Tech Loop

Is U.S. stuck in Internet's slow lane?

2007-10-30T19:33:00.000-07:00

By PETER SVENSSON, AP Technology Writer 2 hours, 51 minutes ago

NEW YORK - The United States is starting to look like a slowpoke on the Internet. Examples abound of countries that have faster and cheaper broadband connections, and more of their population connected to them.

What's less clear is how badly the country that gave birth to the Internet is doing, and whether the government needs to step in and do something about it. The Bush administration has tried to foster broadband adoption with a hands-off approach. If that's seen as a failure by the next administration, the policy may change.

In a move to get a clearer picture of where the U.S. stands, the House Energy and Commerce Committee on Tuesday approved legislation that would develop an annual inventory of existing broadband services — including the types, advertised speeds and actual number of subscribers — available to households and businesses across the nation.

The bill, introduced by Rep. Ed Markey, D-Mass., is intended to provide policy makers with improved data so they can better use grants and subsidies to target areas lacking high-speed Internet access. He said in a statement last week that promoting broadband would help spur job growth, access to health care and education and promote innovation among other benefits.

The inventory wouldn't cover other countries, but a cursory look shows the U.S. lagging behind at least some of them. In South Korea, for instance, the average apartment can get an Internet connection that's 15 times faster than a typical U.S. connection. In Paris, a "triple play" of TV, phone and broadband service costs less than half of what it does in the U.S.

The Organization for Economic Co-operation and Development — a 30-member club of nations — compiles the most often cited international comparison. It puts the U.S. at 15th place for broadband lines per person in 2006, down from No. 4 in 2001.

The OECD numbers have been vigorously attacked by anti-regulation think tanks for making the U.S. look exceedingly bad. They point out that the OECD is not very open about how it compiles the data. It doesn't count people who have access to the Internet at work, or students who have access in their dorms.

"We would never base other kinds of policy on that kind of data," said Scott Wallsten, director of communications policy studies at the Progress and Freedom Foundation, a think tank that favors deregulation over government intervention.

But the OECD numbers are in line with other international measures. Figures from the British research firm Point-Topic Ltd. put the U.S., with 55 percent of its households connected, in 17th place for adoption rates at the end of June (excluding some very small countries and territories like Macau and Hong Kong).

"We're now in the middle of the pack of developed countries," said Dave Burstein, telecom gadfly and the editor of the DSL Prime newsletter, during a sometimes tense debate at the Columbia Business School's Institute for Tele-Information.

Burstein says the U.S. is lagging because of low levels of investment by the big telecom companies and regulatory failure.

Several of the European countries that are doing well have forced telephone companies to rent their lines to Internet service providers for low fees. The ISPs use them to run broadband Digital Subscriber Lines, or DSL, often at speeds much higher than those available in the U.S.

The U.S. Federal Communications Commission went down this regulatory road a few years ago, but legal challenges from the phone companies forced it to back away.

In 2004, President Bush called for nationwide broadband access by 2007, to be nurtured by an absence of taxation and little regulation. The U.S. is very close to Bush's goal, thanks to the availability of satellite broadband across the lower 48 states.

But the Internet by satellite is expensive and slow. Nearly everyone may have access to the Internet, but that doesn't mean they're plugging in.

Part of the problem may be that people don't see fast Internet access as an essential part of modern life, and may need more of a push to get on. The U.S. does have wider income disparities than many of the countries that are outdoing it in broadband, and people in poverty may have other priorities for their money.

Dan Correa, research analyst at the Information Technology and Innovation Foundation, believes the U.S. needs a more "proactive" broadband policy, and compares the lack of government involvement in the field with the situation in other utilities, which are mostly heavily regulated.

"In the 1930s, we recognized that electricity was essential. We're not quite at that level in broadband," Correa said.

An FCC chairman appointed by a Democratic president in 2009 may agree. Current Democratic Commissioner Michael J. Copps has said broadband availability could be encouraged with tax incentives and loans to rural utilities.

The United States doesn't look set to catch up to South Korea or even Canada (with 65 percent of households connected to broadband, according to Point-Topic) by then, because broadband adoption is slowing down after an initial growth spurt.

In the last few weeks, the U.S.'s three largest Internet service providers reported adding 1.2 million subscribers in the third quarter, down from 1.54 million in the same quarter last year, according to a tally by UBS analyst John Hodulik.

But the U.S. does have a few aces up its sleeve. Apart from satellite broadband it has widespread cable networks, which provide an alternative to DSL. Cable has some technical advantages over phone lines, and a new cable modem technology called Docsis 3.0 could allow U.S. Internet speeds to leapfrog those in countries dominated by DSL in a few years.

On the phone side, the country's second largest telecommunications company, Verizon Communications Inc., is spending $23 billion to connect homes directly with super-fast fiber optics.

"Twenty percent of the U.S. is getting a decent network," Burstein acknowledges. The new network can match or outdo the 100 megabits per second Internet service widely available in Japan and Korea, but Verizon isn't yet selling service at that speed.

___

AP Business Writer Dibya Sarkar contributed to this report from Washington, D.C.

___

On the Net:

Columbia Institute for Tele-Information: http://www.citi.columbia.edu

Cafe Latte attack steals data from Wi-Fi PCs

2007-10-17T18:35:00.000-07:00

Robert McMillan Wed Oct 17, 4:56 PM ET

San Francisco (IDGNS) - If you use a secure wireless network, hackers may be able to steal data from your computer in the time it takes to have a cup of coffee.

At the Toorcon hacking conference in San Diego this coming weekend, security researcher Vivek Ramachandran, will demonstrate a technique he's developed to attack laptops that use the WEP encryption system to log on to secure wireless networks.

Developed in the late 1990s, WEP was the default method of securing Wi-Fi networks. Though the WPA (Wi-Fi Protected Access) system replaced it, about 41 percent of businesses continue to use WEP. That percentage is even higher among home users, security experts say.

That's unfortunate because WEP has been riddled with security problems. In fact, WEP was blamed for the recent TJX Companies data breach in which thieves were able to access 45 million credit- and debit-card numbers.

To date, however, researchers have tended to focus on exploiting WEP flaws in order to break into wireless networks. That generally meant that the attacker would roll up near the WEP-encrypted router, crack the WEP key used to encrypt network traffic, and then log on to the network.

Ramachandran, a senior wireless security researcher with AirTight Networks, has taken a look at the client side of things and developed a way of tricking a WEP-enabled client into thinking that it is logging on to a network that it already knows.

His technique, which he calls the Cafe Latte attack, allows an attacker to circumvent firewall protection and attack the laptop or to set up a "man in the middle" attack and snoop on the victim's online activity. "Until now, the conventional belief was that in order to crack WEP, the attacker had to show up at the parking lot," he said. "With the discovery of our attack, every employee of an organization is the target of an attack."

There are several steps to Cafe Latte, all of which exploit known flaws in the WEP architecture. First, the attacker programs a laptop computer to act like a malicious wireless network, setting up shop in an Internet cafe or an airport. The malicious PC then begins communicating with other Wi-Fi laptops in range, figuring out the name of the WEP-enabled routers that these laptops are programmed to look for and then cracks the keystream encryption code required to send messages to the victim's laptop.

Knowing the keystream only gets the attacker halfway. To truly crack the WEP encryption key and read messages coming from the victim, the attacker must somehow trick the victim into sending a large amount of information -- about 70,000 messages, actually -- to the malicious network. Those messages could then be analyzed and cracked using WEP-cracking tools.

Cafe Latte does this by taking advantage of the way the Internet's ARP (Address Resolution Protocol) ensures that two computers do not share the same IP address. ARP is used when a new computer joins a LAN to announce the IP address it will be using and to ensure that no other machine shares that address. These network messages are ignored by the victim's PC unless it shares that address. Then it sends a message back to the attacker's PC saying that the IP address in question is already being used.

Once the attacker gets a response from the victim's PC, he knows he has guessed the correct IP address and he can bombard the victim's PC with the same message, essentially saying over and over again "I'm joining the network and I'd like to use this IP address. Are you already using it?"

As the victim's laptop continues to reply, "Yes, I am," the attacker eventually stores up enough samples of encrypted messages to be able to figure out the WEP key. Now messages from the victim can be read by the attacker.

"It's definitely a novel attack," said Jon Ellch, a Wi-Fi security researcher who also goes by the name johnny cache. While an attacker could use this WEP key to log on to the victim's WEP network, the real danger here is from the man-in-the-middle attack, which would let the attacker see everything the victim is doing on the Internet, he added.

Still, a victim might notice that something was up during the estimated 30 minutes that Cafe Latte requires in order to crack the WEP key, Ellch said. The attack would have a better chance of succeeding if the laptop were simply turned on and trying to connect to the Wi-Fi network in the background, he said. "If they're trying to do something with the Internet, obviously it's not going to pan out so well."

Toorcon runs from Friday to Sunday.

You might wear computing's next wave

2007-10-14T19:25:00.000-07:00

By BRIAN BERGSTEIN, AP Technology Writer Fri Oct 12, 4:01 PM ET

BOSTON - From clothes riddled with sensors to name tags that detect our moods, computing's next wave could unleash small devices that increasingly augment everyday activities with digital intelligence.

That was the predominant vision at a conference on "wearable computing" held this week in Boston, where researchers showed off prototypes and discussed ideas.

Some attendees took wearable computing to its extreme, donning cyborg-like miniaturized displays attached to eyepieces. But most of what was on exhibit seemed much closer to jumping into a mainstream commercial product.

For example, researchers from the Swiss Federal Institute of Technology (known as ETH Zurich) showed off stretchable, threadlike sensors that can be woven into shirts to detect their wearers' posture. People with back pain or injuries could be prompted on a PC or a mobile device to straighten up, pronto.

Stephane Beauregard of Germany's University of Bremen displayed a shoe-borne sensor whose tiny accelerometers perform electronic dead reckoning — providing real-time location tracking in places satellite navigation systems either can't reach or can't describe with precision. For now the sensor has to be held in place by the shoelaces, but Beauregard expects a version that can fit inside a boot heel could be a year away. His first intended market is firefighters and other emergency responders.

Graduate students at the Massachusetts Institute of Technology's Media Lab had black plastic badges around their necks that analyze multiple factors — including motion and speech patterns — to detect the level of engagement two people are exhibiting in a conversation.

Information gathered from the badges, which weigh just a few ounces and are a bit smaller than a deck of cards, can be sent wirelessly to a computer or a phone to give their wearers helpful tips. Sales reps could be advised that a customer's interest seems to be waning. A doctor could be alerted to indications of depression in a patient being monitored remotely.

The badges might find their first use in gathering reams of data for social network analysis, the study of how groups form and interact. There's big money in applying such research in corporations, which want to ensure that important knowledge doesn't stay trapped in organizational silos. But a lot of data for social network analysis is gathered from e-mail traffic, which only says so much about how people connect with each other.

MIT graduate student Daniel Olguin Olguin said the devices were tested on 25 employees at a German bank and produced surprising insights about alternative ways the office might be laid out. Now Hitachi Ltd. is interested in making the badges for corporate consultants to use with their clients, he said.

Each badge could probably be made for under $100, "and in the future, of course, all of this will be smaller and integrated into your name card," Olguin said.

A prototype shown off by Carsten Mehring of the Colorado School of Mines was far more about convenience. He has embedded sensors into gloves so that snowboarders or motorists could control portable music devices with the faintest squeeze of their fingers — and nary a glance away from a snowy slope or the road.

"The idea," he said, "is to wear your remote, not to carry it."

50 years ago, Sputnik changed technology

2007-10-04T07:22:00.000-07:00

By SETH BORENSTEIN, AP Science Writer Wed Oct 3, 3:46 PM ET

WASHINGTON - With a series of small beeps from a spiky globe 50 years ago Thursday, the world shrank and humanity's view of Earth and the cosmos expanded.

Sputnik, the first artificial satellite, was launched by the Soviets and circled the globe Oct. 4, 1957. The Space Age was born. And what followed were changes to everyday life that people now take for granted.

What we see on television, how we communicate with each other, and how we pay for what we buy have all changed with the birth of satellites.

Communications satellites helped bring wars and celebrations from thousands of miles away into our living rooms. When we go outside, weather satellites show us whether we need to carry an umbrella or flee a hurricane. And global positioning system satellites even keep us from getting lost on unfamiliar streets.

Sputnik gave birth to more than mere technology. The threat of a Soviet-dominated space spurred the U.S. government to increase tenfold money spent on science, education and research. Satellite pictures of Earth inspired an embryonic environmental movement.

Spy and communications satellites also kept the world at relative peace, experts say. Just last week, scientists used commercial satellite images to document human rights violations in Myanmar.

When Sputnik was launched, the public thought a space future would consist of gigantic space stations and colonies on the moon and other planets. The fear was warfare in space raining down on Earth.

"The reality is that the things we expected did not come to pass, and the things that we did not fathom changed our lives in so many ways that we cannot even envision a life that's different at this point," said Roger Launius, senior curator at the Smithsonian Institution's National Air and Space Museum.

America got a taste of that in May 1998. Just one communications satellite malfunctioned. More than 30 million pagers went silent. Credit card payment approvals didn't work. National Public Radio and CNN's Airport Television Network went off the air in some places.

"The civilization we live in today is as different from the one that we lived in the mid-1950s as the mid-1950s were from the American revolution," said Howard McCurdy, an American University public policy professor. "It's hard to imagine these things happening without space. I guess I could have a computer, but I wouldn't be able to get on the Internet."

All thanks to an 184-pound metal ball with spikes shot into space by a country that doesn't exist anymore.

