the past 16 months, Coreflood's authors have infected more than 378,000 computers. SecureWorks has counted thousands of infections in university networks and has found financial companies, hospitals, law firms, and even a U.S. state police agency that have had hundreds of infections. "It's kind of insane how often they are getting on hundreds or thousands of computers at a single company," Stewart said. "They've probably stolen far more accounts than they can use."

The SANS Internet Storm Center reported one of the infections, which affected 600 machines on a 3,000 PC network, on June 25.

Malicious programs have used PsExec for more than five years, said the software's creator, Mark Russinovich, a Microsoft technical fellow. However, this is the first time he had heard of it being used in this fashion. "PsExec doesn't expose anything that a malware author can't code themselves or even accomplish with alternate mechanisms," he said in an e-mail interview. "Once you have credentials that give you local admin rights via remote access, you own that system."

Coreflood, which is also known as the AFcore Trojan, has been around for about six years. It has been used in the past for such things as launching denial-of-service attacks, but not to steal passwords, Stewart said.

Citibank ATM breach reveals PIN security problems

2008-07-02T01:43:00.000-07:00

Hackers broke into Citibank's network of ATMs inside 7-Eleven stores and stole customers' PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record.

The scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals were able to access PINs — the numeric passwords that theoretically are among the most closely guarded elements of banking transactions — by attacking the back-end computers responsible for approving the cash withdrawals.

The case against three people in U.S. District Court for the Southern District of New York highlights a significant problem.

Hackers are targeting the ATM system's infrastructure, which is increasingly built on Microsoft Corp.'s Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet. And despite industry standards that call for protecting PINs with strong encryption — which means encoding them to cloak them to outsiders — some ATM operators apparently aren't properly doing that. The PINs seem to be leaking while in transit between the automated teller machines and the computers that process the transactions.

"PINs were supposed be sacrosanct — what this shows is that PINs aren't always encrypted like they're supposed to be," said Avivah Litan, a security analyst with the Gartner research firm. "The banks need much better fraud detection systems and much better authentication."

It's unclear how many Citibank customers were affected by the breach, which extended at least from October 2007 to March of this year and was first reported by technology news Web site Wired.com. The bank has nearly 5,700 Citibank-branded ATMs inside 7-Eleven Inc. stores throughout the U.S., but it doesn't own or operate any of them.

That responsibility falls on two companies: Houston-based Cardtronics Inc., which owns all the machines but only operates some, and Brookfield, Wis.-based Fiserv Inc., which operates the others.

A critical issue in the investigation is how the hackers infiltrated the system, a question that still hasn't been answered publicly.

All that's known is they broke into the ATM network through a server at a third-party processor, which means they probably didn't have to touch the ATMs at all to pull off the heist.

They could have gained administrative access to the machines — which means they had carte blanche to grab information — through a flaw in the network or by figuring out those computers' passwords. Or it's possible they installed a piece of malicious software on a banking server to capture unencrypted PINs as they passed through.

What that means for consumers is that their PINs were stolen from machines that showed no signs of tampering they could detect. In previous PIN thefts, thieves generally took steps that might draw notice — sending "phishing" e-mails, for example, or installing false-front keypads or even tiny cameras on ATMs.

Getting the PINs is a key step for identity thieves. It lets criminals encode stolen account information onto blank ATM cards and withdraw piles of cash from compromised accounts.

Don Jackson, director of threat intelligence for SecureWorks Inc., said he has seen an "alarming" spike in the number of attacks on back-end computers for ATM networks over the past year.

"This was fairly large, but I don't think it's anything out of the ordinary — these kinds of scams go on every day," Jackson said. "What makes this case unique is the sheer luck of happening upon these guys and catching them red-handed. But there are a whole lot of other ATM and PIN compromises going on that aren't reported."

The alleged plot is outlined in court papers supporting the prosecution of three people — Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva. They were indicted in March on two counts each of conspiracy and fraud. Prosecutors say their activities generated at least $2 million in illegal profits.

Defense lawyers for all three people did not return calls for comment, and it was not clear where they had been living. The main defendant, Rakushchynets, was described as having Michiganarrest warrant. and Florida's driver licenses in a February FBI affidavit for an

Citibank, part of Citigroup Inc., has declined to comment on the technique or how many customers' accounts were compromised. It said it notified affected customers and issued them new debit cards.

"We want our customers to know that, consistent with legal requirements, we do not hold them responsible for fraudulent activity in their accounts," the bank said in a statement.

Cardtronics said it is cooperating with authorities but otherwise declined to comment. Fiserv spokeswoman Melanie Tolley said the intrusion didn't happen on Fiserv's servers.

"Fiserv," she said, "is confident in the integrity and security of our system."

Firefox 3.0 wins memory battle, says tester

2008-06-29T20:29:00.001-07:00

Mozilla Corp.'s Firefox 3.0 browser uses memory much more efficiently than its rivals, according to an independent tester who wrote a memory-monitoring utility to track usage by Firefox, Internet Explorer (IE), Flock, Opera and Safari.

In a lengthy post to his Web site, .Net developer Sam Allen spelled out the data he collected from the "Memory Watcher" application he wrote specifically to track Web browser memory use.

Although Allen acknowledged that the testing was unscientific -- he ran each browser between 2.69 hours and 2.91 hours, for instance, and didn't claim to have visited the exact same pages with each -- he claimed that the trend lines drawn by Memory Watcher were valid. The results, he said, "Are not a direct comparison in any way, but they offer a visualization of trending in the memory behavior of the layout engines and interfaces."

Firefox 3.0 was the clear winner, not only because it used the least amount of memory of any of the tested browsers, but its memory use didn't noticeably grow over time. "This browser exhibits memory usage that is by far lower than the others," Allen said of Firefox 3.0. "It releases memory to the system and the trend line is nearly flat."

The poorest marks went to Apple Inc.'s Safari 3.1 for Windows -- Allen tested only the Windows versions of each browser -- which consistently consumed more memory the longer it was used. "Safari on Windows shows extremely poor memory management," he said.

Other browsers, including Microsoft Corp.'s IE 8 Beta 1, Flock Inc.'s Flock 2.0 and Opera Software ASA's Opera 9.5, were in the middle, memory management-wise, he argued. While their memory use crept up over time, the increase was much more gradual than Safari's. "IE did well ... although a worrying trend in the data could indicate that it[s memory usage] would keep escalating," Allen said.

Browsers are regularly dinged for "memory leaks," the term used to describe the increase in memory use the longer an application is used. In some cases, the memory load becomes big enough to degrade the overall performance of some computers.

Older versions of Firefox, including Firefox 2.0, for example, were assailed for rampant memory leaks, criticism that drove Mozilla to reduce the browser's memory footprint in the just-released Firefox 3.0.

Allen did not immediately reply to an e-mail Friday asking for further comment on his memory tests.