UPDATE FIXES VERIZON IPHONE 5 DATA GLITCH; CUSTOMERS WON'T BE CHARGED FOR OVERAGES

Verizon iPhone 5 customers may have noticed an issue wherein their phones gobbled up extra cellular data when they were theoretically connected to Wi-Fi networks. Those customers now have two bits of good news: There’s a special software update that fixes the problem, and they won’t be responsible for unexpected charges related to unintended network overages related to the issue that spurred the carrier update in the first place.

10 HOT IT SKILLS FOR 2013

The number of companies planning to hire tech professionals continues to grow, with 33% of the 334 IT executives who responded to Computerworld's 2013 Forecast survey saying they plan to increase head count in the next 12 months.

APPLE WARNS ICLOUD USERS OF LOOMING STORAGE LOSS

Apple on Monday began reminding some iCloud users that they will soon lose the 20GB of free storage they'd received when they migrated from MobileMe.

Nook Video set for fall premiere

Barnes and Noble Tuesday announced that Nook Video will premiere this fall in the U.S. and UK. The service will offer access to movies and TV shows for streaming and download.

Eight simple steps to make the upgrade to iPhone 5 easier

A little planning can save time - and voice messages - when you upgrade to the new iPhone 5

Friday, January 30, 2009

T-Mobile Refreshes the BlackBerry Curve

T-Mobile's update of the BlackBerry Curve, the 8900, isn't an earth-shattering revision of one of Research in Motion's most successful QWERTY keyboard models. But for those who are content to browse over T-Mobile's somewhat pokey EDGE network when Wi-Fi isn't available, it offers an improved camera, a sleeker design, and a snappier processor than its predecessor, the Curve 8320 (which is still available from T-Mobile but for US$100 less than the 8900).



Like the 8320, the 8900 is a quad-band phone, meaning you can use it on pretty much any GSM network worldwide. For data, it supports EDGE, the 2.5G network technology that approximates dialup in real-world performance. That's fine for e-mail, but Web browsing is somewhat sluggish (although the desktop-style browser does a good job of rendering large pages and then letting you zoom in on sections of interest).

Black with silver accents, the 8900 is slightly skinnier, a tad more lightweight and more sculpted looking than earlier Curves, with some of the design motifs we've seen in the BlackBerry Bold and Storm. I'm on the fence about the use of red type for keypad numbers, which is more subtle but also makes them slightly less legible than on the 8900's predecessors (which used black on silver). Still, when the phone screen is on, the red numbers do glow so I had no problems dialing. RIM continues to refine its keyboards, and thumb-typing on the Curve is eminently doable. Of course, you get the terrific corporate and Internet e-mail features RIM is known for.

Voice call quality was solid in my tests. Like its predecessor, the 8900 uses UMA technology to let you make voice calls over Wi-Fi when a Wi-Fi network is present. However, you must sign up for T-Mobile's Hotspot at Home service to enable seamless transition from Wi-Fi to cellular calls.

The supplied media clips looked good, given the smallish but bright high-res screen. The 8900 comes with the updated media manager introduced since the last Curve, a definite plus. The 3.2-megapixel camera with built in flash and autofocus is also an upgrade from the previous 2-megapixel model, and it definitely shows in the improved images; shutterbugs will appreciate the difference.

Overall performance on apps definitely seemed snappier thanks to the upgraded CPU RIM is touting. Wi-Fi setup was easy and quick. GPS location, on the other hand, wasn't so hot with my production-level unit. The device hung for quite some time on its own requests for satellite fixes, and ultimately appeared to give up. I'm trying to figure out what happened here and will update as needed.

That glitch aside, the Curve 8900 should appeal to T-Mobile BlackBerry fans who feel the original Curve is starting to get a bit tired -- and who have no particular need for a handset that supports faster UMTS/DSMA data networks. The rather high $300 price tag (with a two-year T-Mobile contract) can be lowered to $200 via mail-in rebate when the device hits T-Mobile's retail outlets next week (B to B customers can start ordering now).


Blackberry Storm's components cost more than iPhone 3G's

iSuppli didn't heed James Dean's outburst in Rebel Without a Cause, because they keep tearing things apart. The latest device to go under their knives screwdrivers isn't an Apple product--rather, it's a competitor--but what lies beneath the surface can shed some light on Apple's iPhone too.

RIM's Blackberry Storm--it of the clickable touchscreen--was touted as a potential rival to the iPhone when it debuted late last year. Interesting thing, though: when iSuppli took apart the Storm, they discovered that its component costs are actually not only more than the price of the very device at your local Verizon store, but more than the comparable cost of the iPhone as well.

The bill of materials for the Storm totes up to US$202.89; the Storm itself has a suggested retail price of $250, but is currently being sold with a $50 rebate from Verizon. iSuppli says the iPhone 3G, meanwhile, costs approximately $174.33 in components, despite a similar retail price.

Of course, a teardown can only tell you what the cost of the physical materials is--it doesn't factor in software development, R&D, marketing, etc. More to the point, as iSuppli points out, the price subsidy from the carrier means it's hard to tell exactly how much each device is really costing.

Still, it's an interesting point that even though the Storm and iPhone seem at first blush to share most of the same parts--LCD touchscreen, camera, cell phone chips, flash memory, GPS--Apple would seem to be in a position to reap more profit from each device than RIM (of course, it's also hard to know what kind of deals each manufacturer has with component vendors).


Nortel quits WiMax deal with Alvarion

Nortel Networks has pulled out of a deal to resell WiMax equipment from Alvarion and help fund development of Alvarion's WiMax base stations.

The troubled networking vendor joined with Alvarion last June after cutting back its own WiMax efforts. After years of struggling to recover from a financial scandal and compete against bigger rivals, Nortel filed for bankruptcy earlier this month. Alvarion said in a press release Thursday that Nortel had informed it of the decision to quit the WiMax deal.



Alvarion is a WiMax specialist based in Israel. The collapse of the deal will hurt its fourth-quarter financial results, due to be announced Feb. 4. The company won't be able to recognize about US$2.4 million in revenue from sales of products to Nortel in the quarter. Alvarion expects that to take $0.04 per share out of its fourth-quarter bottom line, which the company now expects to show a loss of $0.08. Nortel is obligated to pay Alvarion for certain research and development services beyond the fourth quarter, but in the wake of the bankruptcy, Alvarion said it's not certain whether it will be able to collect.

"The action, while difficult, was a necessary step addressing Nortel's current situation and intention to narrow the company's focus," said Richard Lowe, Nortel's president of carrier networks, in the press release. The companies are working on shifting over their joint WiMax customers to Alvarion, he said.

Nortel has its own WiMax infrastructure products, but they're best-suited to use in developed markets, said IDC analyst Godfrey Chua. Alvarion's gear is better for the developing world, which still makes up the lion's share of the WiMax market, he said. But Nortel's move didn't surprise Chua.

"They really need to make some hard choices," he said. "They can't stay at the scale where they are now."

Going up against larger rivals, including Alcatel-Lucent, Nokia Siemens Networks and Huawei Technologies, Nortel is likely to sell off parts of its business and become a specialist in one or two technologies, Chua said. The company will probably focus on LTE (Long-Term Evolution), the fourth-generation mobile data system most mobile operators are expected to adopt, he said. But that will be a hard technology to translate into revenue, since it won't be widely deployed until 2010 or 2011.


Thursday, January 29, 2009

How many flavors will Windows 7 come in?

Recent beta suggests five versions, but Microsoft says the number is undecided as yet

Windows Me may not have had much going for it, but it has one claim to fame: It was the last major release of Windows to come in a single edition, or SKU.

In the ensuing decade, every major release of desktop Windows has come in a wide -- too wide, say many -- variety of flavors.

By one count, Windows XP and Vista came in eight separate editions, if you include two Windows Media Player-free versions mandated by the European Union for antimonopoly reasons.

Even Windows 2000, often romanticized for its small footprint, came in four versions.

This increase in Windows editions has bewildered many consumers, and has led even ardent Windows fans to make dark jokes.

"I wonder whether Windows 7 will have 700 SKUs or if [Microsoft] will streamline that," Andrew Brust, a technology consultant and Microsoft MVP, has said on his Twitter page.

Paul Thurrott, a well-known Windows blogger, said, "It is laughable. It's such a brazen play on their part to juice people for as much money as they can get."

This MBA textbook-style attempt to maximize revenue by divvying up features by customer segment is actually hurting Microsoft, said Rob Enderle, an independent analyst.

He said Microsoft's decision to strip Active Directory features from consumer versions of Vista meant that workers running Macs at home or on personal laptops have an easier time hooking up to their corporate network than many Vista users.

That is helping Apple gain the foothold in the enterprise it has long been denied, Enderle said.

"In effect, this screwy SKU thing has given Apple an advantage in enterprises that Microsoft has taken away from itself and probably will be one of the primary things slowing Windows 7 adoption" should it come in multiple editions, he said.

Will Windows 7 continue the 'SKU inflation'?

How many editions will Windows 7 come in? Recent beta releases of Windows 7 list five versions during the installation process:

  • Starter Edition, a stripped-down version for customers in developing countries running underpowered hardware that has been around since XP.
  • Home Basic, the controversial low-end consumer flavor introduced with Vista that Microsoft apparently debated whether or not to release.
  • Home Premium, also introduced with Vista.
  • Ultimate, introduced with Vista, the loaded-with-goodies version aimed at hard-core hobbyists.
  • Business, introduced with Vista as the replacement to Professional for corporate use.

A Microsoft spokeswoman confirmed the five version names in the Windows 7 beta, but said they were only "preliminary."

"We will continue to take customer feedback from the beta test period into account as we refine the SKU set for Windows 7 and will share more information when we are further along the development path," the spokeswoman said in an e-mail.

Meanwhile, CNET UK reported that Microsoft plans to make a single version of Windows 7 just for netbooks.

There is evidence, via a Microsoft job posting, that Microsoft plans to release a Small Business version of Windows 7, as it once planned but abandoned for Vista, as well as an Enterprise edition, which already exists with Vista. There would also be two additional 'N' versions of Windows 7 for customers in the EU, which has signaled recently it may even demand Microsoft bundle rival browsers with Windows. Windows 7 could therefore have as many as 10 editions in all.

Thurrott disagreed, arguing that Microsoft will cut down on the proliferation in editions that peaked with XP and Vista. He noted that the public Windows 7 beta includes the locale-specific themes that, in XP and Vista, were available only in the Starter edition, which hints that the latter could be eliminated.

The public beta, which is of Windows 7 Ultimate, appears able to run on low-end hardware like netbooks, obviating the need to create a separate SKU for it, Thurrott said.

He said that he has also heard reports that Microsoft plans to cut the "useless" Home Basic, that the Business edition will eventually be renamed Professional and include Media Center features, and that an Enterprise edition would be eliminated and its features, such as desktop virtualization, offered as add-ons to interested corporate customers.

Thurrott said he believes Microsoft's best strategy is to release Windows 7 in just three versions (not including the EU-mandated ones): Home, Professional and Ultimate.

"Gosh, I really do hope so. If there were just three versions, no one would make fun of it," he said. "Five or seven versions, that's just crazy town."

Thurrott also thinks Microsoft should cut the price on all of its versions, as well as let customers install Windows on multiple PCs or virtual machines, as Apple does with Mac OS X.

He said he was hopeful for a reduction in editions because Steven Sinofsky, the Microsoft vice president in charge of Windows 7's development, is "a simplicity maven."

Enderle, who hammered Microsoft's version strategy with Vista -- especially its decision to release Vista Home Basic -- has a more quixotic hope.

"I think there should be one version of Windows which allows the OEMs [PC makers] more flexibility with regard to creating unique user experiences without breaking compatibility, and restores the ability of users to drive OS upgrades in the companies where they work," Enderle said in an e-mail.

"I'm not aware of another instance where a user-focused technology is specifically altered so a user can't bring it into their workplace

Microsoft delivers Vista SP2 RC to testers, reports say

But some users say Vista irrelevant with Windows 7 coming

Microsoft Corp. has delivered a preliminary release candidate for Windows Vista Service Pack 2 (SP2) to testers and is again on track to offer another public preview next month, according to several reports on the Web.

Just last week, a Malaysian Web site, TechARP, claimed that Vista SP2 had been pushed back a month. Yesterday, however, TechARP, which has accurately predicted Windows delivery dates in the past, revised its estimate, saying that Microsoft had "brought forward their release schedule" and would be issuing an "escrow" build no later than Friday.

Yesterday, reports surfaced that testers had been told by Microsoft that the escrow build of Vista SP2's release candidate was available for downloading. ZDNet blogger Mary-Jo Foley, for example, cited a section of the e-mail notification, which told testers that the company was not interested in feature feedback, but only reports on "SP2 regressions and confirmation of fixes we've made."

An "escrow" build is a version on which development has stopped but that is handed to developers and testers, who are asked to shake out the code one final time to make sure there are no show-stopping bugs.

TechARP's revised timetable claims that Microsoft will deliver a full-fledged release candidate to the public during the week of Feb. 16-20, not in March as the site said last week. That will be followed by a release-to-manufacturing (RTM) build sometime in the first half of the second calendar quarter -- in other words, before mid-May.

Previously, TechARP had said Vista SP2 would reach RTM -- a milestone at which the service pack is officially finished, and sent to computer makers and duplicators for retail copies -- as late as June.

Vista SP2 will be released for download from the Web at an undetermined date after Microsoft slaps the RTM label on the service pack. In the past, Microsoft has waited to post service packs anywhere from just two weeks after RTM to more than six weeks after.

But with the recent appearance of the first public beta of Windows 7, the follow-up to Vista, already in users' hands, some have dismissed Vista SP2 as irrelevant.

"Who cares now with Windows 7?" asked a user identified as Luis Mazza on a message thread discussing Vista SP2 at the Windows enthusiast Web site, Neowin.net.

"I could care less as I just got rid of Vista and I'm now only running 7 beta," added "smooth3006" on the same thread.

One analyst, however, disagreed.

"Service packs always matter," said Michael Cherry, an analyst at Directions on Microsoft, a research firm. "Because service packs make it more efficient to update PCs, they increase the chances that people do deploy fixes and patches."

Microsoft has previously declined to comment on TechARP's Vista SP2 schedule, and has instead reiterated its general timetable for delivering Windows Vista SP2 sometime in the second quarter of 2009.


Tuesday, January 27, 2009

Second mass hack exposed

Hot on the heels of a recent hack in which 10,000 sites were compromised, researchers have disclosed a new large-scale attack.

Researchers at McAfee estimated that the attack has been active for roughly one week, and in that time frame has managed to place itself on roughly 200,000 web pages.

Most of the infected pages are running the phpBB forum software, said McAfee. The compromised pages are embedded with a JavaScript file that links to the site hosting the attack.


Rather than attempt to exploit browser vulnerabilities, the attack attempts to trick a user into manually launching its malicious payload.

"This contrasts [Thursday’s] attack in that the vast majority of those were active server pages (.ASP)," explained McAfee researcher Craig Schmugar on a company blog posting.

"The ASP attacks are different than the phpBB ones in that the payload and method are quite different. Various exploits are used in the ASP attacks, where the phpBB ones rely on social engineering."

The infected pages bring up what appears to be a pornographic web site. Upon loading the page, a 'fake codec' social engineering attack is attempted. The user is told that in order to view the movie on the page, a special video codec must be installed.

The user then downloads a trojan program, which installs a malware package on the user's system and then delivers a fraudulent error message telling the user that the supposed codec could not be installed.

Copyright © 2008 vnunet.com



Attachment spam – the latest trend

Spammers using common file formats as attachments for pump-and-dump scams

This white paper explains what makes spam such an unbearable problem and how spamming tactics are evolving daily to beat anti-spam software. In the space of two months, spammers have switched from image spam to using PDF, Excel and ZIP file attachments. By using these attachments to send images instead of embedding them in the body of the email message, spammers have taken the cat-and-mouse game with anti-spam software developers to a new level.

At one point or another – like the majority of computer users – you have received emails that promise business deals worth millions of pounds, that try to sell products to improve your appearance or that try to convince you that it's worth investing your money in a particular company or stock. Dealing with spam (unsolicited email that is not targeted at specific individuals) is one problem that all email users share in common. Research shows that between 65% and 90% of all email received is considered spam.
On an individual user basis, spam is annoying; it is a waste of time and often contains spyware, malware and even pornography. On a company-wide basis, the same threats apply; however, there is also the financial cost to manage spam that must be taken into consideration.

The evolution of spam

Until a while ago, spam was the domain of text- or html-based emails. For anonymous delivery, these messages traditionally relied on abusing open SMTP relays. When open SMTP relays became less common, spammers switched to proxy servers, dial-up services and more recently, hijacked computers. Spammers designed personalized template emails to deliver their messages and then made use of bulk mailing software for distribution.
To block spam, email service providers and companies often relied on keyword 'detection', and drew up a list of keywords that commonly appeared in most of the spam email. This list would often include keywords such as 'viagra' or 'bank'. However, this method often blocked genuine email, and adding more keywords simply resulted in more false positives, which in turn blocked legitimate email. But spammers became smarter too, and they addressed keyword blocking by replacing keywords such as 'viagra' with 'v1agra'.
Another attempt at blocking spam includes making use of blacklists that contain a list of IP addresses of known spammers or compromised hosts. However, these lists have to be constantly updated because spammers have learnt to counteract this by rapidly changing the origin of spam.
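The keyword-detection trade-off described above, as an added example that is not part of the white paper: an exact-match keyword filter next to one that folds look-alike characters before matching. The keyword list, the look-alike table and the sample messages are constructed for illustration.

```python
import re
import unicodedata

# Keyword list of the kind the text describes (constructed for this example).
KEYWORDS = {"viagra", "bank"}

# Look-alike characters folded back to letters before matching (assumed set).
LOOKALIKES = str.maketrans({
    "1": "i", "!": "i", "|": "i", "0": "o", "3": "e",
    "4": "a", "@": "a", "5": "s", "$": "s", "7": "t",
})

# Punctuation that normally ends a word rather than replacing a letter.
EDGE_PUNCT = ".,;:!?\"'()"


def naive_hits(text):
    """Exact, case-insensitive keyword matching on alphabetic words."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    return sorted(words & KEYWORDS)


def normalize(token):
    """Reduce one whitespace-delimited token to bare letters."""
    token = token.lower().strip(EDGE_PUNCT)
    # Decompose accented letters and drop the combining marks.
    token = unicodedata.normalize("NFKD", token)
    token = "".join(c for c in token if not unicodedata.combining(c))
    # Fold digit/symbol look-alikes, then drop separators such as v.i.a.g.r.a
    token = token.translate(LOOKALIKES)
    return re.sub(r"[^a-z]", "", token)


def normalized_hits(text):
    """Keyword matching after look-alike folding."""
    tokens = {normalize(t) for t in text.split()}
    return sorted(tokens & KEYWORDS)


# Constructed sample messages: (text, is_spam)
SAMPLES = [
    ("Cheap viagra, no prescription needed", True),
    ("Cheap V1AGRA, no prescription needed", True),
    ("Buy v.i.a.g.r.a today", True),
    ("Your bank statement for March is attached.", False),
    ("Meeting moved to 3pm, agenda attached", False),
]


def evaluate(matcher):
    """Count spam that slipped through and legitimate mail that was blocked."""
    missed = sum(1 for text, spam in SAMPLES if spam and not matcher(text))
    blocked = sum(1 for text, spam in SAMPLES if not spam and matcher(text))
    return {"missed_spam": missed, "blocked_legit": blocked}


if __name__ == "__main__":
    for name, matcher in (("naive", naive_hits), ("normalized", normalized_hits)):
        print(name, evaluate(matcher))
    for text, _ in SAMPLES:
        print(f"{text!r}: naive={naive_hits(text)} normalized={normalized_hits(text)}")
```

Folding recovers the obfuscated spellings, but the legitimate message that mentions a bank is still blocked: normalization addresses evasion, not the false positives inherent in keyword lists.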

New trends: Dynamic Zombie botnets

Botnets can be defined as networks of compromised computers which can be controlled by a single master. The number of nodes (also known as zombies) of these botnets can run into millions and these machines make use of different software vulnerabilities to gain full access to the infected hosts and add it to their existing array of zombies. Computer hackers had long been using botnets to launch DoS (denial of service) attacks and distribute network hacking attacks. Computer criminals had also been using botnets for money-making schemes, such as stealing credit card information and scamming pay-per-click advertising companies.
Seeing huge potential in botnets, spammers started financing hackers to make use of zombie machines. Hackers were able to offer services such as renting of botnets for a few minutes or hours and collections of email recipients (spam lists). The anti-virus industry noticed correlations between the spam industry and botnets. Not only were malware writers allowing spammers to make use of their creations, but they were writing malicious code to specifically suit their needs. An unholy alliance had been created.

Image spam

By early 2006, most anti-spam vendors had added Bayesian filtering to their arsenal of spam blocking methods. The fight between spam and anti-spam looked like it was taking a positive turn. However, by the end of 2006, the nature of spam had totally shifted. Whereas spam had been mainly text based, this time spam started looking more graphic in nature. Spammers began making use of images to bypass text-based content filtering, simply by no longer using any text content. By making use of image spam, spammers were attacking the defenses of most anti-spam solutions; while the images displayed text messages to the end-users, the anti-spam software was only able to see pixels.
Some email anti-spam solutions decided to go with OCR (Optical Character Recognition) to turn the images into text that the software could then use. However, spammers took their images to the next level. In an approach usually applied to CAPTCHA (an anti-spam solution that is used on web forums), they started fuzzing (including noise and distortions) images to make it even harder for the machine to recognize text. Although it is possible for the machine to read this text, the process is very CPU intensive – especially when it is handling multitudes of images every few seconds. Read the full article: Attachment Spam – the latest trend

Hackers exploit Obama site to spread malware

My.BarackObama.com still serving up Trojan a week after being notified, says Websense

A social networking site operated by the 2008 Barack Obama presidential campaign is serving up malware to unwary visitors a full week after the tactic was reported, a security researcher said today.

My.BarackObama.com, still active after the inauguration last week of President Obama, is being used by hackers trying to dupe users into downloading a Trojan horse, said Dan Hubbard, vice president of security research at Websense Inc.

My.BarackObama.com provides tools that enable visitors to join groups of Obama supporters, raise funds and create a personal blog hosted on the site. The criminals have set up bogus accounts and used them to create blogs. When a user reaches one of the fake blogs, a YouTube-like video window is displayed; clicking on that video frame takes the user to a malicious Web site packed with pornography.

If the user clicks to view the porn, a message pops up claiming a video codec must be downloaded and installed. The executable file is no codec, but rather a Trojan horse that hijacks the PC.

"The group behind this is one of those that's infecting people with fake antivirus software," said Hubbard, referring to so-called scareware programs that pose as security software but are actually useless. Until the victim pays for the worthless program -- prices range between $40 and $50 -- he or she is deluged with fake pop-up warnings.

The cybercrooks don't just try to grab people browsing through My.BarackObama.com, Hubbard added; rather, they are actively polluting search engines with the URLs of their bogus blog accounts in an attempt to take advantage of My.BarackObama.com's reputation and popularity.

Although Websense first uncovered the phony blogs a week ago, it has had no luck reaching someone responsible for the My.BarackObama.com site. "We've been constantly trying to reach them, and tried every possible angle, from e-mail to the site itself to the phone, but we haven't heard back," said Hubbard. "Obviously, they've been fairly busy."

Multiple bogus blogs on the site are still serving the Trojan, Hubbard confirmed today.

A call Monday by Computerworld to the contact phone number listed in the site's terms of service was not returned.

This is not the first time Obama's name has been used to spread malicious code. The weekend before his inauguration, sites claiming that Obama would refuse to take office infected users with the Waledec bot Trojan; last November, the day after Obama won the U.S. presidential election, hackers launched a major malware campaign based on a site that claimed to have final vote tallies.



Test Center: How secure is Google Chrome?

Google's shiny new open source Web browser is a frustrating blend of excellent security model, questionable decisions, and a dearth of critical security controls.

Google Chrome was built from the ground up to be a more secure Web browser, and Google and its Chromium developers should be applauded for the attention they have brought to browser security. Google deserves much credit for the wealth of security information posted on the Internet and on the Google Chrome blog, and for making Chrome's source code available for anyone to examine.

The security model Chrome follows is excellent. Chrome separates the main browser program, called the browser kernel, from the rendering processes, which are based upon the open source WebKit engine, also used by Apple's Safari. The browser kernel starts with all privileges removed, the null SID (a security identifier in Windows Vista that denotes the user as untrusted), and multiple "restrict" and "deny" SIDs enabled. On Windows Vista, Chrome runs as a medium-integrity process.

Every Web site is given its own separate rendering process, memory space, global data structures, access token, tab, URL bar, desktop, and so forth. Currently, Chrome will open as many as 20 separate processes, one for each Web site, and start sharing processes between Web sites after that. Rendering processes are highly restricted as to what they can and can't do. On Windows Vista, Chrome's rendering processes run with low integrity, much like Internet Explorer in Protected Mode. But Chrome actually uses Vista's mandatory integrity controls more securely than Microsoft does. For one, Chrome attempts to prevent low-integrity browser processes from reading high-integrity resources, which is not normally prevented. (By default, Vista prevents lower to higher modifications, but not reads.)

Both the browser kernel and rendering processes run with DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) enabled, and with virtualization disabled. Any supplementary browser add-ons are run in a separate, medium-integrity (or higher-integrity) process. This screen image shows the various browser processes and their security settings, as enumerated by Process Explorer on Windows Vista. Chrome even has its own Task Manager and internal page to show memory and CPU statistics. With respect to the base security model, Chrome is leading the pack. It's beautiful.

Interesting innovations

A slightly questionable choice is Google's decision to allow Chrome to be installed without requiring Administrator-level access. This can make Chrome installs difficult to manage in an enterprise environment, but Microsoft is encouraging this sort of behavior in all vendors (to prevent Windows system modifications). Chrome is just one of the first major apps to follow Microsoft's advice.

Chrome also installs the Googleupdate.exe application, scheduled to run automatically in Windows Vista Task Scheduler, which frequently dials home (although only when the user is logged on and the computer is idle) and checks for browser (and other Google application) updates, and silently installs them. This is a great way to keep the browser up to date (patches are currently applied more frequently than once a week), but it riles many security administrators because there is no notification of the outward-bound search, no notification of pending patches, and no approval requested for patches to be applied; plus, this behavior cannot be easily changed.

Another interesting concept is Chrome's virtual JavaScript machine, called V8. Google's Chromium team built its own virtual environment for all JavaScript execution. V8 even converts JavaScript code into native machine language (to speed up Web-page loading) and has its own memory garbage-collection processes, source-code inspector, and debugger. V8 significantly limits what can be accomplished by JavaScript against the user's system, including preventing the normal JavaScript pop-ups. In testing, Chrome did pretty well against pop-up ads but suffered from UI problems and slowness on some of the JavaScript modal tests.

Chrome has many standard security features, including a browser-session privacy mode (called Incognito); anti-phishing capability (called Google Chrome's Safe Browsing); one-button setting resets; forced file saves before launching; moniker handling (which helps thwart attempts to fool the browser into launching helper applications that can be exploited); and MIME content-type sniffing (which helps thwart attempts to fool the browser into downloading malicious content). Chrome actually has many more security features that I could go on about; so far, so good.

Questionable controls

But then reality hits hard. One of the most glaring lapses is the inability to disable JavaScript. Because JavaScript is involved with most malicious Web attacks, all of Google's competitors allow its use to be disabled globally, or per site or per zone (albeit Firefox requires a third-party add-on, NoScript, to be site-specific). The world has yet to create a virtual machine that was not able to be breached, so despite all the cleverness that went into V8, I cannot understand how Google committed such an oversight, even if the company is trying to promote JavaScript-enriched applications and sites. If a large JavaScript exploit happens against Chrome -- or rather, when it happens -- the only recommendation Google will be able to offer, it seems, is to stop using it.

Most user-selectable security settings are under an option tab called Under the Hood. It's when you first go here that you realize how little Chrome offers in the way of fine-grained security settings. The options are very sparse and often lack a secure default. For example, all cookie types (both first- and third-party) are allowed by default. This isn't surprising for a company that makes its living from ads. But even the third-party-cookie restricted mode allows the reading of any third-party cookie, which is almost as bad as allowing modifications. In another example of a poor default, HTTP data is allowed to commingle with HTTPS data in the same view, without warning to the user.

Another critical security feature that's missing is the ability to place different Web sites into separate security zones or domains. Most browsers provide at least two zones (Internet Explorer has five) or the binary ability to whitelist or blacklist sites. Enterprise management features are also glaringly absent from Chrome. SSL/TLS (Secure Sockets Layer/Transport Layer Security) server revocation checking is enabled by default, but Chrome does not support the more efficient OCSP (Online Certificate Status Protocol) revocation-checking protocol, though all of its competitors do.

Google has also washed its hands of responsibility for the security of add-ons. Reviewers are very mixed on this approach. While it is true that browser vendors should not be ultimately held responsible for others' add-ons and applications, Chrome offers no add-on management. You cannot easily determine which add-ons will render particular content, nor easily disable them.

Many users are perturbed by the treatment of their own saved passwords. Chrome allows the current user to reveal the saved log-on names and passwords in plaintext with a few clicks of the mouse. This is convenient for the user -- and for anyone else who wants to learn all of the user's passwords and finds the computer left unattended for a few seconds. Internet Explorer doesn't allow this at all, and Firefox and Opera at least have the ability to assign another password to protect the saved passwords. On the Password Manager Evaluator testing Web site, Chrome scored the worst among all of the browsers I've tested (including Firefox, Internet Explorer, Opera, and Safari), passing only 4 of 21 tests.

Bugaboos
Chrome has a very limited feature set and relatively moderate complexity. This might help it avoid some security issues in the long run, but so far it hasn't. Chrome has had 10 exploits in the five months it has been released (you can search on keyword Chrome at milw0rm.com to see the individual exploits). They have been patched. Most were simple denial-of-service exploits, but at least one allowed complete system compromise and another allowed malicious redirection.

On a good note, Chrome passed all of the browser security tests I threw at it and prevented the automatic installation of any malware. These tests included dozens of predefined tests made in the lab and several browser-security tests on the Web (including scanit and Jason's Toolbox). I sniffed traffic looking for information leaks, tested the browser's handling of XSS (cross-site scripting), tested privacy features, confirmed digital certificate handling, and surfed to more than one hundred malicious Web sites. With less than 2 percent market share, Chrome isn't yet the popular target of hackers. That gives its users additional insulation compared with its competitors.

One key feature simply doesn't work as promised. Google repeatedly makes the claim that Chrome's rendering-process isolation prevents one browser session from bringing down another or affecting the whole browser. Yet, vulnerability after vulnerability has proven that Chrome's process separation isn't nearly as perfect as it sounds on paper. Malicious Web pages of all kinds have caused DoS problems, lockups, and complete system failure. I and every other Chrome user I know have experienced complete browser lockups while browsing ordinary, legitimate Web pages.

Far more indicative of systematic problems is that the initial vulnerabilities found in Chrome were very simple, well-known exploits. Initially, Google shipped its beta with a known vulnerable version of the WebKit engine, for which a patch had been issued months before. I realize it was only beta code, but how embarrassing. The buffer overflow attacks that were soon discovered were often simple string overflows, a vulnerability that any normal security code review or fuzzing tool should have found. Most of the other vulnerabilities were flaws that had been widely reported in other browsers and should not have been present in Google's first try. Google should have known better.

This is the security paradox of Chrome. It begins with a beautiful idea and an excellent security model but then compromises the vision with questionable decisions, a dearth of granular security controls, and the obvious failure to perform a serious code review. This may be Google's first version of its first browser, but it has more experience with browsers and malicious content than any of its competitors. Why introduce yet another new Web browser and not blow away the competition?

Chrome's excellent security model and newness give it a chance to quickly improve in areas where other vendors must tread more slowly because of backward-compatibility issues. The real challenge is that the bigger flaws are human- and process-oriented, and cannot be solved with fast patching. They are systematic and will require a serious paradigm shift within Google to achieve.




A Mac user's take on the Windows 7 UI

Microsoft tried to reinvent the desktop OS interface with Vista, to little fanfare. Does Windows 7 turn its UI around?
After I installed Windows Vista in November 2006, I was perplexed. Why was it suddenly so much harder for me to use my computer? I knew XP cold, and I could use it without thinking. But with Vista, I felt a little lost and began to notice the extra work required to perform tasks that had become second nature. By hiding various features in an attempt to simplify Vista's interface, Microsoft was in fact adding overhead to my Vista transition, forcing me to learn a new UI.

Like many, I just couldn't see how Vista's "new look" benefited the Windows experience. I became further entrenched in my belief that Microsoft's ongoing divergence from the well-established menu approach pioneered by Apple is fundamentally wrong.

Microsoft Office -- and to a lesser extent Internet Explorer -- went nuts in this direction, relying on buttons, variable menus, and right-clicking for almost everything. These UIs made Vista's user interface appear intuitive by comparison, yet they also hinted at further UI confusion to come. It was as if Microsoft's strategy for UI design was to leave its customers at a loss for where to start or what to do next. Not surprisingly, users have rejected Microsoft's latest offerings in amazing numbers.

Me, I took the easy route: I switched to a Mac and have been happy ever since. Tiger, the Mac OS X version available at that time, proved robust, offering a modern yet familiar UI. The current Mac OS X Leopard is even better. But here comes Windows 7, seeking to breathe life back into Windows where Vista had stumbled. Less than a year from being released, Windows 7 aims to fix the many Vista flaws, including its UI. I decided to test-drive the Windows 7 beta to see whether Microsoft had redressed its UI sins.

The bottom line: Nothing in Windows 7 will tempt a Mac user back to the PC. There are some cool, useful enhancements, but overall, the UI remains largely unchanged. In other words, those who upgrade from XP to Windows 7 will still have to relearn Windows.

A caveat: Windows 7 is in beta stage, so it's not complete. Who knows what Microsoft will change before it ships sometime in the next year?

Where Mac OS X beats the Windows 7 UI
Finder toolbar and search: Known for delighting its users, Mac OS X offers extras that you grow to love the more you use them. Take the Finder toolbar, which you can customize to burn contents to disc, for example, or to get a quick look at an item's contents. File search in Mac OS X is much more sophisticated and easier to use than it is in Windows, allowing you to search and sort by practically any criteria in a simple window UI. Windows 7, for its part, offers very limited per-search controls; you can use them only before you start a search. By comparison, you can easily add and refine search criteria at any time on the Mac, refining your results live as you do so. Plus, Mac OS X's special folder views -- columns and the CoverFlow image browser pioneered in iTunes -- make it much easier to navigate large file stores and image sets, respectively.

Default desktop configuration: Microsoft clearly loves the blank slate, leaving its default desktop configuration for Windows clear except for the Recycle Bin. That's another reason I prefer the Mac: My hard drive is always in the Finder, giving me quick access when I need it. Sure, you can create an alias on the Windows desktop, but why require that step or the need to go through several mouse clicks in the Start menu? People access their files and folders frequently, so why bury them? Take a tip from XP and give your users the choice of removing default items on the desktop rather than burying them from the get-go, a philosophy Windows 7 carries over from Vista, unfortunately.

Control panels: Like Vista, Windows 7 insists on putting controls every which way. Say you right-click the desktop to change display settings. In XP, you get the settings in one window, with tabs to switch among them (the Mac has two system preferences, each with tabs, to switch between). In Windows 7, you get a window that has three sets of option lists, many of which open their own window. Soon your screen is littered with windows, each of which does one small piece of the customization task you wanted.

And I still wish Microsoft would get rid of its "friendly" view of control panels, which ask you to guess what Microsoft was thinking in terms of how it grouped its panels. Even if you know where each control panel could be found, the approach adds a second step to get to them. (As with Vista, you can switch to XP's more sensible "Classic" view.)

By contrast, the Mac system preference layout is better designed. It's easier to move among the panels, thanks to navigation controls and a menu that shows all available preference panels for quick access.

Hardware-dependent feature display: Speaking of control panels and system preferences, Windows 7 includes BitLocker encryption capabilities that you set up with a control panel, but only after you turn on this feature will Windows tell you that your PC doesn't have the required TPM module. I much prefer Apple's approach: System preferences that are hardware-dependent appear only if that hardware is installed, and system preferences typically don't show options your Mac doesn't support.

Taskbar preview: Windows 7 is slated to add a preview feature to the taskbar: If you hover over a running app, you're supposed to get a preview of what it is doing (the feature isn't working in my Windows 7 beta) -- a great idea that the Mac has had for years. All open windows display in the Mac's Dock with a preview of their contents. Also, the Mac Dock shows both apps and content windows, while the Windows 7 taskbar shows just running apps, which is why adding pop-up previews to those taskbar apps is so useful for PC users. Plus, the Mac's previews are always visible, while the Windows 7 preview disappears as soon as you stop hovering over the selected application's icon.

System utilities: Apple's system utilities are night and day ahead of Microsoft's. Some examples: The Startup Disk utility lets you boot off any drive easily; try that with Windows. The Sharing system preference makes it much easier to control your Mac's security than Windows' tools do; plus, you get more control in one place with Mac OS X. (And the Secure Delete feature is an easy way to secure deleted files when you empty the trash -- another feature Windows doesn't offer.) The Time Machine software is an incredibly easy, powerful backup utility bundled with the OS that makes Windows 7's look like a holdout from the DOS era. Backup is automatic, sure. But recovery is where Time Machine really shines; just zoom to a past state and select it to go back to that point. If you're in an application, you can restore just that application's state, so changes elsewhere aren’t also rolled back.

You see the same sophistication in the other system utilities. The Address Book, iCal, and Mail apps are well-integrated, and your system information -- even your log-in photo, if you take one -- is automatically synced across all of these.

Stability: A big reason I moved to the Mac was OS stability, which admittedly is more about user experience than user interface. The Mac OS rarely crashes, and it recovers much better when apps freeze. You can even restart the Finder without taking down the OS. My experience is that Windows not only crashes more often, but it also more often needs a full reboot. I can’t tell whether Windows 7 is more stable than Vista yet, as stability only reveals itself over time. The Mac, however, doesn't offer the same registry madness that Windows does, so it seems to resist corruption better.

Gadget sidebar: My favorite aspect of the Windows 7 UI is in fact a carryover from Vista: its gadget sidebar. With Windows 7, however, the sidebar is no longer displayed automatically. As such, your desktop is no longer partly obscured by "gadget" utilities that, quite frankly, you won't use often. Instead, you can toggle the gadget sidebar when you want it -- just as you can with Mac OS X. And you can drag them out of the sidebar and let them free-float where you want. The big difference is that Mac OS X's sidebar equivalent covers your entire desktop, rendering everything else inaccessible, and the individual gadgets can't be pulled out of that covers-everything sidebar. The Windows 7 approach to gadgets shows the kind of elegance and simplicity that Microsoft needs to do more often.

Network and Sharing Center: Windows 7's new Network and Sharing Center provides a worthwhile visual cue as to your network's setup. It also includes straightforward setup tools to diagnose the network and switch location-specific configurations. Although it is easier to actually connect to other Mac users in Mac OS X than it is to connect to other PC users in Windows, the latter provides a better overall picture of your network state than the Mac OS does.

Window resizing: Another plus for Microsoft, Windows has long let users resize application and other windows by dragging any side. Mac OS X still forces you to use the lower-right corner, which the Dock sometimes obscures.

Dialog box actions: Although this breaks with Apple's purist mentality, I've always liked the fact that in Windows when I'm using an Open or Save dialog box I can rename or otherwise manipulate files and folders through that dialog box, without having to close the box and switch to Finder. Yes, I know that breaks the architectural line between applications and the OS, but it makes life easier. And, yes, I know you can usually create folders from apps' Save As dialog boxes on the Mac, but that's not enough.

Uninstall: The one big deficit in the Mac OS is its lack of a central way to uninstall applications and their support files. Although the Windows uninstall doesn't always clean up everything, the Mac provides no facility for finding and removing these stray files. They don’t seem to do harm, but why leave them around?

Where Mac OS X and Windows 7 even out
Security warnings -- or lack thereof: Windows 7 reduces the UAC security nagging of Vista, putting it on par with XP and Mac OS X. I really noticed the difference, so I rarely canceled an action I wanted because of incessant, confusing security warnings -- a frequent problem in Vista.

Taskbar vs. Dock: Windows 7's taskbar works more like the Mac OS X dock, making the "pinned" (docked) applications more visible than the XP/Vista taskbar's quick-launch icons. Plus, they animate when opening, copying a concept from the Mac OS Dock. (In what I assume was a beta bug, the taskbar's pinned icons appeared only after I dragged an application onto the taskbar to pin it there; using the Pin to Taskbar contextual menu didn't toggle on their display in the taskbar.) Beyond the strictly visual design, the biggest difference between the Windows 7 taskbar and the Mac OS X dock is that you can add status controls, such as checking on available networks, to the taskbar. In Mac OS X, such controls reside in the taskbar at the edge of the application bar, not in the Dock. Either way, you get quick access to essentially the same things. And the stacks capability for displaying folder contents in the Mac OS X Dock is more customizable in terms of its display than Windows' equivalent.

File and folder navigation: The file-and-folder approach to navigating storage media is essentially the same in Mac OS and Windows, and both Mac OS X and Windows 7 (like Vista) let you put your favorite directories into the easy-access lists in the folder windows, as well as offer quick-look file previews. I've always liked Mac OS' ability to let you color folders, as a visual mnemonic; Windows can't do this, but a lot of Mac users don’t use it, either.

Overall, Windows 7 does not yet present a clear step away from Vista in terms of user experience. There are some nice UI enhancements, but nothing to undo the learning curve necessary to transition from XP. Then again, at least it hasn't gotten worse -- a real possibility given what Microsoft has done to Internet Explorer and Office.


Friday, January 23, 2009

Trojan hides in pirated copies of Apple's iWork '09

Malware hitchhikes on iWork installer, hijacks Macs, says security firm
Pirated copies of Apple Inc.'s new iWork '09 application suite that are now available on file-sharing sites contain a Trojan horse that hijacks Macs and leaves them open to further attack, a security company said yesterday.

The "iServices.a" Trojan hitchhikes on iWork '09's installer, said Intego, an Austin-based company that specializes in Mac security software. "The installer for the Trojan horse is launched as soon as a user begins the installation of iWork, following the installer's request of an administrator password," Intego said in a warning published Wednesday.

Once installed, the Trojan "phones home" to a malicious server to notify the hacker that the Mac has been compromised, and to await instructions. Intego did not spell out what second-stage actions the iServices.a Trojan takes but noted that they could include delivering additional malware to the hijacked machine.

Intego said that iWork '09 download traffic on file-sharing sites has been brisk, claiming that as of early Wednesday, 20,000 copies had been downloaded. "The risk of infection is serious, and users may face extremely serious consequences if their Macs are accessible to malicious users," the company's alert continued.

Users on Pirate Bay, a popular BitTorrent tracking site, confirmed that copies of iWork '09 harbored the Trojan. "I can confirm that this contains a iServices trojan," said a user identified as "Aklacat" in a comment appended to one iWork '09 listing on Pirate Bay. "Little Snitch also confirms this," said Aklacat, referring to a Mac-only personal firewall.

According to the dates assigned to Pirate Bay's iWork '09 BitTorrents, most copies were posted before Apple announced it had dropped a form of copy protection from retail copies of the suite. On Monday, Apple said that it was not including serial numbers with iWork '09, an antipiracy measure it had used to keep customers from copying earlier versions of the bundle.

Apple unveiled iWork '09 at Macworld Conference & Expo on Jan. 6 when it touted changes and additions to Pages, the suite's word processor, and Numbers, its spreadsheet application.

IWork '09 retails for $79. Apple also offers a free 30-day trial version that does require a serial number -- delivered via e-mail at the time of payment -- in order to run as a fully functional version.

Mac-only malware is such a relative rarity that Apple has publicly mocked Microsoft Corp. about the number of worms, viruses and Trojans that take aim at the Windows operating system. Late last year, in fact, when Apple revised an online recommendation that Mac users consider running antivirus software, the move drew lots of attention.



The Big Windows 7 Problem: XP Holdouts

Microsoft hopes that the release of Windows 7 will solve problems ranging from desktop clutter to what Vista did to Microsoft's public reputation. But the toughest challenge may be to win over the group of people that arguably represent the software giant's biggest obstacle to success: Windows XP users.

The Windows 7 pitch, to date, takes direct aim at Vista's reputation as a bloated resource hog. As developers and members of the general public begin to tinker with the Windows 7 public beta, Microsoft is framing it as a lean and lithe OS, with the flexibility to run on all types of computers, from netbooks to high-end gaming laptops.

The new and streamlined user interface features of Windows 7 are well-documented at this point. A cleaned-up taskbar, the sleek Aero Peek GUI, mouse-hover Jump Lists and multi-touch capability have generated interest from users whose Windows desktops have been cluttered for too long.

Quicker, easier, more organized. Those were the buzzwords about Windows 7 features that Parri Munsell, Microsoft's Director of Consumer Product Management for Windows, used repeatedly in a recent interview from CES (Consumer Electronics Show) in Las Vegas.

"Our goal was to make the UI in Windows 7 much easier to navigate. We'll let the beta speak for itself but we have a high degree of optimism in it," Munsell says.

As for the fastest-growing segment of the PC market, netbooks, Munsell says that Microsoft has made it a priority to run Windows 7 on small form-factor notebooks.

"Windows 7 has been optimized and engineered to work with anything: from the smallest netbook to the most loaded laptop or desktop," he says.

A lot is expected of Windows 7, but can it do what at times has seemed impossible -- win back the trust of XP users who have shunned Vista?

The software giant has stated outright that Windows 7 will not make significant architectural changes from Vista and will run most if not all the applications that run on Vista.

Yet just 21 percent of Windows users currently run Vista, according to Web metrics company Net Applications. Most Windows users (65 percent) still run XP; they like it and they are wary of the compatibility issues that have plagued Vista.

It's All About the Third-Party Apps

That wariness is not without cause, analysts say. Even though Microsoft is trying to use Windows 7 to move XP customers forward, it's still a Vista-like operating system and will have the same compatibility problems that are part of any OS upgrade, says Al Gillen, Research Vice President, System Software at IDC.

"If you don't run Vista today, Windows 7 will not be a silver bullet," he says. Ultimately, Gillen adds, it's not the operating system that matters as much as having updated third-party applications.

"Whether they are upgrading to Vista or Windows 7, XP users have to make sure third-party applications are compatible," he says.

Microsoft has warned users of the dangers of skipping versions of Windows entirely and has been trying to wean users off Windows XP through downgrade fees. Its success has been limited, however, as the Vista stigma lingers.

Microsoft's Munsell urges XP users to evaluate which third-party applications are important and make sure there is vendor support.

"It is important to avoid a situation where your critical application is no longer supported on Windows XP while not yet supported on Windows 7," Munsell says.

Transition to Windows 7 Easier?

Though the transition from XP to Windows 7 will be complex, it should be simpler than in the early days of Vista, says Michael Cherry, lead analyst with market researcher Directions on Microsoft.

When Windows Vista first shipped, Cherry says, people were not prepared for the application and hardware compatibility problems that came with an OS so different from XP.

"At this point there should be compatible versions of most applications and, when necessary, virtualization can be used to facilitate the upgrade," Cherry says.

"This is not to say that XP apps and drivers will work on Windows 7, but that there are now compatible replacements available, which should make the transition manageable."

If Microsoft wants to move customers forward with Windows 7, it must help XP users bridge the gap as much as possible, Cherry adds.

"Microsoft needs to help XP users determine if their hardware is up to running Windows 7, and which device drivers for their hardware and programs need updating," Cherry says. "It then needs to help people find the updated drivers and software."


British UFO hacker's extradition case to be reviewed

IDG News Service

A British hacker who sought to find evidence of UFOs on U.S. military computers has another chance at avoiding extradition after a court ruling Friday.

The High Court in London ruled that Gary McKinnon can have his case reviewed by the director of public prosecutions for England and Wales, Keir Starmer, according to a statement released by McKinnon's attorney.

McKinnon is seeking to be prosecuted in the U.K. although his extradition order has been approved by the U.K. government. He has managed to avoid extradition so far through a series of legal maneuvers and appeals, all of which have been unsuccessful but held up his transfer to the U.S.



McKinnon was indicted in November 2002 in the U.S. District Court for the Eastern District of Virginia. He faces charges of illegally accessing and damaging U.S. government computers.

The U.S. government alleges his exploits cost at least US$700,000 and caused the shutdown of critical military networks shortly after the Sept. 11, 2001, terrorist attacks. McKinnon could face a sentence of 60 years or more.

Most recently, McKinnon has tried to garner support for the argument that, for medical reasons, he should be allowed to serve any sentence in the U.K. if he is extradited and sentenced. Now McKinnon is pushing to only be prosecuted in the U.K. due to the stress he would endure from a U.S. trial.

He has been diagnosed with Asperger Syndrome, which is a neurological disorder characterized by obsessive behavior and deficiencies in social interaction.

McKinnon has admitted to hacking the computers and described how he did it in detail at computer security conferences in London. From his north London home, McKinnon began probing military computers looking for evidence of UFOs.

He used a program called "RemotelyAnywhere" to control U.S. military computers. Many of the computers he accessed were set up with default passwords, which made them easy to access, McKinnon has said.

He timed his hacking when no one was working at the U.S. offices. But on one occasion he miscalculated the time difference. Someone using a computer that McKinnon controlled noticed the cursor moving on its own. The connection was severed, and U.K. police eventually tracked McKinnon down.



Google shuts off antiphishing feature in Firefox 2.0

Mozilla again urges users to upgrade to the newer Firefox 3.0
Google Inc. will turn off the antiphishing service used by Firefox 2.0 today, a Mozilla Corp. executive said Monday.

Although the two most-recent builds of Firefox 2.0, labeled 2.0.0.19 and 2.0.0.20, have omitted the defense, earlier editions of the browser were still able to query Google for a list of sites suspected of hosting identity theft scams. But Google is now shutting down the blacklist, said Mike Beltzner, director of Firefox.


"If you're using a previous version of Firefox 2, even though the feature is enabled in your browser, as of January 20 no new data will be sent to your computer," Beltzner said in a post to the Mozilla developer center blog Monday.

Mozilla had warned users last month that Firefox 2.0, which was slated to be dropped from support, would soon lack antiphishing protection because Google wanted to discontinue the obsolete blacklist protocol that served the aged browser.

Google and Mozilla had worked together to update the protocol, first to SafeBrowsing v2.1 in late 2007, and then to SafeBrowsing v2.2 last year. In December, Mozilla urged people still running Firefox 2.0 to upgrade to the newer Firefox 3.0, which includes a working antiphishing feature.

Beltzner repeated that advice Monday. "If you're running Firefox 2.0.0.20, you can select 'Check for Updates' in the Help menu to receive an update right now," he said in another blog entry.

Mozilla has made three separate upgrade offers to Firefox 2.0 users since August, the most recent on Jan. 8. In notes published last week, however, Mozilla said that the uptake on the offer had not been "very good."

Users running versions older than Firefox 2.0.0.20 can download Firefox 3.0 from Mozilla's site.

If users can't or do not want to upgrade to Firefox 3.0, Beltzner recommended that they disable the setting "Tell me if the site I'm visiting is a suspected forgery" in the Security preferences section of Firefox 2.0's Options dialog box.



Sunday, January 18, 2009

Google improves password security

Google has unveiled new administration tools designed to improve the use of passwords, in order to boost security for customers using its Google Apps hosted enterprise software offerings.

"Helping businesses, schools and organisations to keep information safe is critical, and we've been providing Google Apps customers with a spectrum of capabilities to help ensure that only authorised users have access to information accessible from the cloud," wrote Eran Feigenbaum, director of security for Google Apps, in a blog post.

"These include Secure Sockets Layer options, single sign-on capabilities, and administrative controls for how widely users can share and publish information from Google Docs, Google Sites and Google Calendar."

Google has also added a new layer of security with administrator controls that allow enterprises to define the length of passwords and analyse their strength.

The company offered a number of password selection tips. "The first step in protecting your online privacy is creating a safe password, i.e. one that a computer program or persistent individual won't easily be able to guess in a short period of time," the advice reads.

"To help you choose a secure password, we've created a feature that lets you know visually how safe your password is as soon as you create it."

One example, which may seem obvious, is "not to use a password listed as an example of how to pick a good password".

The relative strength of a password can be determined automatically in real time as Google's account authentication system constantly analyses password use and attempts to break them.

Copyright © 2008 vnunet.com

'Amazing' worm attack infects 9 million PCs

Biggest infection in years, says Finnish security firm.
Calling the scope of the attack "amazing," security researchers at F-Secure Corp. today said that 6.5 million Windows PCs have been infected by the "Downadup" worm in the last four days, and that nearly 9 million have been compromised in just over two weeks.

Early Friday, the Finnish firm revised its estimate of the number of computers that had fallen victim to the worm, and explained how it came to the figure. "The number of Downadup infections [is] skyrocketing," Toni Koivunen, an F-Secure researcher, said in an entry to the company's Security Lab blog. "From an estimated 2.4 million infected machines to over 8.9 million during the last four days. That's just amazing."

On Tuesday, Koivunen put the number of infected systems at 2.4 million, then updated the estimate Wednesday to 3.5 million, an increase of 1.1 million in just 24 hours.

"We haven't seen outbreaks of this scale in many years," said Mikko Hypponen, chief research officer at F-Secure, in an e-mail reply to questions. "[It] reminds me of the old Loveletter/Melissa/Sasser/Blaster cases size-wise," he added, ticking off some of history's biggest malware attacks.

Downadup -- which also goes by the name "Conficker" -- exploits a bug in the Windows Server service used by Windows 2000, XP, Vista, Server 2003 and Server 2008. Although Microsoft fixed the flaw with one of its rare "out of cycle" updates in late October, about a third of all PCs have not yet been patched, according to Qualys Inc., another security company. Those PCs are the ones being hijacked by the worm.

In his Friday blog post, F-Secure's Koivunen also provided some background on the company's estimate, in part because some people had expressed disbelief in the number. According to Koivunen, F-Secure came to its 8.9 million-machine estimate by spying on the worm's communication with hacker-controlled servers.

Once it's gotten onto a PC, Downadup generates a list of possible domains, selects one, then uses that URL to reach a malicious server from which it downloads additional malware to install on the hijacked computer. F-Secure, however, has registered some of those domains, and has been able to monitor traffic through those URLs.

By examining logs of connection attempts to the domains, F-Secure discovered several hundred thousand different IP addresses -- over 350,000 as of today -- as well as a counter embedded in each that spells out the number of additional PCs that the infected machine has compromised.

"So this number tells us how many other computers this machine has exploited since it was last restarted," explained Koivunen. A sample log provided by F-Secure showed 12 Downadup-infected PCs, which collectively had infected 186 additional systems. Just one of the originally infected computers successfully attacked 116 other machines.

"We wrote a program that parses the logs, extracting the highest value for the IP/User-Agent pairs ... then added together to get our figures," said Koivunen. "As you can see now, they are very conservative."
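The tallying method Koivunen describes, sketched as an added example that is not F-Secure's program. The log layout and the `n=` counter parameter are assumptions, because the article does not give the real format, and the sample lines are constructed.

```python
import re

# Constructed sinkhole log. The layout (client IP, quoted request line,
# quoted User-Agent) and the "n=" counter parameter are assumptions; the
# article does not give the real format.
SAMPLE_LOG = """\
192.0.2.10 "GET /search?n=3 HTTP/1.0" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 "GET /search?n=7 HTTP/1.0" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 "GET /search?n=1 HTTP/1.0" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 "GET /search?n=4 HTTP/1.0" "Mozilla/4.0 (compatible; MSIE 7.0)"
198.51.100.5 "GET /search?n=116 HTTP/1.0" "Mozilla/4.0 (compatible; MSIE 7.0)"
198.51.100.5 "GET /search?n=0 HTTP/1.0" "Mozilla/4.0 (compatible; MSIE 7.0)"
203.0.113.77 "GET /search?n=0 HTTP/1.0" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.77 "GET /favicon.ico HTTP/1.0" "Mozilla/5.0"
garbage line without fields
"""

LINE_RE = re.compile(r'^(\S+) "GET (\S+) HTTP/[\d.]+" "([^"]*)"$')
COUNTER_RE = re.compile(r'[?&]n=(\d+)(?:&|$)')


def estimate_infections(log_text):
    """Tally a sinkhole log: highest counter per IP/User-Agent pair, summed."""
    highest = {}   # (ip, user_agent) -> highest counter value seen
    skipped = 0
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        counter = COUNTER_RE.search(line.group(2)) if line else None
        if counter is None:
            skipped += 1   # malformed line, or a request carrying no counter
            continue
        key = (line.group(1), line.group(3))
        # The counter restarts when the machine reboots, so keep only the
        # highest value per pair instead of adding up every report.
        highest[key] = max(highest.get(key, 0), int(counter.group(1)))
    return {
        "unique_ips": len({ip for ip, _ in highest}),
        "reporting_pairs": len(highest),
        "additional_infected": sum(highest.values()),
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    for name, value in estimate_infections(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Taking the maximum per pair undercounts whenever a machine reboots between reports, and machines that share both an address and a User-Agent string collapse into one pair, which is why a figure built this way errs low.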

Earlier this week, the already-high number of Downadup infections prompted Microsoft to add detection for the worm to its Malicious Software Removal Tool (MSRT), the anti-malware utility that the company updates and redistributes each month to Windows machines. Microsoft released the latest edition of the MSRT with anti-Downadup capabilities last Tuesday.

Like other security researchers, those from Microsoft have put some of the blame on users slow to patch their PCs. "Either Security Update MS08-067 was not installed at all or was not installed on all the computers," a pair of security researchers who work at Microsoft said Tuesday.

Microsoft has recommended that Windows users install the emergency update, then run the January edition of the MSRT to scrub the worm from compromised computers.


Friday, January 16, 2009

1 in 3 Windows PCs vulnerable to worm attack

And open-source exploit code made hacker's job easier.

The worm that has infected several million Windows PCs is causing havoc because nearly a third of all systems remain unpatched 80 days after Microsoft Corp. rolled out an emergency fix, a security expert said today.

Based on scans of several hundred thousand customer-owned Windows PCs, Qualys Inc. concluded that about 30% of the machines have not yet been patched with the "out of cycle" fix Microsoft provided Oct. 23 as security update MS08-067.

"The unpatched numbers went down significantly around the 30-day mark," said Wolfgang Kandek, Qualys' chief technology officer, "when less than 50% were unpatched. After that, it went down a little slower. As of yesterday, 30% of the machines are unpatched."

With nearly a third of all Windows systems still vulnerable, it's no surprise that the "Downadup" worm has been able to score such a success, Kandek said. "These slow [corporate] patch cycles are simply not acceptable," he said. "They lead directly to these high-infection rates."

The Downadup worm, called "Conficker" by some researchers, surged dramatically this week and has infected an estimated 3.5 million PCs so far, according to Finnish security company F-Secure Corp. The worm exploits a bug in the Windows Server service used in Windows 2000, XP, Vista, Server 2003 and Server 2008.

Microsoft issued a patch in late October after confirming reports of in-the-wild attacks, most of them against machines in Asia.

On Tuesday, Microsoft laid at least some of the blame for the worm's success at the feet of Windows users. "Either Security Update MS08-067 was not installed at all or was not installed on all the computers," said Cristian Craioveanu and Ziv Mador, researchers at Microsoft's Malware Protection Center, in a Tuesday blog post.

Kandek agreed with them. "This shows that a three-month patch cycle, which some companies use, is unacceptable," he said.

In related news, a researcher at McAfee Inc. today said that the author of Downadup/Conficker worm took a shortcut when crafting the malware by grabbing functional exploit code from Metasploit, the open-source penetration testing framework.

"By using the exploit from the Metasploit module as the code base, a virus/worm programmer only needs to implement functions for automatic downloading and spreading," said Xiao Chen, a McAfee security researcher, in an entry to the company's blog. "We believe that this can be accomplished by an average programmer who understands the basics of exploitation and has decent programming skills.

"It's obvious that worm writers are abusing open-source tools to their advantage to make their work easier," Chen added.

Microsoft has recommended that Windows users install the October update, then run the January edition of the Malicious Software Removal Tool to clean up compromised computers.

"Patch faster," urged Kandek from Qualys.


Intel's net profit drops 90%

Steep loss from investments; one bright spot was Atom chips revenues

(IDG News Service) Intel Corp.'s fourth-quarter profit plunged 90% from a year earlier, as the chip maker battled a worsening economy and recorded a steep loss from investments.

The company recorded net profit of $234 million for the quarter ended Dec. 27, compared to $2.27 billion in the same quarter a year earlier. The net profit also fell short of the $257.22 million consensus expectation from analysts polled by Thomson Reuters.

The results included a loss of $1.1 billion from equity investments and interest. That loss was primarily due to a billion-dollar reduction in the value of Intel's investments in Clearwire, the company said.

The company's fourth-quarter revenue was in line with lowered expectations of $8.2 billion. Fourth-quarter revenue was down 23% year-over-year and 19% sequentially. Revenue from microprocessors and chip sets was lower compared to the third quarter.

The bright spot for Intel this quarter was sales of Atom chips that go into netbooks, small laptops designed for Web surfing and productivity applications. Revenue from Atom microprocessors and chip sets was up 50% sequentially to $300 million.

Intel did not project revenue guidance for the first quarter of 2009, citing "economic uncertainty and limited visibility."

While the economic environment is uncertain, the company is adjusting its business plans to adapt and to build for the future, said Paul Otellini, Intel president and CEO, in a statement. The company is entering new markets and has cut costs by around $3 billion since 2006, he said.

The restructuring yielded $800 million in savings in 2008, Otellini said during a conference call yesterday. The company ended the year with approximately 84,000 employees, down 3% from a year earlier.

"Intel has weathered difficult times in the past, and we know what needs to be done to drive our success moving forward. Our new technologies and new products will help us ignite market growth and thrive when the economy recovers," Otellini said.

The company hopes to ramp up to the 32-nanometer process technology to lower chip-manufacturing costs and increase production. It will then be able to make more chips at lower costs, which should add efficiencies to the production process, said Stacy Smith, Intel's chief financial officer, during the call.

"We are absolutely prioritizing the investment that it takes to get to 32nm process technology ... we are going to get there as fast as we possibly can. That gives us a performance advantage, cost advantage and allows us to get to this higher level of integration that the future markets we want to serve requires," Smith said.

Intel hopes to fit integrated chips made using the new manufacturing process into devices like set-top boxes and TVs, which will create new markets and revenue opportunities, Smith said.

Netbooks emerged as a steady revenue stream for Intel, and the segment is ripe for growth in the tough economic environment, Otellini said. The company established the business and has a good base to grow with, but competition is heating up, he said. New competitors are entering Intel's turf with netbooks that offer unique applications, Otellini said. For example, one netbook is being marketed as a communications device.

"There are already models in Japan, for example, where you get a netbook for 1 yen (1 cent U.S.) if you sign up for a wireless subscription. People will play with those models much like they did in the early days of the cell phone, and it's difficult to figure which of those will stick," Otellini said.

Looking ahead, Intel will also continue to invest in research and development to have a gaggle of new products ready when the recession ends, Otellini said.

The company's new Nehalem microarchitecture is expected to make its way to new products like desktops and notebooks by the second half of the year, Otellini said. The new architecture will offer incremental growth opportunities in new markets and form factors. Intel launched its first Nehalem-based Core i7 chips for high-end gaming desktops in November.


NASA: Gas may be new evidence of life on Mars

Scientists say methane could be coming from rocks or microscopic life.

NASA scientists have discovered that Mars actually is burping gas -- methane to be exact -- which could be one more sign that there's life on the Red Planet.

The space agency announced today that its researchers have found definitive evidence of methane emissions into the Martian atmosphere, which could indicate that the planet is still alive, either biologically or geologically.

"Methane is quickly destroyed in the Martian atmosphere in a variety of ways, so our discovery of substantial plumes of methane in the northern hemisphere of Mars in 2003 indicates some ongoing process is releasing the gas," said Michael Mumma of NASA's Goddard Space Flight Center, in a written statement. "Right now, we don't have enough information to tell if biology or geology -- or both -- is producing the methane on Mars. But it does tell us that the planet is still alive, at least in a geologic sense. It's as if Mars is challenging us, saying, 'Hey, find out what this means.'"

NASA scientists have been putting significant emphasis in recent months into an effort to find evidence of life or at least life-sustaining elements on Mars.

Scientists announced last summer that for thousands or even millions of years, rivers, lakes and deltas coursed across the surface of Mars. The Jet Propulsion Laboratory reported in July that its scientists have concluded that Mars was once awash in water. NASA said the findings are spurring further interest in searching not only for elements that could support life, but also for evidence of past life.

Close-up photos of the planet were sent down to the NASA scientists from the Mars Reconnaissance Orbiter. While the spacecraft has been orbiting the planet, NASA's Phoenix Mars Lander was working on the surface of its northern pole for several months last year, running its own experiments. Late in June, the robotic arm on the Lander found what NASA scientists had been hoping for -- ice -- a key element in supporting life.

Then soon after the ice discovery, NASA scientists announced that they'd found that the Martian soil contained minerals that are essential to supporting life. The dirt was found to be very alkaline, with a pH level of between eight and nine. It also contained magnesium, sodium, potassium and chloride. NASA reported that the minerals in Martian soil are typical of soils here on Earth.

NASA scientists said today that there's now more hope than ever of finding signs of life on Mars.

According to NASA, methane is the main component of natural gas on Earth. It's of interest to astrobiologists because biological organisms release much of Earth's methane as they digest nutrients. But that's not the only way methane is produced. Geological processes, like the oxidation of iron, also release methane, NASA pointed out.

And scientists noted that if microscopic Martian life is producing the methane that's being found in the atmosphere, the organisms most likely live far below the planet's surface, where it's still warm enough for liquid water to exist. Liquid water, as well as energy sources and a supply of carbon, is necessary for all known forms of life, according to NASA.

Wednesday, January 14, 2009

Google unwraps Apps partner program

Resellers can now offer the Apps productivity suite, but question remains whether Google can support a partner ecosystem soundly enough to entice enterprises.

Google on Wednesday detailed a new program under which resellers can now offer Google Apps to businesses -- effectively meaning that companies considering the alternative to Microsoft Office don't have to go it alone. But the search giant has yet to prove its strength in supporting a partner ecosystem that could bring enterprises much needed assurances.

"This is a natural evolution of where Google Apps is," says Stephen Cho, director of Google Apps channels. In the two years since Google launched its productivity applications, Cho continues, Google has made progress with enterprise features and SLAs and gotten more than 1 million.

With the new program, Google intends to offer the resellers training, support, and tools for integrating Google Apps into customers' infrastructures, including APIs for tasks such as directory synchronization, migration, reporting, and single sign-on. Resellers, in turn, can bundle in their own services and support and maintain a direct relationship with customers.

Cho explains that this partner program was built from the ground up, SaaS style, so Google hosts all the tools resellers can use. He also points to Google's acquisition of Postini, which already had a robust channel in place. "We've taken lessons from that to bring this new reseller program into play."

But Philbert Shih, analyst with Tier1 Research, is skeptical. "Google does not have a lot of experience working with partners. I've not seen the groundwork, a foundation, for keeping them up to date," Shih says. "Will the resellers have expertise in Google products? I don't think Google can just hand off support and services."

What's more, "part of the appeal of Google is the no-install proposition and the fact that the apps are pretty intuitive," explains Jim Murphy, research director at AMR Research.

That said, Murphy expects that down the line, companies tapping Google Apps will look to partners for help employing and integrating processes, particularly those that interact with Microsoft Office. "Enterprises need reassurance about things such as privacy and security," qualities that signing on with a reseller can bring.

Of the large-enterprise customers Murphy speaks with on a daily basis, in fact, many are currently discussing a five-year plan for collaboration, a gradual evolution that often begins with Gmail and eventually includes other Google Apps. "For some companies, the SaaS model is a way of isolating that move from the unpredictable costs of being able to support all this stuff. Going with Google, which provides the infrastructure, can relieve those headaches," Murphy explains, adding that "it could also stifle the growth of Microsoft Office."

Microsoft, for its part, is simultaneously working on packaged and hosted editions of Office, the next tentatively dubbed Office 14. Although officials have offered little detail, Microsoft did say that Office 14 will include lightweight Web versions of Excel, PowerPoint, and Word offered via its Office Live Workspace service. Sources this week speculated that Office 14 will not ship in accordance with Windows 7 and may not become available until 2010.

In the meantime, Web-based applications not only from Google but also Adobe, IBM, and Zoho, among others, are gaining purchase in small businesses. However, they have failed thus far to gain enterprise adoption, according to a report Forrester Research put out last week: "Companies use Word out of habit, not necessity."

Google's U.S. partners consist of SADA Systems, Excel Micro, Horizon Info Services, Cloud Sherpas, and others, including providers from 25 countries. The company is also working to sign up Capgemini, which is already a partner in another Google program. "There are other recognizable names we're in advanced discussions with," Google's Cho says.