Because Sputnik was launched by a centralized communist government, people feared that space would help totalitarianism, said Georgia Tech University history professor Steve Usselman.

However, satellites "clearly undermined state authority, particularly national authority," Usselman said. "It's taken us in exactly the opposite direction."

As satellites went commercial, they spurred on financial markets, opened up information to people across the globe — which is not what centralized governments want, Usselman said.

Spy satellites also enabled countries to keep an eye on their enemies.

"Except for crazy guys in airplanes, nobody can pull off a sneak attack," McCurdy said. "I think it made the world much less dangerous than it was in 1956."

President Lyndon B. Johnson in 1967 said that it was thanks to satellites that "we know how many missiles the enemy has and, it turned out, our guesses were way off. We were doing things we didn't need to do. We were building things we didn't need to build. We were harboring fears we didn't need to harbor."

Weather satellites now give people an accurate view of threats from nature, as well as vastly improved everyday forecasts, said Keith Seitter of the American Meteorological Society. They save lives when hurricanes approach, giving days of notice instead of hours.

"It's very hard to be surprised these days with the kind of data we have available with satellites," Seitter said. "Certainly 50 years ago that wasn't the case."

In television, satellite communications let upstart networks like HBO, CNN and ESPN develop and feed cable systems via satellite. That brought world events live to people around the globe. But it also allowed people to isolate themselves with niche channels, Usselman said.

Henry Lambright, a professor at Syracuse University, said satellites have had practical benefits, but "the more important benefits are looking at Earth as a whole and looking outward at Earth in the cosmos."

Initial pictures of Earth from space, especially Apollo images from the moon, were embraced by an environmental movement to show how fragile the planet is.

The orbiting Hubble Space Telescope and others have given people views of the universe that not only go trillions of miles away, but billions of years back in time.

"The launch of Sputnik actually triggered heightened interest among the American people, not only in space, but in science, mathematics and education," said White House science adviser John Marburger. "It also opened up people's eyes to the possibility that space could actually be used for something."

Nearly half of cities see home prices fall

2007-09-02T08:48:00.000-07:00

A 287-city report finds the slowest growth in two decades, with metro areas in California and Florida showing year-over-year declines of as much as 8%.

By Marilyn Lewis

It's housing whiplash: The boom is biting back in the places where it ran highest and fastest just a couple of years ago, a government report for the second quarter shows.

Nationally, the Office of Federal Housing Enterprise Oversight (OFHEO) said prices were essentially flat, growing just 0.1% from April through June, and nearly half of cities profiled showed declines for the quarter. Not since 1994 have home prices grown so little over a quarter.

Compared with a year ago, prices were up 3.2%. But that number reveals nothing about the recent mortgage market turmoil, whose influence will show up in third-quarter numbers, revealed in late November. Also, the OFHEO index, while prized for its scope -- it tracks prices in 287 metro areas -- can appear rosier than some other instruments because it does not contain refinances or mortgages larger than $417,000.

Of those 287 metro areas, 131 showed price declines for the quarter. Over the past four quarters, 61 areas reflect declines. But over five years, no metro area shows up in the red.

"These newest data show price declines in many areas that were once at the center of the housing boom," said OFHEO chief economist Patrick Lawler. The worst declines were in California, Florida and Nevada, all centers of huge housing booms until recently, and in Michigan, which is reeling from epic job losses.
Best and worst
The biggest decline was in the Merced, Calif., area. Homes there lost 8.65% of their value over this time last year and 3.76% from the past quarter. Merced's experience underscores Lawler's point: Even with the whiplash correction, Merced prices show growth of nearly 90% in the last five years.

Runners-up for the biggest decline included the California metro areas in and around Santa Barbara, Stockton, Salinas, Modesto, Yuba City, Sacramento, Santa Rosa, Santa Cruz, San Luis Obispo, Oxnard and Vallejo, and Reno, Nev., in the California orbit. Prices dived in Florida communities in and around Punta Gorda, Sarasota, Cape Coral, Palm Bay, Port St. Lucie and West Palm Beach.

Smaller cities in the West and Northwest were the stage for much of the best price growth last quarter. Topped by Wenatchee, Wash.'s nearly 24% yearly price increase -- 5% for the quarter and nearly 80% growth in five years, the fastest growth areas were dominated by Washington, Utah, Colorado, Oregon and Texas. The list also includes cities in Alabama, the Carolinas, Virginia, Mississippi and Pennsylvania.

The OFHEO report tracks data from the previous quarter, but there has been nothing in the interim to suggest that prices have stopped slowing, "I don't know if we are going to go into a steep decline or just keep coasting to the bottom," says Amy Crews Cutts, the deputy chief economist at Freddie Mac. "Stabilization is key."

Cutts has been surprised by the downturn's persistence. "I had originally been thinking (it would end in) the middle of this year." But the August financial crisis probably has pushed any recovery "into 2008," and that's "predicated on the financial markets getting their act together pretty quickly."
Bad news mounts
Other news underscores the seriousness of the downturn:

* The National Association of Realtors reported last week that median price of existing homes fell in July to $228,900 -- a 0.6% drop from the previous month and the fifth straight monthly decline. The volume of house sales hasn't been this low in nearly five years.

* The widely respected Standard & Poor's/Case-Shiller Home Price Index shows that prices fell 3.2% on average in the second quarter. It was the biggest drop recorded in the report's 20-year history. Unlike OFHEO, Case-Shiller includes "jumbo" loans over $417,000 not held by Freddie Mac and Fannie Mae. The report tracks prices in 20 cities and found prices declining in 17 of them.

* Inventory -- the supply of single-family homes on the market -- is at 9.2 months nationally, which is to say it would normally take that long for the backup to sell. Nearly a year's supply of condos is currently on the market. Inventories in a balanced market run at about six months, says Walt Molony of the National Association of Realtors. "During much of the boom we averaged 4.5 months," he says. The low point, in January 2005, was 3.6 months.

* Mounting defaults and foreclosures have inspired North Carolina, Ohio, Minnesota and Maine limit subprime lending. Others are trying to help borrowers refinance. The New York Times reports that in about 30 states lawmakers have introduced nearly 100 bills to curb deceptive lending and foreclosures.

Bubble theorists are growing louder in the insistence that prices must revert all the way to pre-boom levels before a recovery begins. Bruce Marks, the CEO of the Neighborhood Assistance Corporation of America, believes prices could drop 10%, 15% or even, in some places, 25%.

"You are not seeing bubbles bursting in certain parts of the country -- you are seeing a nationwide decline," says Marks, whose nonprofit advocacy organization lends to lower-income buyers.

Cutts discounts that view. It would take a catastrophe like the Great Depression to see that kind of thing, she says. "I know it feels like the sky is falling. It's bad out there." But she says sales of new and existing homes are down 20% in the past two years, more resembling pre-boom 2001 than the 1930s.
Sobered
Although few analysts share the extent of Marks' pessimism, but plenty are sobered by the past quarter's performance. The trend "is horrible," Ian Shepherdson, the chief U.S. economist for High Frequency Economics told his newsletter readers, adding, "the market is "much worse than headline sales numbers suggest -- and still deteriorating."

Robert J. Shiller, the chief economist at MacroMarkets and originator of the Case-Shiller system of market analysis, said in a news release that "the pullback in the U.S. residential real estate market is showing no signs of slowing down."

The research firm Global Insight told The New York Times to expect a decline of 4%, roughly 10% after inflation, from this year's peak to a low in 2009. The company forecasts prices in California to drop 16% to 20%, counting inflation.

Cutts is not sanguine about the near term, either. She sees potential for more subprime mortgages failing. Currently, most delinquencies are in Northeastern industrial cities plagued with layoffs and poor economies.

Most risky loans, however, are concentrated on the coasts. There, housing became so unaffordable that large numbers of borrowers purchased time-bomb subprime loans that they could only temporarily afford to repay -- for houses they could not realistically support.

Already, 2.9% of subprime loans issued just last year are in default. That's alarmingly high, Cutts says, and an unprecedented number of borrowers are not making even the first few payments.
A variety of regional problems
For signs of recovery, look to New England, where economic activity appears to be increasing. Cutts expects that, before too long, prices will hit bottom and at least stabilize. Boston was first, in 2006, to show falling prices from year to year, and, with the region's strong, diversified economy, Cutts and other economists are watching it for signs that it also could lead the way back.

Regions hardest hit by falling prices are Florida, the northern industrial cities of the Midwest in Michigan and parts of Ohio, Illinois and Indiana, and the once-white-hot growth markets of the arid West, including parts of Nevada, Arizona and California.

Housing in the former industrial Rust Belt will take extra long to recover. "Job losses were so deep that it's going to take a modern miracle to show a turnaround there," Cutts says.

The housing scene in the arid West is troubling, particularly in California, she says. That's where the riskiest mortgages were sold to feed demand as prices soared to record levels. California foreclosures still aren't showing up in massive numbers, but they're increasing surprisingly fast, she says, particularly among the riskiest of the mortgages, issued just last year.

In San Diego and fast-growing inland cities, the economic pressure from collapsing housing prices may become exacerbated by job losses in the subprime-mortgage industry, making it harder for housing to pull out of the tailspin.

"As the lenders go down, they fire a lot of people," says Cutts. "I saw that 40,000 mortgage-related jobs (nationally) have been lost this year. There are a lot of subprime lenders headquartered in California."

Mike Inselmann is concerned about California, too -- and Florida and maybe even Nevada. The co-founder of the housing market research firm American Metro/Study says that despite strong economies, these markets have "more serious issues."

He blames local regulatory obstacles to growth for creating a housing scarcity, especially in California, where the strong economy was driving housing demand.

"Everything got disconnected between supply and demand and pricing," he says, and as a result, he says, prices were pushed artificially high. That invited speculation, flipping, risky lending and, eventually, overbuilding.

The collapse was inevitable. Then, the coup de grace: "The breath was knocked out of the whole marketplace when the subprime deal blew up in April and May, and that whole thing has reached hysterical levels of fear."
Discretionary buyers step back
Florida's cosmopolitan appeal has amplified its troubles from overbuilding and run-up prices: The real estate market is a haven for Latin Americans with discretionary cash as well as a magnet for northern retirees and workers anticipating retirement. As prices rose, these discretionary buyers retreated, leaving legions of empty homes to too few local buyers. "When the chill enters the marketplace, those people can sit on their hands (and wait)," Inselmann explains.

Las Vegas, a similar market on the other side of the country, still is growing, just more slowly. Now 5,000 newcomers arrive monthly, many for casino jobs; before, it was 7,000. The city is awash in new condos that investors had hoped to flip or chose not to keep. They compete with even-newer developments coming on line, says Mark Weinberg, who's been an agent there for Prudential Americana Group Realtors for 13 years.

"I gotta be honest," he says. "I've seen the inventory extend out; I've seen people, unfortunately, losing their homes." A home that used to sell in three or four months now takes four to seven months or more. Weinberg's wife, a loan officer, lost a job when her employer went bankrupt.

Builders concentrated on million-dollar condos aimed at out-of-towners, leaving a paucity of homes for working people, say analysts. As in Florida, "the rich people are suddenly saying, 'You know, I don't need a condo in Vegas right now,' " says Cutts, of Freddie Mac.

But Las Vegas always reinvents itself, Weinberg says. With "job growth consistently every month, population growth every month, very low unemployment and money still pouring into development on The Strip," he is anticipating a recovery by late 2008.

Cutts, too, has the end in sight. "If homes are being bought for the long run, housing is still a very good deal," says Cutts. Eventually, values will return, she adds. After the collapse of the Southern California defense industry in the early 1990s, prices took 10 years to reach previous levels.

Dollar gains amid anxious trading

2007-08-30T19:19:00.000-07:00

hu Aug 30, 1:44 PM ET

LONDON (AFP) - The dollar gained slightly against the euro on Thursday as more volatile trading on global stock markets helped underpin the US currency.

In late European trading, the euro dropped to 1.3652 dollars, from 1.3676 dollars in New York late on Wednesday.

The dollar fell to 158.18 yen, from 116.13 yen on Wednesday.

"In the current environment movements in other markets, rather than data are what's driving currencies, and rising risk aversion is helping support the dollar," said Ian Stannard, currency strategist at BNP Paribas.

The dollar is seen as a safe-haven in times of financial instability and therefore tends to rise when conditions on markets are turbulent.

Choppy trading showed no sign of ending on Thursday, with a pattern established since the beginning of the month of large falls followed by large gains set to continue.

In the US on Thursday, data showed the US economy grew at a 4.0 percent pace in the second quarter, indicating strong momentum heading into the turbulence from housing and credit woes of August.

The Commerce Department marked up its estimate of gross domestic product (GDP) from last month of 3.4 percent growth, based on new data showing stronger US exports and business investment.

It was the strongest year-on-year growth spurt since the first quarter of 2006, but many economists say the world's biggest economy was slowing in the third quarter, hurt by a severe housing slump and the recent credit squeeze.

The Labor Department also reported 334,000 new jobless claims for the week ending August 25, while economists had predicted 322,000 new claims.

The figure was the highest since the 341,000 in the week ending April 14 and prompted concerns that troubles in the US housing sector were spreading to the labour market.

Sentiment on global stock markets had been buoyed on Wednesday after the release of a letter from Federal Reserve chairman Ben Bernanke to Senator Chuck Schumer.

The letter said the Fed was "prepared to act as needed to mitigate the adverse effects on the economy arising from the disruptions in financial markets."

This led may to conclude that the Fed would cut interest rates in September.

Attention has now turned to a speech on Friday by Bernanke in Jackson Hole, Wyoming, with market participants looking for hints on whether the cut will materialise.

"Bernanke is likely to leave many in the market disappointed and play down the prospect of a cut, emphasising that the Fed will only lower rates as the economy slows, and not because of what's happening in the markets," added analyst Stannard.

In France OECD deputy-director Adrian Blundell-Wignall told reporters: "To cut interest rates in response of a crisis like this would be a mistake in my opinion.

"The Fed should only cut interest rates in response to its basic objectives which is the inflation rate and the health of the US economy."

The euro was changing hands at 1.3652 dollars, against 1.3676 dollars late on Wednesday, 158.18 yen (158.84), 0.6774 pounds (0.6778) and 1.6417 Swiss francs (1.6406).

The dollar stood at 115.86 yen (116.13) and 1.2025 Swiss francs (1.1995).

The pound was being traded at 2.0154 dollars (2.0173).

On the London Bullion Market, the price of gold climbed to 666 dollars per ounce, from 664.25 dollars late on Wednesday.

10 reasons to be paranoid

2007-08-30T14:21:00.000-07:00

Every bit of your virtual existence is being monitored -- get scared accordingly

By Dan Tynan
August 27, 2007

The truth is out there ... and so is your data. And just because there are no virtual black helicopters following you doesn't mean somebody somewhere doesn't have a bead on who you are and what you are doing.

From buttinski bosses to spies and spooks, there are plenty of reasons to be, well, a little paranoid about the vulnerability of your data and the potential loss of your privacy. To help you gauge the appropriate level of hysteria, we've rated each threat on our Paranoia Meter, using a scale of 1 (Don't worry, be happy) to 5 (Be afraid, be very afraid). Though we've taken a lighthearted approach, concerns about data privacy are not all fun and games.

“You can look at 'paranoia' as just a good way of having a long horizon,” says Jim Harper, director of information policy studies at the Cato Institute. “Incentives exist for data practices to be abused very badly in the future. Being paranoid about them today is being rational about protecting yourself tomorrow.”

Here are 10 ways to practice your paranoia:

Paranoia No. 1: Your boss is watching
Paranoia No. 2: Google knows what you searched last summer
Paranoia No. 3: There's a spook in your inbox
Paranoia No. 4: Information brokers are bungling your data
Paranoia No. 5: The Feds are on your tail
Paranoia No. 6: Zombies abound
Paranoia No. 7: Hollywood wants to terminate you
Paranoia No. 8: Your ISP knows too much
Paranoia No. 9: Your Wi-Fi net is wide open
Paranoia No. 10: You are your own worst enemy
Dan Tynan is contributing editor at InfoWorld.

Get paranoid: Your boss is watching
Reason No. 1: Privacy and the workplace just don't mix

Ever get the feeling your boss -- or your boss's IT department -- is lurking through the network, spying on you? Odds are quite good your instinct is right. And the bigger the organization, the more likely it monitors employees' e-mail, IM, or Web surfing.

According to a 2005 survey by the American Management Association and The ePolicy Institute, three out of four companies monitor where their employees go on the Web, and more than half scan their e-mail. One out of four organizations report having terminated employees for e-mail abuse, and another 25 percent have canned workers for inappropriate Web surfing. Think that blog is safe for speaking your mind? Think again. Two percent of companies have fired workers over offensive blog entries, according to the 2006 version of the survey.

And then there’s background checks (80 percent of businesses conduct them, according to Spherion), drug tests (50 percent), surveillance cameras, and that GPS transponder in the company car.

This doesn't mean employers are evil. They do have a lot to worry about: trade secrets leaking out via e-mail, employee misrepresentation, harassment suits stemming from inappropriate e-mail or Web surfing, folks just plain goofing off on the company dime.

“There is enormous pressure on companies to expand their workplace surveillance,” notes Frederick Lane, author of The Naked Employee: How Technology Is Compromising Workplace Privacy.

“The biggest problem is that increased surveillance inevitably collects non-work-related information about employees and offers employers more opportunity to make employment decisions -- hiring, firing, promotion, etc. -- based on criteria other than qualifications and job performance,” Lane says.

“Workplace privacy”? That's just another oxymoron.

Get paranoid: Google knows what you searched last summer
Reason No. 2: Lusting after your personal data is the lifeblood of this beast

Not long ago, Google was the cuddly search engine that could. Now it's a bona fide data monster, and your personal information is its meat.

Google's pending acquisition of DoubleClick has shed new light on just how much data the G-men control, from search histories to e-mail, calendars, blogs, videos, and more. So notable is Google's stranglehold over personal data that even Microsoft claims to offer more privacy than Google, which is enough to tell you the universe has shifted.

The question is, What will Google do with this vast trove of information? Global privacy counsel Peter Fleischer points out that Google alone challenged the Department of Justice in January 2006 when the department demanded millions of search terms from the top four engines. And Google did voluntarily agree to anonymize the search data it retains after 18 months.

But privacy advocates are far from convinced. The next time everyone's favorite Uncle asks the company to display its assets, Google might not prevail. And if Google were ever acquired or chopped into bits, that data could be its most valuable commodity.

Worse, Google Desktop may represent a security risk to the data on your hard drive. In a Ponemon Institute survey of IT pros conducted in June, more than 70 percent believe Google Desktop is still vulnerable to cross-site scripting attacks.

The solution? Be very careful about how you use Google products. When in doubt, log out.

Get paranoid: There's a spook in your inbox
Reason No. 3: Every call is a could-be conference call with Uncle Sam

Remember when the CIA was a dark, malevolent force lurking in the shadows of our lives, tapping our phones, reading our mail, and planting explosive devices in Castro's cigars? Well, they're baaaack. Only now it's the National Security Agency, and they're snooping into your e-mail, cell phone conversations, and Lord knows what else.

What we do know is fairly limited. According to an account in The New York Times, the spooks are heavily involved in data mining, combing through billions of electronic records, looking for patterns that might identify the behavior of terrorists.

We know that the Electronic Frontier Foundation is suing AT&T for allowing the spooks to tap into their datacenters and that the government is trying to quash the suit by claiming such information is a state secret -- which is about as far from a denial as you can get.

We also know Attorney General John Ashcroft, Acting Attorney General James Comey, and FBI Director Robert Mueller nearly resigned over domestic spying activities in 2004, forcing the Bush administration to change tactics.

And we know that Congress recently handed the spooks a virtual blank check for spying on conversations with foreign nationals, although they promise to revisit said blank check in six months.

And even if we did tell you what the agency is doing, we'd have to kill you -- and then flush all evidence of your existence down the memory hole.

“Until recently, we didn't have to worry much about the government spying on us,” says Larry Ponemon, director of the Ponemon Institute, a privacy management consultancy. “Now somebody decides that you're a terror threat or they don't like you for some reason, and you can't get on a plane. It may not necessarily happen to you, but it could happen to someone you know.”

Bottom line: Keep your nose clean and watch the plainclothes.

Get paranoid: Information brokers are bungling your data
Reason No. 4: Shoddy report vendors put the "credit" in discrediting your reputation

Anybody who requests a background or credit check on you -- or provides them to others -- has a ton of sensitive information about you that (a) may not be accurate and (b) is highly vulnerable to spills. That includes data brokers, credit bureaus, banks, insurance companies, cell carriers, and your employer.

Report vendors have morphed into one-stop data-mining shops, selling everything from credit scores to criminal records. A 2004 study by the U.S. Public Interest Research Group found that 80 percent of all credit reports contained errors and that one in four were serious enough to keep you from obtaining credit or getting a job.

Not surprisingly, report vendors' track records for protecting this information is abysmal (of course, Uncle Sam's record isn't too hot, either). According to the Privacy Rights Clearinghouse, nearly 160 million Americans have had sensitive personal information exposed by data breaches since January 2005.

What to do? Find out what information is out there by requesting a free copy of your credit report. Correct any mistakes and opt out whenever possible. Most data brokers now give you the option of removing your name from their marketing lists (although not credit or background checks); privacy policies on their Web sites usually spell out how. In September, ReputationDefender is launching its MyPrivacy service, which will remove you from some brokers' lists for a small fee.

The moral of this story: Keep your friends close and your data brokers closer.

Get paranoid: The Feds are on your tail
Reason No. 5: That letter in your doctor's hand may be hazardous to your health

If the National Security Agency is spying on you, you're probably connected in some way to a terrorist investigation -- even if it's just because you invited your neighbor Ahmed over for a barbecue.

But the FBI can investigate you for all kinds of reasons, and you may never know it until they slap on the cuffs. Are you a vegan, a member of People for the Ethical Treatment of Animals, or part of an antiwar organization? All of these groups have been investigated for “domestic terrorism” since September 11, according to documents obtained by the American Civil Liberties Union under the Freedom of Information Act.

Under the Patriot Act, FBI agents can issue NSLs (national security letters) to your employer, bank, ISP, doctor, library, or any other entity demanding your records without a warrant. Recipients of NSLs must comply with the FBI's demands and cannot notify the person under investigation. Between 2003 and 2005, the Feds issued more than 140,000 such letters, according to a March 2007 report by the inspector general for the Department of Justice.

In a random sample of nearly 300 NSLs, the inspector general found possible violations of FBI procedures or the law in 48 of them, or about one out of every six.

Worse, you can be an absolute saint and still be the target of an NSL. According to a November 2005 report in The Washington Post, “Senior FBI officials acknowledged in interviews that the proliferation of national security letters results primarily from the bureau's new authority to collect intimate facts about people who are not suspected of any wrongdoing.”

Feeling paranoid yet?

Get paranoid: Zombies abound
Reason No. 6: Hackers, crackers, and phishers -- need we say more?

We are in the midst of a zombie epidemic that shows no signs of slowing. During the second half of July, the volume of spam e-mails containing variations on the Storm worm increased tenfold. The result? A zombie network estimated by IT security company SecureWorks at more than 1.7 million PCs -- big enough to do serious damage to the Net.

The degree of your personal risk depends almost entirely on what you do and don't do online, says Bill Rosenkrantz, director of product management at Symantec.

“On one hand, the hackers are definitely out there, they are very creative, and there is significant financial gain available to them,” Rosenkrantz says. “On the other hand, you have decent control over that. If you don't randomly download files onto your system, have a full security solution on your desktop, and keep your browser and your OS updated, the risk is probably a 3 on a scale of 5. If you don't do any of that, your risk is probably closer to a 5.”

In the case of Storm, the solution is relatively straightforward. Because the zombies connect to one another via a P2P network, IT managers can mitigate damage by blocking each PC's ability to use p-to-p networking.

In short, be careful out there.

Get paranoid: Hollywood wants to terminate you
Reason No. 7: Copping the latest 50 Cent single could translate to doing time

No, the Recording Industry Association of America and the Motion Picture Association of America aren't spying on you. They've got people for that, specifically companies such as BayTSP and SafeMedia, which infiltrate peer-to-peer networks so they can record file swappers' IP addresses and the types and number of files they're sharing. An IP address isn't proof positive of your identity, but it's good enough for most civil suits -- unless, of course, it belongs to a dead person or someone who doesn't actually own a computer.

If you never visit p-to-p nets, you're probably safe. If you do, using anonymous IP networks, Web proxy services, or open Wi-Fi connections can make your identity much harder to trace, says Peter Eckersley, staff technologist for the Electronic Frontier Foundation.

“Aside from the huge, open p-to-p networks like Gnutella/LimeWire or eDonkey/eMule, many people share files with their friends on small-scale networks,” Eckersley adds. “In those situations, copyright holders would have to send undercover agents to infiltrate those groups if they wanted to trace the participants.”

Given the revenue at stake and the history of the players involved, if you're swapping tunes with a small circle of friends, be sure to keep your attorney's phone number handy, just in case.

Get paranoid: Your ISP knows too much
Reason No. 8: Detailed logs. Of everything you've ever done online

If you think Google knows more about you than your parents do, imagine the kind of dope your ISP could drop if pushed to give up the goods.

As the gateway to all our personal Internet communications, service providers could create detailed logs of everything you've ever done online: e-mail, Web surfing, IM, file downloads, and more. The potential for using such records in criminal investigations (or worse) is huge, which is why some lawmakers have been pushing legislation that requires ISPs to retain user data for a year or longer.

“We are more trusting of ISPs than we should be,” says Jim Harper, director of information policy studies at the Cato Institute. “You may not be able to see it, but there's a big stream of data going out of your house through your ISP. It's foolish to rely on ISPs to protect us from their own interests or the government's interests in us."

And it's that second party's interests that send the deepest shivers down most folks' spines.

“I've even heard stories that some ISPs are reselling anonymous data about their traffic,” Harper adds. “Won't that suck if we find out the anonymized data they've been selling can be de-anonymized and re-identified.”

Can you trust your ISP? Don't be so sure.

Get paranoid: Your Wi-Fi net is wide open
Reason No. 9: Oh, I'll just hop on to this FraudDaddy3 Wi-Fi connection and pay bills while I wait for the bus

Got a secure Wi-Fi connection? Good for you. But your neighbors may not be so lucky.

According to an October 2006 survey by the Wi-Fi Alliance, three out of 10 home networks are insecure. More surprisingly, one out of four business Wi-Fi networks is totally open, according to a May 2006 survey by RSA.

That same RSA survey found that 20 percent to 30 percent of access points in major cities throughout the world use the user name and password supplied by their router manufacturer, allowing knowledgeable "war drivers" to log in to the device and change its security settings.

Aside from sucking up bandwidth, war drivers can use your connection to send spam, download porn, and snoop around your shared folders.

Using an open Wi-Fi network yourself isn't exactly safe, either. You could log on to an open network in an airport or other public space and end up on an “evil twin,” a Wi-Fi network set up to mimic a legit one but operated by some creep with a laptop and a mobile access point, notes Paul Henry, vice president at Secure Computing. The crooks could then sniff your data, grab passwords and other sensitive information, and gain access to your corporate network or steal your identity.

If your home net isn't already locked down, now's the time. And if you must access open Wi-Fi nets, use end-to-end encryption for the sensitive stuff.

Get paranoid: You are your own worst enemy
Reason No. 10: Having 185 million close personal friends does have its downside

Got a MySpace page? LinkedIn résumé? Facebook profile?

When it comes to sharing personal data (sometimes a bit too personal), many people are their own worst enemy. Letting it all out online is fine, until the day of that big job interview when you're asked to explain how you ended up in that Geeks Gone Wild video.

Roughly one out of five employers look at social networks when making hiring decisions, according to a survey by Viadeo, a European business social network. And with the ongoing proliferation of the social networking phenomenon, that number is only likely to grow.

“In general, people should be more concerned about the image they portray in places like MySpace and Facebook,” says Beth Givens, director of the Privacy Rights Clearinghouse. “More and more employers are searching them. Or one day you want to volunteer for an organization like Big Brothers or Big Sisters. You don't want to look like a drunk on the beach.”

OK, fine, you're hot. But does the world have to know it? Consider being a little more anti-social.

Dan Tynan is contributing editor at InfoWorld.

Honeypots as sticky as ever

2007-08-30T14:08:00.000-07:00

New developments make honeypots even more valuable

By Roger A. Grimes
August 24, 2007

Longtime readers of my column know what a honeypot proponent I am. I run several around the world, collecting information on malware and malicious hackers, and I think every company should have one.

Companies should have a honeypot, not to learn hacker and malware tricks, but as an early warning system. All computer security defenses will ultimately fail. And if they fail and a bad thing gets by your defenses, what's the next best thing? Early warning.

Take a box you're getting ready to throw away, and make it a honeypot. Stick it somewhere in your environment where it's likely to get noticed by an intruder, and tell it to page your incident response team (or you) if anything unexpected tries to connect to it. It's a fake computer asset, and nothing (once you've fine-tuned the false positives out) should ever connect to it. When something does, it's more than likely malicious. I've caught many hackers this way, identified bots that no other defenses found, and even participated in the capture of a Russian hacker. Honeypots work. They are high value and low noise. I've always been perplexed about why they haven't had stronger adoption and use in the computer security community.

Perhaps part of the problem is that the honeypot development world can be quite frozen at times. Months and months go by without any significant updates, but this month has seen a cornucopia of new developments and updates. Here are some of my favorites:

New honeypot book
Niels Provos (creator of Honeyd and senior staff engineer at Google) and Thorsten Holz have written an excellent honeypot book in "Virtual Honeypots: From Botnet Tracking to Intrusion Detection."

As a seasoned honeypot and honeyclient professional (and honeypot book author), I had high hopes for this book -- and it delivers. Niels and Thorsten provide a solid reference to beginners and more experienced honeypot users alike. The book covers how to install and use (step by step) dozens of honeypot products.

The list of what they cover is far too long to report here, but let's say they get to 95 percent of what any honeypot enthusiast would want to read about. My favorite subjects in the book are user-mode Linux, Honeyd, Honeywall, honeyclients, collecting malware with honeypots, tracking botnets, and analyzing malware.

The only downsides I could even come up with is that the book deals with a lot of Unix/Linux-only products, just like the honeypot software world, which might be a put-off for Windows-only readers. And it didn't cover Kfsensor, my favorite Windows honeypot product. Other than that, it is an excellent, excellent book that I would recommend to any honeypot enthusiast. In the end, what I really liked about this book is its coverage of a wide range of products and its practical application to capturing and analyzing malware. It's a great addition to the books on honeypots already written by Lance Spitzner and myself.

Updated Honeyd for Windows
Honeyd, originally a Unix/Linux-only product by Niels Provos, is one of the best virtual honeypot software programs in existence. It is very flexible and useful. Michael Davis did the original Honeyd port to Windows (thank you very much, Michael), but that version didn't keep up as Windows XP and later came out. Changes in Microsoft Windows and a few other notorious bugs made it hard for me to ever recommend using Honeyd for Windows over the last year or so.

Instead, I'd suggest that people use the Unix/Linux version of Honeyd, but that meant learning new skills if you were a Windows-only person. Or they could use Kfsensor.

Jesper Jurcenoks, co-founder of netVigilance, has released an updated version of Honeyd for Windows. You can get it at the netVigilance Web site. Jesper and his company took the time to do a complete rewrite and free update of Honeyd for Windows. He even corrected one bug that remains in the Linux/Unix version to make sure it didn't get replicated to the Windows version, and netVigilance offers a $99 GUI configurator, which can save you hours of configuring and troubleshooting. Thanks to Jesper and netVigilance (and Michael Davis for his earlier contributions) for allowing us Windows security types to play with Niels' excellent honeypot software.

CaptureBAT
CaptureBAT is a neat, free tool for Win32 honeypots that analyzes file, registry, and process information. It's an excellent addition to Sebek in that it provides far more information. It works on all Win32 systems, including Vista, and comes with the ability to exclude predefined types of activity (which is a must when you're doing real-time file and registry analysis).

Capture-HPC
Capture-HPC is a high-interaction honeyclient. The New Zealand Honeypot Project, which produced Capture-HPC, also wrote an excellent white paper on using Capture-HPC to identify malicious Web servers. The group includes the paper, data, and tools for anyone to replicate, and it inspected more than 300,000 URLs (nearly 149,000 hosts) found on 194 malicious servers. It's an interesting read.

If you haven't investigated the honeypot world in a while, this is the time to come back and get involved.
Roger A. Grimes is contributing editor of the InfoWorld Test Center. He also writes the Security Adviser blog and the Security Adviser column.

Monster.com Shuts Down Rogue Server

2007-08-27T15:10:00.000-07:00

By Brian Prince
August 23, 2007

As many as 1.6 million job seeker identities may have been lifted.

Officials at Monster.com confirmed that they had identified and shut down a rogue server accessing contact information through the unauthorized use of compromised legitimate employer/client log-in credentials.

The server contains names, addresses, phone numbers and e-mail addresses. Monster.com is currently analyzing the number of job seeker contacts impacted by the situation and will be communicating with those affected as appropriate, officials said. The company did not offer any details about the location of the server that it shut down.

Last week, researchers at SecureWorks found a server containing data from 46,000 people that was stolen by hackers running ads on job hunting sites and injecting those ads with a Trojan.

When a user views or clicks on one of the malicious ads, their PC is infected and all the information that enters into their browser—such as financial information entered before it reaches SSL protected sites—is captured and sent off to servers used by the hackers, SecureWorks officials said.

The discovery seems to have been part of a larger effort by hackers to target job hunting sites, as Symantec also reported finding another remote server with more than 1.6 million entries with personal data belonging to people who had posted their resumes on Monster.com. Symantec dubbed the Trojan Infostealer.Monstres, and stated the Trojan was using the credentials of recruiters to log in to the Web site and perform searches for resumes of candidates in certain countries or working in certain fields.

The personal details of those candidates were then uploaded to a remote server under the control of the attackers.

"Monster is in the process of reaching out to its entire employer population to mitigate any ongoing issues," officials at the job hunting site said. "In addition, Monster is placing a security alert on the Monster.com site."

PointerCheck out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.

Yahoo adds features to popular e-mail

2007-08-27T15:07:00.001-07:00

By RACHEL KONRAD, AP Business Writer Mon Aug 27, 8:09 AM ET

SAN FRANCISCO - Yahoo Inc. will introduce new features Monday for its popular Web-based e-mail program, including software that allows computer users to type text messages on a keyboard and send them directly to someone's cell phone.

The enhancements make it easier to send e-mail, instant messages or text messages from a single Web site — no need to launch or toggle between separate applications or devices. The features will be available to users in the United States, Canada, India and the Philippines.

The most obvious beneficiaries will be parents, who will be able to use their keyboards to type messages sent to their children's cell phones — no thumb-twisting typing on a dial pad, said Yahoo Vice President John Kremer.

"We're giving you the right way to connect at the right time with right person," said Kremer, whose two preteen sons vastly prefer text and instant messages to e-mail.

The changes come amid fierce competition among providers of free, Web-based e-mail services. Yahoo and Microsoft Corp.'s Hotmail have long dominated the niche, but Google Inc.'s Gmail has grown quickly since its introduction in April 2004.

In March, Yahoo announced that it would provide unlimited storage space, and earlier this month Redmond, Wash.-based Microsoft said Hotmail would increase free storage from 2 to 5 gigabytes. Time Warner Inc.'s AOL, the fourth largest e-mail provider, began offering unlimited storage last summer. Google provides nearly 3 gigabytes.

Sunnyvale-based Yahoo bills the changes as the most significant overhaul of Yahoo Mail since its launch in 1997. The new version replaces a one-year-old beta program and adds new features, including text messaging, a more comprehensive e-mail search engine and an easier to read and edit contacts database.

Users who don't want the upgrades — or whose computers are too slow to handle them — can opt to remain with the current version, which Yahoo will call "Classic."

The new version allows users to click on a contact and then select whether to send that person an e-mail, instant message or text message. You could send an e-mail or instant message if you know the recipient is at the computer — or a text message if the recipient is on the road with a cell phone.

"This gives people the ability to reach anybody in their contact database anytime," said Mike McGuire, vice president of research at industry analysis firm Gartner Inc. "For good or evil, it's going to be much easier for anybody to get a hold of you."

Teen 'unlocks' iPhone from AT&T network

2007-08-27T15:06:00.001-07:00

By PETER SVENSSON, AP Technology Writer Sat Aug 25, 2:20 AM ET

NEW YORK - Armed with a soldering iron and a large supply of energy drinks, a slight, curly haired teenager has developed a way to make the iPhone, arguably the gadget of the year, available to a much wider audience.

George Hotz of Glen Rock, N.J., spent his last summer before college figuring out how to "unlock" the iPhone, freeing it from being restricted to a single carrier, AT&T Inc.

The procedure, which the 17-year-old posted on his blog Thursday, raises the possibility of a cottage industry springing up to buy iPhones, unlocking them and then selling them to people who don't want AT&T service or can't get it, particularly overseas.

The phone, which combines an innovative touch-screen interface with the media-playing abilities of the iPod, is currently sold only in the U.S.

An AP reporter was able to verify that an iPhone Hotz brought to the AP's headquarters on Friday was unlocked. Hotz placed the reporter's T-Mobile SIM card, a small chip that identifies a phone to the network, in the iPhone. It then connected to T-Mobile's network and placed calls using the reporter's account.

T-Mobile is the only major U.S. carrier apart from AT&T that is compatible with the iPhone's cellular technology, but smaller carriers also use the technology, known as GSM. In Europe and Asia, GSM is the dominant network technology.

The hack is complicated and requires skill with both soldering and software, and missteps may result in the iPhone becoming useless, so few people will be able to follow the instructions.

"But that's the simplest I could make them," Hotz said.

Technology blog Engadget on Friday reported successfully unlocking an iPhone using a different method that required no tinkering with the hardware. The software was supplied by an anonymous group of hackers that apparently plans to charge for it.

AT&T spokesman Mark Siegel and Apple spokeswoman Jennifer Bowcock said their companies had no comment on Hotz' exploit. Hotz said the companies had not been in touch with him.

Apple shares rose $4.23, or 3.2 percent, to close at $135.30 on Friday. AT&T shares gained 26 cents, or 0.7 percent, to close at $40.36.

The iPhone has already been made to work on overseas networks using another method, which involves copying information from the SIM chip, or Subscriber Identity Module.

The SIM-chip method does not involve any soldering, but does require special equipment, and it doesn't unlock the phone — each new SIM chip has to be reprogrammed for use on a particular iPhone.

Both hacks leave intact the iPhone's many functions, including a built-in camera and the ability to access Wi-Fi networks. The only thing that won't work is the "visual voicemail" feature, which lists voice messages as if they were incoming e-mail.

Since the details of both hacks are public, Apple may be able to modify the iPhone production line to make new phones invulnerable.

Analysts said it's unlikely Apple would overhaul the iPhone's wiring to thwart the new hack because the difficulty of the procedure is likely to keep it confined to hardcore hobbyists.

"I'm having a hard time figuring out where the real pain is going to come from in this," said David Chamberlain, principal analyst with market researcher In-Stat who follows mobile devices and services. "Just selling the piece of hardware, they've made a nice profit off that."

Apple has said it plans to introduce the phone in Europe this year, but it hasn't set a date or identified carriers.

There is apparently no U.S. law against unlocking cell phones. Last year, the Library of Congress specifically excluded cell-phone unlocking from coverage under the Digital Millennium Copyright Act. Among other things, the law has been used to prosecute people who modify game consoles to play a wider variety of games.

Hotz collaborated online with a large number of people to develop the unlocking process. Of smaller core group, two were in Russia.

"Then there are two guys who I think are somewhere U.S.-side," Hotz said. He knows them only by their online handles.

Hotz himself spent about 500 hours on the project since the iPhone went on sale. On Thursday, he put the unlocked iPhone up for sale on eBay, where the high bid was at $12,600 late Friday. The model, with 4 gigabytes of memory, sells for $499 new.

"Some of my friends think I wasted my summer but I think it was worth it," he told The Record of Bergen County, which reported Hotz's hack Friday.

Hotz heads for college on Saturday. He plans to major in neuroscience — or "hacking the brain" as he puts it — at the Rochester Institute of Technology.

___

Associated Press Writer Jordan Robertson in San Francisco contributed to this story.

Is the Internet Over?

2007-08-23T16:47:00.000-07:00

08.21.07

It's old, vulnerable, and overloaded. Yeah, the Net has its problems, but the thing is, it works.

By John C. Dvorak

I used to joke around about shutting down the Internet so that its protocols and basic architecture could be rewritten from scratch. I was semiserious. More recently, Elton John, who apparently can't use a computer, said the Net should be shut down for five years so that the arts can flourish. Okay, whatever. Myself and Elton John aside, we're actually now seeing serious initiatives that may result in the closing of the Internet as we know it.

There have always been undercurrents that have tried to eat away at the foundations of the current Internet. One is Internet2, a parallel-universe Internet that would be used by academia and perhaps the military. It would have ultra-high-speed file transfer without a lot of the latency issues that we experience with the current model.

A few years ago, people were chatting up Internet2, but most of that chit-chat has died down. Begun in 1996 to much hoopla, the project seems somewhat bogged down by the academicians it aims to serve. In the meantime, another parallel project, called National LambdaRail, appeared. It promoted more new technologies and ideas to achieve ultra-high-speed international networking. It recently merged with Internet2.

ADVERTISEMENT

Meanwhile, our old-fashioned plain-vanilla Internet is seriously planning on changing from IP version 4 to IP version 6. This is, for the most part, because of the never-ending complaint that "we're running out of IP addresses." IPv6 is supposed to be able to solve some security and spam issues, too. The problem here seems to be integrating IPv6 into the current network without causing all sorts of routing complications and other problems. From what I can tell, it's a nightmare.

Japan has just announced a 7.8 billion yen project to develop all-new security-centric architectures to replace the Internet in that country. This is supposed to be rolled out by 2020. Every so often, the Japanese get an itch to leapfrog everyone, and the results have been spotty. Their last overhyped project was the 1982 "Fifth Generation" scheme whereby Japan Inc. was going to jump past all current computer technology and develop a massively parallel architecture that actually works. It generated a lot of fretting and little else.

Not to be left out are the English. The House of Lords recently demanded that the Internet be rewritten from scratch because of the "wild West" nature of the current system. The primary concern is that of identity. The "nobody knows you're a dog when you're on the Internet" kind of thing seems to upset the upper crust in the U.K., although I doubt that many of them can even send an e-mail. Still, they are now all experts.

The fact of the matter is that the Net, as designed, is more robust and versatile than anyone imagined, and the likelihood that a new Internet would be as reliable might be sheer folly. Despite predictions that the Net was overtaxed and would collapse under its own weight, it keeps humming away.

There are four current concerns about the Internet. The main one seems to be security. How vulnerable are the Net and its users to various security attacks? This involves the anonymity factor as well. Old-line thinking does not like the idea that you can hide on the Net. They fear something bad will come from this.
ADVERTISEMENT

The second concern is that we are out of IP addresses (as mentioned above), and we've been forced to share them.

The next serious concern is the eventuality of IPTV and the likelihood that most TV will be running over the Internet someday. This has already been predicted to triple the load on the Net from the outset, with continued increases in bandwidth demand.

Then there is simply the Net's age. It's old. We know a lot more about protocols than we did in 1969 when the proto-Internet first appeared as Arpanet. Over time, the Net has been a transport mechanism for an amazing hodgepodge of protocols and subsystems, many of them quite old. Some think that newer is always better and that we need to scrap the old and reinvent the wheel.

Reinventing the wheel is problematic when that wheel is attached to a wagon that's moving. There is more to this than merely upgrading a recent "build" of AOL. The only way any change will work is literally to roll out a parallel system that can be used jointly with the current Internet. You know, like having a Mac and a PC on the same desk, or something like that.

That way we can make the change at our own pace—if we even want to change, that is. I'm not holding my breath that anything will happen for years to come.

IBM: Internet Threatens To Eclipse TV

2007-08-23T16:19:00.000-07:00

Mark Long, newsfactor.com 33 minutes ago

According to a new survey from the IBM Institute for Business Value, the amount of personal time that consumers now spend on the Internet rivals the amount of time they spend watching TV.

A total of 66 percent of the new survey's respondents reported viewing television programs from one to four hours per day, versus 60 percent who reported the same levels of personal Internet use. Moreover, researchers said the traditional TV set is increasingly taking a back seat to PCs and cellular handsets among consumers between the ages of 18 and 34.

In addition to conducting the new survey online, IBM researchers stopped young people on the streets of New York to record opinions on videotape. IBM said its informal street sample returned surprisingly similar results to its official survey.

As one of the respondents put it in an IBM video clip now available on YouTube, "If I had to pick between TV and the Internet at this point in my life, I would almost always choose the Internet." When asked why, he replied, "interactivity, for one, and No. 2, my entire life is on the Internet."

Traditional TV's Demise

So are we approaching the end of television as we have come to know it? Keep in mind that IBM's new survey was conducted online, which suggests that its results are skewed in favor of those already tasting the fruit of the Internet's vast global tree.

But with computer prices in freefall and a global push already underway to put computers into the hands of more people in developing nations, the Internet's rise to the top of media markets worldwide might not be as far off as traditional broadcasters, publishers, and advertisers would like to think.

"Just as the 'Kool Kids' and 'Gadgetiers' have replaced traditional landlines with mobile communications, cable and satellite TV subscriptions risk a similar fate of being replaced as the primary source of content access," noted IBM Media & Entertainment Strategy and Change practice leader Saul Berman.

Consolidated Content

IBM's surveyors said that today's Internet audiences are more in control than ever and increasingly savvy about finding ways to filter out marketing messages. And when it comes to mobile and Internet entertainment, consumers say what they really want is consolidated, trustworthy content.

Advertising agencies are going to have to move beyond their traditional creative roles and become brokers of these and other consumer insights, IBM's researchers said. In particular, online marketers will be forced to experiment to find new ways to make advertising more compelling, or risk being ignored.

Moreover, cable companies will need to evolve to embrace home media portals, while broadcasters and publishers will need to move to new media formats that cater to the evolving preferences of today's sophisticated online consumers, the researchers added.

Other TV Viewing Trends

Out of the 2,400 households responding to IBM's survey, which was conducted from mid-April through mid-June, 81 percent said they have already watched, or want to watch, video on their PCs, and 42 percent have watched or want to watch mobile video.

"Given the rising power of individuals and communities, media and entertainment industry players will have to become much better at providing permission-based advertising and related consumer-driven ratings services," said IBM Global Business Services Communications Sector managing partner Bill Battino.

With respect to the digital video recorder (DVR) market, 24 percent of U.S. respondents said that they have a DVR in their home and that at least 50 percent of their TV viewing takes place on replay. The good news for broadcasters is that 33 percent of U.S. respondents reported watching more television content now than before they owned a DVR.

On the other side of the Atlantic Ocean, however, video-on-demand services prove to be twice as popular as DVRs among UK consumers. Moreover, fewer than one-third of UK respondents said they had changed their overall TV consumption as a result of DVR ownership.

Google Sky allows users to tour galaxies

2007-08-22T14:21:00.000-07:00

By DAN NEPHIN, Associated Press Writer 5 minutes ago

PITTSBURGH - The heavens are only a few mouse clicks away with Google Inc.'s latest free tool. A new feature in Google Earth, the company's satellite imagery-based mapping software, allows users to view the sky from their computers.

The tool provides information about various celestial bodies, from stars to planets, and includes imagery from the Hubble Space Telescope and other sources. It also allows users to take virtual tours through galaxies, including the Milky Way, from any point on Earth they choose.

"By working with some of the industry's leading experts, we've been able to transform Google Earth into a virtual telescope," Lior Ron, a Google product manager, said in a statement.

The new software also promises users the ability to see planets in motion and witness a supernova.

There are other programs that provide information and pictures of the universe, but Google Sky blends it seamlessly, said Andrew Connolly, a University of Washington associate professor of astronomy and part of Google's visiting faculty program.

"What's unique about this is you have all of the imaging data over the whole of the sky actually streaming. So I can look at something that covers most of the sky, say our Milky Way galaxy, and I can zoom right into a tiny galaxy that's in the formation cycle," he said.

Google engineers stitched together "terabytes and terabytes" of images and other data, Connolly said. A terabyte can hold the text of roughly 1 million books.

"Sky in Google Earth will foster and initiate new understanding of the universe by bringing it to everyone's home computer," said Dr. Carol Christian of the Space Telescope Science Institute.

Current Google Earth users must download a new version from http://earth.google.com. The software works on computers running Microsoft Corp.'s Windows, Apple Inc.'s Mac OS X and Linux operating systems.

Google, the leading Internet search engine, already provides surface images of Mars and the Moon through its Web site, along with animated and satellite-based maps of Earth.

Google Sky was developed at the company's Pittsburgh engineering office.

YouTube videos to have 'overlay' ads

2007-08-21T19:45:00.001-07:00

By ANICK JESDANUN, AP Internet Writer 18 minutes ago

NEW YORK - Video advertising is coming to YouTube, but it won't be the type common at sites elsewhere. Starting Wednesday, the popular video-sharing site plans to feature semitransparent "overlay" ads at the bottom of selected video clips.

The ad disappears after about 10 seconds if the viewer does nothing; the featured clip automatically pauses if the viewer clicks on the overlay to launch the full pitch.

YouTube said it was trying to avoid pre-rolls that precede the main feature at sites like Microsoft Corp.'s MSN, which partners with The Associated Press on a video news service.

Shiva Rajaraman, product manager for YouTube, said internal tests show more than 70 percent of people give up when they see a pre-roll. By contrast, less than 10 percent decide to close an overlay, which they can exit by clicking on an "X" in a corner.

The overlay format also gives advertisers more flexibility, he said, because they aren't constrained to keeping a video ad at 15 or 30 seconds to avoid defection. Because a viewer chooses to watch, a video ad can run much longer — clicking on one pre-launch overlay launched a 2-minute trailer for "The Simpsons Movie."

YouTube, which Google Inc. bought last year for $1.76 billion, is still trying to justify its hefty sales price. Despite its huge audience, YouTube generated about $15 million in revenue last year, based on figures provided in Google's annual report.

The site already has been showing display ads, but video ads look to be far more lucrative, particularly as they attract brand-name advertisers already used to buying video spots on television.

Initial video advertisers on YouTube include Warner Music Group Corp., News Corp.'s 20th Century Fox and Time Warner Inc.'s New Line Cinema. They will accompany video clips from selected partners, including Warner Music, the band Killswitch Engage and dozens of heavy video contributors accepted into a user-partner program.

Marketers can target their ads by user demographics, location, time of day or genre, such as music videos or sports. They won't be able to buy ads by keywords, though, the way Google allows merchants to purchase text ads triggered by a user's search terms.

And unlike Google's pay-per-click search ads, advertisers will be charged by eyeball — $20 per thousand viewers — regardless of whether the user clicks on the overlay.

Revenues will be split with the video owner, although officials won't say how. The video owner can decline all ads or selected ones, such as those from competitors.

Despite differences with Google's keyword ads, which generate the bulk of the company's revenues, officials said the two share a common goal of being nonintrusive.

"Ads need to provide value to the user community," said Eileen Naughton, Google's director of media platforms. "We've proved over and over again on Google that ads are really useful information when users raise their hands and engage with them."

Apple's notebook market share climbs to 17.6 percent

2007-08-21T19:40:00.000-07:00

Jim Dalrymple - MacCentral 1 hour, 12 minutes ago

While Apple may be focusing a lot of its attention on the iPhone lately, consumers are clearly still interested in the company’s computer offerings. Data from one market research firm shows Apple’s notebook business broke 17 percent while another research firm said Apple has moved into third place among computer makers.

According to NPD, Apple’s U.S. retail notebook market share for June 2007 was 17.6 percent, an increase of 2.2 percentage points over the same period last year when Apple posted a 15.4 percent market share.

As good as the notebooks are doing, Apple’s overall standing among computer makers is up too.

According to data from research firm IDC, Apple’s continued rise in computer sales puts it in third place overall among all computer makers in the U.S. This is the first time since 1996 that Apple finds itself this high on the list of top selling manufacturers.

Dell took the top spot with HP coming in second place of total unit sales. With Apple taking the number three spot, Gateway and Acer round out the top five.

The good news continues for Apple — with increased notebook sales pushing it forward, the company now has an overall market share of 5.9 percent, up 1.1 percentage points from the 4.8 percent it posted this time last year.

In its most recent financial quarter Apple sold 1.76 million Macs, a 33-percent rise over what it shipped in the third quarter of 2006 and 2.5 times the industry-wide growth rate published by market-research firm IDC.

Mac sales for the quarter marked a record for the company, topping the previous quarterly high of 1.61 million Macs shipped during the fourth quarter of 2006.

While there was a rise in desktop sales for the quarter — 634,000 units compared to 529,000 for the same period in 2006 — laptop unit sales skyrocketed 42 percent to 1.13 million portables. All told, 64 percent of the Macs sold during the quarter were laptops.

Update: Clarified Apple's market share was in the U.S. and fixed the language for the percentage increases. 10:20 pm ET

Core 2 E6850: The Sweetest CPU of All

2007-08-21T10:51:00.000-07:00

Has it really been only just over a year?

Thirteen months ago, we wrote our first review of Intel's Core 2 Extreme X6800 processor. Since then, Intel has been a juggernaut, shipping new CPU models based on the Core 2 architecture, including the first quad-core desktop CPU, built by embedding two Core 2 dies on a single package and sharing the front side bus, as well as mobile and server CPUs based on Core 2.

Last month, Intel began shipping newer processors, built around the new G stepping, and increasing the front side bus speed to an effective 1333MHz. At that time, we took a look at the mainstream Core 2 E6750 and the new member of the Core 2 Extreme line, the QX6850.

Today, though, we look at the CPU that's really the current sweet spot in terms of price/performance ratios: the Core 2 E6850. Clocking in at 3.0GHz, this sub-$300 CPU runs at a marginally higher clock speed than the original Core 2 Extreme X6800, but is priced nearly 75% lower. Just as importantly, the E6850 is rated at a TDP (thermal design power) of 65W. We decided to pop in an E6850 in our standard test platform, built around an Intel P35-based motherboard, and put the CPU through its paces. We compare the results against a Core 2 E6750 and AMD's fastest mainstream desktop CPU, the Athlon 64 X2 6000+.

A Note about Motherboards
If you want to run one of Intel's new CPUs, you may need a new motherboard. Intel began shipping boards based on their new P35 and G33 chipsets back in June, which support the faster 1333MHz front side bus.

Test Systems and Benchmarks

We installed a Core 2 E6850 into a system consisting of an MSI P35 Platinum motherboard, using DDR2-800 memory.

POSTS:

Why buy this 2 core chip when i could buy a Q6600 and overclock it using the stock fan to over 3 GHz, and get 4 cores for the same price. I dont see how this is a sweet spot when almost ALL the Core 2 processors with a decent motherboard will run stably at over 2.8 GHz - ive built about ten such systems in the past 9 mths and they all run stable with the intel box fans at over 2.8 GHz. And dont give me that "for those who dont overclock" as the latter will probably be buying a dell and reading PC Magazine. In my opinion "those who dont overclock" a Core 2 duo chip is really an education issue. If you go to newegg and read the thousands of customer reviews on Core 2 Duo Chips 95% of them are talking about overclocking - so how is this chip a "9" and the sweetspot and you dont even mention the word overclock in your article

Question: Which revision of the MSI board did you use?

Comment: The price/performance is a tough argument for me. We are talking about a 40%+ increase in price over the E6750 with only about an average performance increase of around 10%. On the other hand, it's likely to add only around 10% or less to the overall cost of the system. Still, tough for me to say it hits the price/performance sweet spot. I would still give that to the E6750.

Suggestion: I would have loved to have seen the Q6600 thrown into the mix. Wilmark makes a good point about the potential benefits of quadcore. It would be nice to see the current performance gap between the E6850 and Q6600.

While it's true the E6850 and Q6600 are about the same price, you're missing a key point (which Loyd clearly mentions) ==> the thermal design power of an E6850 is only 65w ... so it will run VERY cool relative to a Q6600 (with a TDP of 105w). And there are still some of us who elect to run systems at their designed specs rather than overclock them Smile I have two fundamental requirements for systems I build: (1) QUIET, and (2) STABLE. An E6850-based system with an Intel chipset and a good 3rd party heatsink/fan combo (Zalman 9500) easily meets both of these criteria. A Q6600 solution will also ... which I would use depends very much on what use the system is for. At the moment I'm building two new systems => one in an HTPC case (for which I'll use the E6850 since the cooling in a crowded case like that is a factor) and one for my study (for which I'll use the Q6600 ... since the Antec P182 case I'm using has much better airflow). Bottom line: I'd say BOTH the E6850 and Q6600 are at "sweet spots) in price/performance ... it simply depends on the projected use of the system.

As for the arguement that the E6750 is more of a "sweet spot" ... clearly that's a matter of opinion => and just how price-sensitive you are. If the $75 or so savings is important to you, then by all means use an E6750 ... but for the small price differential many of us would prefer to get the E6850. The performance of either is not likely to disappoint Big Smile

Hello again Loyd. You know how to get us to chatter about your CPU reviews.

I am still waiting and eager to see you put an overclocked E4400 or E4500 into the comparison. Flight simulator supports up to four cores and therefore the Q6600 overclocked will yield better performance than the E6850, although most games will benefit from the latter CPU if overclocking is not in the mix.

Any good P35 motherboard that cost over $115 can yield over 3GHz from the E4xxx CPUs. Using stock Intel cooling, with the FSB set at only 300MHz an E4500 will be at 3.3GHz, compare that to the non-overclocked E6850 and let us know which is the winner, in performance and cost.

Clearly there are some trade offs between the Q6600 and E6850. I would never suggest overclocking as a primary method of comparison (that comment came for Wilmark). What I think would be interesting is to see an analysis of the tradeoffs. Clearly the E6850 is a more energy efficient processor, and it should have an overall performance advantage in single benchmarks. However, since most of us are running multiple apps, the question is: How much multitasking does it take before the Q6600's 4 cores pass the E6850's 2 cores in performance?

Now that there is a quad-core CPU at such a reasonable price, I would love to see at what point it's multi-core design offers a practical advantage over a comparably priced dual-core CPU.

Perhaps you've already seen this, but if not it comes pretty close to what you are asking for:

http://www.tomshardware.com/2007/07/20/overclocking_marathon_day_4/

As for the overclocking, if you're going to compare, I think you have to compare overclocked to overclocked. Otherwise, you're really just saying: "I'm going to buy the cheaper CPU and want to know if OC'ing gets me the same performance as the stock speed of the higher priced CPU. BTW, I've seen the E6750 top 4GH on air cooling, although not stock cooling.

mostlyprudent:

Perhaps you've already seen this, but if not it comes pretty close to what you are asking for:

http://www.tomshardware.com/2007/07/20/overclocking_marathon_day_4/

As for the overclocking, if you're going to compare, I think you have to compare overclocked to overclocked. Otherwise, you're really just saying: "I'm going to buy the cheaper CPU and want to know if OC'ing gets me the same performance as the stock speed of the higher priced CPU. BTW, I've seen the E6750 top 4GH on air cooling, although not stock cooling.

Thank you for the link, I had not read that one from Tom's Hardware.

I agree with your overclocked to overclocked suggestion, and that is one of the problems with the article from Tom's Hardware, they did not include a comparison that included the same hardware, with just swapping out the CPUs.

As in this thread, when I write to Loyd, I already know the answers to any questions or suggestions, I make them for the benefit of the readers of this forum. While Core 2 Duo CPUs have been pushed to over 5GHz it takes special cooling and extra cost, which negates the reason that people purchase inexpensive CPUs. Also, most people are unaware of overclocking or how to do it, therefore those people will purchase components or computers based upon stock CPU speed and a price they can afford. Often overclocking is done for cost reasons, to save money and have a more powerful computer.

As to overclocking my own CPU, I want my computer to be able to last for years, so I only use very slight or no voltage increases [for the CPU only, none for RAM, chipset, and etc.], and I use Intel's supplied cooling if appropriate. Also, the FSB is important as this impacts more than the CPU. In my above example, an E4500 at a FSB of 300 would yield 1200MHz quad pumped. The E6850 or E6750 is already quad pumped at 1333MHz, which can limit further overclocking especially price/performance overclocking, which many overclockers use as a reason to overclock. So, a P35 motherboard will be very happy running an E4xxx CPU at a 50% overclock while using inexpensive DDR2 800 RAM and stock Intel cooling.

Most people overclock to either make their $115 Core 2 Duo yield more performance than a $1000 CPU, while a few [including some companies] use a $1000 CPU overclocked to yield performance yet unseen from non-overclocked CPUs.

Thank you for your input, your points are valid.

In Japan, 3D images in your pocket

2007-08-21T10:15:00.000-07:00

TOKYO (AFP) - Japanese mobile phones already let users shoot films and share them with friends. It may not be long before the images go another step -- becoming completely three-dimensional.

Japan's Hitachi, Ltd. has developed a lightweight 3D display that can potentially be adapted for mobile devices such as telephones.

The gadget, using what is known as stereoscopic vision display, weighs only one kilogram (2.2 pounds) and resembles an upside-down, multiangular pyramid full of mirrors on top of a liquid crystal display.

"It's very small and portable," Rieko Otsuka of Hitachi's Advanced Research Laboratory said Tuesday.

Taking advantage of the portability of the display, the company expects it can be put to use to show museum pieces at schools so they will appear as if they are standing up right in front of students.

Otsuka expects to put the device to further use.

"I'd like to see the technology eventually applied to mobile phones, so people could see images three-dimensionally from their handsets," she said.

Review: New iMac tempts a Windows user

2007-08-16T17:47:00.001-07:00

By PETER SVENSSON, AP Technology Writer Wed Aug 15, 4:16 PM ET

NEW YORK - Apple Inc. has dropped "Computer" from its name, but its computer business is still growing, even if the iPod player is the company's real star.

Apple's resurgence started with the first iMac, in 1998. Little by little, Apple has been persuading people to opt for Macintosh computers over Windows PCs.

After Apple refreshed its iMac line last week, I decided to test one from the perspective of a Windows user. I found it to be a powerful if not completely irresistible enticement to switch.

If you haven't looked at iMacs in a while, they now look like half a laptop — the display half, with the processor and other components built into the flat-panel screen. The new iMacs ditch the plasticky look that's been a hallmark of the line since the beginning, replacing it with an aluminum casing that's even thinner than before.

It's very sleek-looking, but do you remember the first iMacs? They resembled colorful television sets and looked more fun than a pack of bubble gum. Then there was a special edition with a transparent gray cover, through which you could see the copper coils on the back of the cathode-ray tube. That was hot.

With the latest models, the iMac has grown up, gone to business school and now wears a suit — a very well-cut suit. It won't look out of place anywhere, but it's not as exciting.

The basic model costs $1,199 and has a 20-inch screen. Another $300 gives you a faster processor and graphics card and a bigger hard drive. The top model, for $1,799, has all those components but a 24-inch screen instead. All have one gigabyte of memory. The prices are roughly $300 less than the previous line, for the same size screen.

I tested the middle model, but with an extra gigabyte of memory, which costs $150. When I removed the extra memory, I didn't find a difference in how fast the unit started up, switched between programs or rendered a high-definition movie in iMovie.

That tells me that most users will probably be fine with the cheapest model and the standard 1 GB of memory, because processor speed is not that important anymore. Apple's operating system clearly makes good use of memory; Microsoft Corp.'s new Windows Vista will barely give you the time of day on 1 GB.

I found the iMac very easy to get working on, even though I haven't used a Mac intensively for some time. Getting online through my home wireless network using the built-in Wi-Fi card was a cinch, as was video chatting using the built-in camera and my AOL Instant Messenger account. The iMac's iTunes software immediately found the iTunes music library on my home PC and gave me access to the songs.

Along with the new computers, Apple updated its iLife suite of software, which normally sells for $79 but comes free with the iMac.

The iMovie program, in particular, has been thoroughly revised, with a new and very handy interface. Despite little experience with movie editing, it took me just half an hour to boil down an hour of footage into a 2-minute high-definition movie of my baby, shot with a brilliant camera from Panasonic, the HDC-SD1 (street price $750). Uploading the movie to a gallery on Apple's .mac Web service took only a few more steps.

That's the Apple experience in a nutshell: Tight integration of hardware, software and Web services, along with great interface design, allowed me to download, edit and upload the video without ever going to the user manual.

So why am I not completely sold?

Well, I found some flies in the ointment. I'd call them "maggots in the apple," but that's trite and makes too big a deal of them.

I had problems accessing files on my home PC via the wireless network. The iMac would only sometimes show the PC's shared folders. There's probably a fix for this, but this is something that should work out of the box.

Like many other computers, the iMac has three different modes of inactivity: display off, sleep mode and shut down. The trouble is, there's no clue which state your iMac is in, and different inputs can be used to wake the computer up. If the display is off, moving the mouse will turn it on. But if it's in sleep mode, you need to click the mouse. If it's off, neither of those will work, and you have to press the power button.

Turning on a computer shouldn't be a guessing game. Sure, minimalism is great, but it wouldn't have killed the design to put in an LED that indicates the computer's state of relaxation.

In the iMac's favor, power consumption in operation is low, at around 75 watts according to my meter. That's comparable to a laptop, and about half of what a powerful desktop PC will draw, excluding the monitor (Remember: the iMac's power usage includes the built-in monitor). In Sleep mode, the iMac draws just 2 watts.

My other complaint is with how the screen displays small type, like the body text of Web sites. It looks faint and blurry on the iMac screen. This isn't unique to the iMac, as it has to do with how Apple's operating system places text relative to the pixel grid on LCD monitors.

Microsoft's ClearType technology produces text that has better contrast and is more legible. It's less faithful to the design of the font, which is why Apple resists it. But I'm not a graphic designer and not particularly appreciative of the beauty of fonts, and I should have the option to engage something like ClearType on the iMac.

These are minor complaints.

The iMac deserves to be a strong contender for any PC user looking to get a new computer. If I was looking to replace my PC right now, I would be sorely tempted. Even the Windows software I've accumulated over the years isn't a real reason not to switch, because Macs can now run Windows, too (with some additional software purchases).

However, unless you're shopping for a computer in preparation for the fall semester, wait to get an iMac in October, when Apple is to roll out a new version of its operating system, called "Leopard," with improvements to the user interface. If you've already bought a computer, the upgrade will cost $129.

From VCR to DVD: Update Your Oldies

2007-08-16T17:36:00.000-07:00

From VCR to DVD: Update Your Oldies
08.01.07

By Neil Randall

With the VCR approaching extinction, this is a very good time—maybe even an essential one—to convert your old VHS tapes to DVD. Your kid's first steps, for instance, or that shown-only-once holiday movie you taped off a local channel.

The easiest way to make the conversion is to purchase a standalone DVD/VCR combo recorder that lets you dub from one medium to the other. Sony, Toshiba, and Panasonic (among others) offer such models, with easy interfaces for performing the conversion. But do you really want to buy a piece of dying technology?

Another way is to connect your VCR to a standalone DVD recorder and follow the manufacturer's instructions for both units. But you may already have a DVD recorder—your PC. And, in fact, your PC offers something the standalone hardware does not: the ability to edit the video. You might want to do this not only for videos you made yourself—to cut out the extraneous material—but also to combine two copies of a favorite movie (if a different portion of each one has deteriorated, for example).

The entire process takes 5 to 6 hours, but in the end you'll have a DVD version of your movie and, even better, a copy of the video stored on your drive. And unlike tapes, these copies won't degrade with multiple plays. —

1 Equipment
The goal is to transfer the video from the videotape to the hard drive, edit it, and then burn it onto a DVD. So first you need a tape player. Either a VCR or a camcorder that plays your tapes will do, but here we'll assume the former. You also need a video card with video capture capabilities, which several manufacturers offer (the ATI All-in-Wonder X1900 ships with the device shown at left, which lets you connect your VCR to the card itself), or a separate video capture card or device, available from companies such as ADS Tech (its Video Xpress is pictured above), Hauppauge, or Pinnacle. You'll also need appropriate patch cables for the capture, software to import the video and edit it, and software to burn it to DVD. And, of course, you need a DVD-recordable drive and blank DVD discs.
ADS Video Express.

On the software side, your capture card or device will almost certainly include a feature for capturing video, and third-party apps are also widely available. Regardless, Microsoft Windows XP and Vista both come with Windows Movie Maker (WMM), a decent-enough utility for this purpose, especially when you're dealing with amateur video from camcorders. WMM also lets you edit your video—experiment with it using video clips you already have on your PC, even before getting a capture device.

Connect The Source

2 Connect the Source
First, install the video capture card or connect the capture device to your PC (via USB, FireWire, or standard RCA cables). Next, connect the VCR (with the tape inside it) to the capture hardware by running the appropriate cables between them, and then start the capture software. The next step depends on the actual software, but the basic procedure involves playing the tape in the VCR and pressing the Record or Capture button in the capture program's window. I'd recommend halting the process after a minute or so and checking to make sure you're satisfied with the volume. Happy? Then start over, and simply wait until all the video footage you want has been fully captured. — From Raw to Burn

3 Now You Have Got Raw Video
Load the video into the editing software and edit it as you wish, using the software's interface. (For a library of PC Magazine video-editing tips and tricks, see go.pcmag.com/videosolutions.) WMM provides a storyboard along the bottom of the screen from which you edit and preview your video. Add titles, effects, and transitions if you want to do so, and save often.
Burn, Baby, Burn

4 Burn, Baby, Burn
When finished, launch your DVD creation software. (With many packages, the editing and creation software work together.) DVD creation software is readily available from third parties, but if you have Vista, Windows DVD Maker (which I use here) will do the trick. In fact, if you edit your video in WMM, DVD Maker launches automatically when you instruct WMM to publish a movie project to DVD. If you merely want a copy of a movie from your VCR, you won't need to add anything, although you can divide the movie into scenes for easier navigation (a process that takes considerable time). Of course, you can also add menu titles, graphics, and any other elements you want.

Once you've finished, put a disc into your DVD drive and record. The DVD encoding process can be a lengthy one—several hours is not uncommon—so this is a very good time to get some work done or, better still, leave the computer and go watch a movie.

Compact Disc celebrates 25th anniversary

2007-08-16T16:07:00.000-07:00

By TOBY STERLING, Associated Press Writer 1 hour, 51 minutes ago

EINDHOVEN, Netherlands - It was Aug. 17, 1982, and row upon row of palm-sized plates with a rainbow sheen began rolling off an assembly line near Hanover, Germany.

An engineering marvel at the time, today they are instantly recognizable as Compact Discs, a product that turns 25 years old on Friday — and whose future is increasingly in doubt in an age of iPods and digital downloads.

Those first CDs contained Richard Strauss' Alpine Symphony and would sound equally sharp if played today, says Holland's Royal Philips Electronics NV, which jointly developed the CD with Sony Corp. of Japan.

The recording industry thrived in the 1990s as music fans replaced their aging cassettes and vinyl LPs with compact discs, eventually making CDs the most popular album format.

The CD still accounts for the majority of the music industry's recording revenues, but its sales have been in a freefall since peaking early this decade, in part due to the rise of online file-sharing, but also as consumers spend more of their leisure dollars on other entertainment purchases, such as DVDs and video games.

As the music labels slash wholesale prices and experiment with extras to revive the now-aging format, it's hard to imagine there was ever a day without CDs.

Yet it had been a risky technical endeavor to attempt to bring digital audio to the masses, said Pieter Kramer, the head of the optical research group at Philips' labs in the Netherlands in the 1970s.

"When we started there was nothing in place," he told The Associated Press at Philips' corporate museum in Eindhoven.

The proposed semiconductor chips needed for CD players were to be the most advanced ever used in a consumer product. And the lasers were still on the drawing board when the companies teamed up in 1979.

In 1980, researchers published what became known as the "Red Book" containing the original CD standards, as well as specifying which patents were held by Philips and which by Sony.

Philips had developed the bulk of the disc and laser technology, while Sony contributed the digital encoding that allowed for smooth, error-free playback. Philips still licenses out the Red Book and its later incarnations, notably for the CD-ROM for storing computer software and other data.

The CD's design drew inspiration from vinyl records: Like the grooves on a record, CDs are engraved with a spiral of tiny pits that are scanned by a laser — the equivalent of a record player's needle. The reflected light is encoded into millions of 0s and 1s: a digital file.

Because the pits are covered with plastic and the laser's light doesn't wear them down, the CD never loses sound quality.

Legends abound about how the size of the CD was chosen: Some said it matched a Dutch beer coaster; others believe a famous conductor or Sony executive wanted it just long enough for Beethoven's 9th Symphony.

Kramer said the decision evolved from "long conversations around the table" about which play length made the most sense.

The jump into mass production in Germany was a milestone for the CD, and by 1982 the companies announced their product was ready for market. Both began selling players that fall, though the machines only hit U.S. markets the following spring.

Sony sold the first player in Japan on Oct. 1, with the CBS label supplying Billy Joel's "52nd Street" as its first album.

The CD was a massive hit. Sony sold more players, especially once its "Discman" series was introduced in 1984. But Philips benefited from CD sales, too, thanks to its ownership of Polygram, now part of Vivendi SA's Universal Music Group.

The CD player helped Philips maintain its position as Europe's largest maker of consumer electronics until it was eclipsed by Nokia Corp. in the late 1990s. Licensing royalties sustained the company through bad times.

"The CD was in itself an easy product to market," said Philips' current marketing chief for consumer electronics, Lucas Covers. It wasn't just the sound quality — discs looked like jewelry in comparison to LPs.

By 1986, CD players were outselling record players, and by 1988 CDs outsold records.

"It was a massive turnaround for the whole market," Covers said.

Now, the CD may be seeing the end of its days.

CD sales have fallen sharply to 553 million sold in the United States last year, a 22 percent drop from its 2001 peak of 712 million, according to Nielsen SoundScan.

Napster and later Kazaa and BitTorrent allowed music fans to easily share songs over the Internet, often illegally. More recently, Apple Inc. and other companies began selling legal music downloads, turning the MP3 and other digital audio formats into the medium of choice for many owners of Apple's iPods and other digital players.

"The MP3 and all the little things that the boys and girls have in their pockets ... can replace it, absolutely," said Kramer, the retired engineer.

CDs won't disappear overnight, but its years may be numbered.

Record labels seeking to revive the format have experimented with hybrid CD-DVD combos and packages of traditional CDs with separate DVDs that carry video and multimedia offerings playable on computers.

The efforts have been mixed at best, with some attempts, such as the DualDisc that debuted in 2004, not finding lasting success in the marketplace.

Kramer said it has been satisfying to witness the CD's long run at the top and know he had a small hand in its creation.

"You never know how long a standard will last," he said. "But it was a solid, good standard and still is."

___

Associated Press Business Writer Alex Veiga contributed to this report from Los Angeles.

Mexico City pollution harms child lung growth: study

2007-08-15T18:00:00.000-07:00

Wed Aug 15, 3:19 PM ET

MEXICO CITY (Reuters) - Contaminated air that hangs over the Mexican capital, one of the world's biggest cities, does more damage to children than cigarette smoke and may cause chronic lung diseases when they are adults, a study showed on Wednesday.

In a study of 3,170 eight-year-old children at schools in the city, scientists found the pollution prevented young lungs from growing and working properly.

"Strikingly, the effect of pollutant exposure ... among the children in (the) study was slighter greater than the effect of exposure to maternal smoking among children in the United States," researchers at Mexico's National Public Health Institute wrote in the August issue of American Journal of Respiratory and Critical Care Medicine.

Perched at 7,300 feet in a bowl-shaped valley where the air is thin and vehicle fumes get trapped, Mexico City has tried to cut its smog levels by closing factories, hauling old cars off the roads, modernizing aging buses and promoting bicycle use.

But contamination in the metropolitan area, home to some 18 million people, is still a problem.

"Although we could not identify specific sources (of the pollutants), the effect is likely to be due to vehicular exhaust," the researchers who led the three-year study wrote.

Their research is considered a step beyond previous studies that documented reversible, short-term breathing problems that big polluted cities can cause children.

Microsoft ups Hotmail storage to 5 GB

2007-08-15T17:56:00.000-07:00

By JESSICA MINTZ, AP Technology Writer Wed Aug 15, 4:18 PM ET

SEATTLE - Microsoft Corp. will soon let users of its Hotmail service store 5 gigabytes of photos and other e-mail messages, more than double the previous limit.

Of course, only a small number of Hotmail users will ever approach that threshold, a reality the software maker acknowledged in a blog post this week outlining the storage boost and other upgrades to the free, Web-based service.

"Just when you were wondering how you'd ever fill up 2 or 4 GB of mail, we've given you more storage," wrote Ellie Powers-Boyle, a program manager for Windows Live Hotmail.

Microsoft's new limit, from 2 GB currently, will leapfrog Google Inc.'s nearly 3 GB. Yahoo Inc. and Time Warner Inc.'s AOL e-mail services already include unlimited free storage.

Yahoo has the most active users in the United States among Web-based e-mail services, according to Nielsen/NetRatings. Hotmail ranks second, followed by AOL at third and Google's Gmail at fourth.

Microsoft said Hotmail will also get faster in coming weeks thanks to performance improvements. E-mail users will also see a new "report phishing" button and a way to combine duplicate contacts in the address book.

When Hotmail users log in, they currently see a page filled with news headlines and photos from Microsoft's MSN sites — not their inbox. Soon, Microsoft will let users choose to go straight to their e-mail and skip the extra content.

"We know this is going to be a big hit with a lot of you out there in blog land," Powers-Boyle wrote.

Nine in 10 Americans say ban texting while driving

2007-08-08T14:34:00.000-07:00

Tue Aug 7, 10:36 AM ET

NEW YORK (Reuters) - Ninety-one percent of Americans believe sending text messages while driving is as dangerous as driving after having a couple of drinks, but 57 percent admit to doing it, a poll released Tuesday said.

The Harris Interactive survey commissioned by mobile messaging service Pinger Inc. found 89 percent of respondents believe texting while driving is dangerous and should be outlawed.

Even so, 66 percent of the adults surveyed who drive and use text messaging told pollsters they had read text messages or e-mails while driving. Fifty-seven percent admitted to sending them.

The state of Washington in May passed the first ban in the United States on texting while driving and at least six other states including New York, California and Florida are considering similar legislation, Pinger said in a statement releasing the survey results.

The survey found that men and women sent text messages while driving at equal rates but that the young did so more frequently. Sixty-four percent of those who admitted to sending text messages while driving were aged 18 to 34 while 6 percent were 55 or older.

The poll surveyed 2,049 U.S. adults from June 29 to July 3, giving the survey a margin of error of plus or minus three percentage points.

5 Free Online Video Editing Sites Reviewed

2007-08-07T13:29:00.000-07:00

Some people would be surprised that you can edit photos online without locally installed software, but surely video editing is too resource-intensive to be done over the web, right? Wrong! We review five online services that let you do things like scene transitions, cuts, splices, loops, audio overlays—and they're all free. We tested the following:

* Cuts
* Eyespot
* JumpCut
* Motionbox
* One True Media

None of these free services is going to put installed video editors like Pinnacle Studio or the $800 Adobe Premier out of business. If you're willing to spend about $50, you can go with Pinnacle Studio or Ulead VideoStudio. But these free online services offer a way for regular Joes to have fun manipulating their multimedia digital content and also give them an easy way to share them with friends and the world at large.
Online Video Editors

Let's begin with our first video editing site in this roundup: Cuts.

Cuts

Cuts, the most recent entry in the online video editing game, states its mission as enabling "easy control of the video experience." This is contrasted with what networks and cable offer you. As the name implies, the web app, still in beta, lets you edit out the boring parts, add captions, insert sound effects, and produce loops. It also lets you share your creation via email or by embedding the video into your blog. The service doesn't actually perform the edits on the original video, but creates sort of an overlay that presents your edits.

Cuts works on online video, not directly on your home camcorder creations. Of course, you can upload your video to YouTube, MySpace, or Google Videos and then use Cuts on it. They plan to regularly add video hosting/sharing sites to this list, but that's it, at time of review.

Working with Cuts involves three major steps:

* Bring a video—enter the URL of the video
*
* Make the edits—cut scenes, add captions, add sounds
*
* Share it.

In addition to entering a URL from one of the three sites mentioned above, you can also edit a video for which you have the direct FLV (Flash Video) URL, such as those provided by blip.tv. FLV is the format used by YouTube, Google Videos, Yahoo! Videos, and MySpace.

Once you've entered your video URL, the service loads it (the time it takes, of course, depends on the length and quality of the video), and then you're taken to the Cutter:

You create all effects by dragging their buttons onto the timeline at the bottom. A feature that will let you zoom in on the timeline is labeled "coming soon." When you move the time indicator along the timeline, the video window doesn't show what will appear at that moment, but the first frame of the next scene. Note you can't use your own sounds, but must choose from the 28 prerecorded ones on the grid of buttons. We find the choices rather juvenile (think fart) and wish we could use sounds we created or found. We'd think it's very likely that people would want to add some music track to their video, as other sites reviewed here can do.

Adding captions is also simple: You go to the Captions table, drag the one button there to the timeline, enter some text, and you're done. Captions can be up to 50 letters long. You can control how long the caption appears by dragging the edge of its bar on the timeline.

The skipping and looping tools require the web app to analyze your video, which only took six seconds on a video that was 1.5 minutes long, but the time varied, probably depending on how busy the server was. This analysis finds and marks "scene changes" with a vertical rule on the timeline. You click the Skip/Loop tab again, and then you can drag buttons for either of those functions to one of these vertical lines on the timeline.

When you choose Loop, a dropdown list gives you a choice of how many times you want the scene to loop, up to five times.

We were surprised that Cuts doesn't offer scene transitions, especially since it has a tool that determines scene changes in the video you're editing.

When you go to save your edited video, you're required to enter a title and description, and given the option to add tags and make the video visible to the world. After the cut is saved, it is added to your My Cuts page (which, of course, requires you to have signed up).

When you click on a video in My Cuts, it loads all your captions, sound effects, cuts and loops for it, and then you can re-edit it or share it via an HTML snippet for your blog, a URL to cut and paste, an email button that opens your default email client. There are also buttons to send your Cut to social sites Digg, del.icio.us, furl, BlinkList, and reddit.

If there's a YouTube video you like, but think it just goes on too long or needs captions to illustrate or comment on what's going on, you'll have fun with Cuts. All the effects worked for us without a hitch. We think it's pretty limited compared with other services, however. We think the site's claim that it's easy is true, but as is often the case, that ease comes at the expense of capability.

Cuts' developers have plans in the works to offer similar editing for DVDs and longer downloaded videos such as TV shows. We have to wonder what people will want to cut out of those? The company also wants to work with cable and satellite providers to enable them to air edited versions of show. We thought they already had that capability, but maybe Cuts plans to make it easier and give them a way to keep the original content intact while displaying the edited versions.

Eyespot

Eyespot's tagline is "Movie Making for All of Us." It's pretty much a YouTube with editing: It hosts your uploaded videos and makes them available (optionally) for all to see. Eyespot goes beyond Cuts in allowing you to add music of your own choice and to apply scene transitions, though there are only two of these—fade and dissolve.

A simple signup asking for your email, a username and password is required before you can do anything.

After you finish this simple signup, your choices are

* Upload files
* Get free videos and music
* Start mixing
* Watch movies
* Manage your account

The service accepts lots of video file formats, including ASF, AVI, DivX, DV, FLV, MOV, MPEG, MPG, MP4, RM, WMV, 3GP, and 3G2—most everything you'd probably use. It also lets you upload picture files in the usual formats, including BMP, GIF, JPEG, JPG, PNG, and TIFF. Finally, for your soundtracks, you can upload audio in AAC, MP3, MP4, RM, WAV, and WMA file formats. One WMA file we tried uploading didn't appear in our Eyespot media; we suspect DRM was to blame. A progress bar appears when you choose a file to upload, which can take several minutes for video. The maximum file size is 100MB, and you can actually upload 10 at a time, though that does slow things down.

One very slight oddity was that after you choose the file from a standard File>Open dialog, you have to hit a green Download button, which on our test system appeared below the bottom of the browser window; since the progress bar is already showing, this at first led us to think something was broken. If you don't have any media of your own, you can use clips from Eyespot's partner sites, accessible from the Saved Media link on the Media page. For example, Paramount makes some clips available for your mixing pleasure.

Once you've uploaded your videos and photos, it's time for the Mixer:

The "timeline" in this service is just a row of rectangles for your videos and images, which you drag onto the rectangles in the order you want them played. You can have up to 100 of these rectangles. There are a bunch of effects, as you can see in the screen above: In addition to monochrome colorizing, there are slow and fast motion, and video distortion options. The latter include fun things like 1970s, 1940s, and 1890s looks, as well as effects called mosaic, trance, and Warhol—all in all there are 32 choices. Clicking Transition on the left menu gives you just three choices: Fade In, Fade Out, and Dissolve. These you drag into their own rectangles between the clips you've entered. The same goes for titles: You type your text in, you get a title rectangle, and then drag it where you want it in the mixing rectangles.

If one of your video clips is going on too long or has some boring parts you want to cut out, you can choose Trim/Play, right under its thumbnail, which brings up a popup that lets you do just that:

Soundtracks get their own bar below the rectangle, onto which you drop your tracks. We could only get one song to play per mix, and the sound in the video clip plays as well as the audio file you've overlaid.

After you've got all you clips, effects, dissolves, and music in the mixer, it's time to hit "Mix and Play" if you've entered anything in the rectangles that don't make sense, you'll get a message box telling you to fix it. An example would be a dissolve without a clip before and after. When all is correct and you've hit mix, the display will look something like this:

The Mix Time is how long it takes to create your mix, not the play time of the resulting mix. If Eyespot's servers are busy, you'll get a message like "There are five mixes ahead of yours." But we didn't experience much delay. We could only apply one effect at a time. For example, we weren't able to get slow motion and "Warhol" on the same clip.

After you're happy with your multimedia creation, it's time to share it with the world. On your Media page, you can choose to have your video Public or Private; it's Public by default, so be sure to choose Private when you upload or change it on the media item's page. Eyespot lets you share content in several ways: You can publish it on your blog via a button (we're not sure how Eyespot knew about our LiveJournal blog, but there it was in the choices), add it to groups you belong to in Eyespot. Joining these is as simple as going to the Groups link, clicking on a group (or starting a new one) and clicking Join. Thereafter, your joined groups with appear among your Publish choices. Finally, you can one-click upload the video to video sharing sites Veoh and blip.tv.

Alternatively, EyeSpot lets you download your creation in Mac, PC, iPod, PSP, and DivX formats.

For any type of editing, an Undo feature is nice, but Eyespot unfortunately doesn't have it. In place of a specifically named "Help" feature, there's a FAQ link, which effectively serves the same purpose. A very minor complaint is that the anchor links on this page didn't take us to the chosen topic in Firefox. Otherwise everything worked fine in that browser.

We found the AJAX and Flash-powered Eyespot to be a fun piece of webware to fool around with. The collection of special effects can keep media junkies happily creating and remixing for hours. It's quite easy to figure out.

JumpCut

The beta Jumpcut, a 2007 Webby Award nominee and Yahoo acquisition, is another YouTube-type site with the added capability of letting you mix and mash up your media. After a simple signup, you get started by either uploading your video files (they can be in .MPG, .MP4, .MOV, .FLV, .AVI, or .WMV format), remixing a video already hosted on the site, or play with a demo clip. Like Eyespot, the maximum accepted file size is 100MB. You can upload pictures in .JPG, .BMP, .PNG, .GIF, or .TIFF formats, while audio file uploads are limited to .MP3 and .WAV files. Choosing the Public or Private option for you uploads is clearer in JumpCut than in Eyespot, and you can assign tags at upload time. There's no progress bar during the uploading, just a spinning wheel, so you're in the dark as to how much long the upload will take. An alternative is to upload via an email address, which the service assigns you when you sign up.

There's also a Multiple Upload option that boasts another award; it is nice looking, but we're not sure why it's not just the default, as it doesn't offer drag and drop. This method actually does show a live percent uploaded for each file. If you upload multiple still images, this method will create a little slideshow movie of them. Some of the transition styles are amusingly titled: None, Smooth, Ken Burns, Slide Across, Diagonal Wipes, Net Love, Quiet. We couldn't actually tell the difference between Quiet and None.

Right off the bat, we got an error uploading a 500KB .WMV file that we had no trouble uploading to Eyespot. We then tried uploading a smaller file, with the same result. Switching from Firefox to Internet Explorer fared no better, and finally, we decided to go over to a Mac and try it in Safari. Same result, with the download stalling at the same exact percent completion—58%. We figured that maybe our wireless Internet connection had something to do with it, and so we plugged directly into the Ethernet connection. Same result.

We were sorry to experience this problem in this beta product, because it's one of the nicer looking and full-featured services. We hope it was just a beta hiccup. So we continued testing its capabilities with videos already on the site, successfully uploaded by others.

A wizard can walk you through the process of creating your movie, or you can go directly to the editor. Mashups with Flickr and Facebook get you started, but the one with Flickr didn't find our pictures after we allowed access.

In the JumpCut editor, you add videos to the mix by dragging them to the bottom of this window:

You can drag them around to get the order you want.

When you add a clip, a progress bar shows it loading into your movie; doesn't take long. You get a choice of 13 transitions—wipes, fades, dissolves, circles, L Cut, and Ken Burns among them. And Jumpcut gives you 31 effects to apply—things like messing with colors, many overlays of shapes and figures, rain. Titles for you movie come in many fonts and presentations such as zooming, scrolling across the screen, and more.

You upload audio files to use in your movies. We had no problem doing this, and we could add music to play in the background of over movie, and we could adjust the volume of the song and the clip audio individually for a good mix of levels.

Help is in the form of a searchable blog, a Tips page, and a Quick Guide. We didn't find an entry for the Slice choice. There's also a Tips button, which brings up a panel of the editors basic operation.

Since Jumpcut doubles as a video sharing site á la YouTube, it's easy to give your work of art some exposure. At the bottom right-hand side of the Create page, you can press Publish, to bring up this page:

The place anyone visiting Jumpcut can find published videos is called the Wall:

As you can see from the left-hand sidebar, there are lots of ways to select the videos you want to see: by popularity, newness, and so on. One sweet option is Most Loved. Each movie's page has a heart below the video, which you can click to show that you love it; the number of people who love the movie appears next to the heart:

Jumpcut offered the most effects of the tools we looked at, a clean, clear interface, and community features. We only hope they'll work out the upload problems (we noticed other users having problems uploading on the site's help blog, so we're not alone in experiencing this). Yahoo! doesn't seem to have changed Jumpcut or integrated it into the main Yahoo set of sites yet, but the movie editing site will add some slick tools to the personal portal giant's arsenal.

Motionbox

Motionbox's tagline is "Personal video sharing made easy," and the implication is that it's more like aYahoo! Photos or Picasa Online for videos—a way to make your videos available to friends and loved ones without sending huge files. It's about taking those little movielets from your digital still camera with a bit of movie capability or from your cell phone that can do the same. We're not talking about major feature-length productions, here.

One nice difference with Motionbox is that when you sign up, you can designate a default of Private for your media. The supported file formats for your uploaded videos are AVI, MOV, DV, MPG, MP4, WMV, ASF, and QT. It also assigns you an upload e-mail address to send videos from you phone or other mobile device.

The uploader lets you choose multiple files for simultaneous uploading:

During uploading, it displays a progress bar for each individual file as well as for the overall upload status. Unlike some other online video editing services, Motionbox is not about mixing still pictures with video and sound, so there's no uploading photos or audio.

After you've uploaded some video, you can move over to your My Videos page:

Note the nice use of tooltips on the right that augment the menu choices. Note also the "video e-card" choice, showing Motionbox's goal of getting your vids to family and friends. A number of cutesy formats can be applied to the background in your cards:

On the page for an individual video clip, you'll see text boxes with code that you can use on your blog and a direct URL link to the video.

The service has the simple goals of letting you combine, trim, and reorder your video clips into one movie, so, for example, you could send a friend one video instead of three of the same event. The mixer has a nice timeline that shows an exact moment in the video (note the triangle and pointer in the thumbnail below the video window):

The slider on the right just above the "timeline" lets you choose how many seconds each thumbnail represents. So you order and trim the videos in a mix, and that's it. It would be nice if you could add more video clips from this mixing page; you have to have selected them ahead of time, though you can remove one.

Your options after this editing process are the same as for videos you've merely uploaded: Share (via email ), video e-card, mixer (again), group (which lets you add the video edit to any Motionbox group you've joined), Favorites, Playlists, and Delete. At the time of review, there were 56 groups, with diverse names like Activism and Social Justice, Critters!, and Toilets of the World.

Help consists of a small FAQ and some nicely presented How To guides.

Motionbox is a nice looking service, but it just doesn't do very much. A few special effects—even just transitions and loops—would make it more appealing.

One True Media

Like Motionbox, the free One True Media is primarily about creating montages by splicing your uploaded video clips. But it turns out to offer a lot more than Motionbox: transitions, music backgrounds, and text frames among them. The site also offers a premium version for $39.99 annually or $3.99 a month, and some options you'll see in the free service are labeled "Premium" and are only available if you pony up. Premium does more transitions, special effects, fonts, themes. It also enables DVD burning, gives you 20GB storage for your media, and lets you download your edited video to iPod or QuickTime file formats. We're looking at free here, so look for an in-depth review of that paid service at a later date.

The site accepts the following file formats: MPEG (.MPEG, .MPG, .MP4), QuickTime (.MOV), Audio Video Interleave (.AVI), Windows Media Video (.WMV), 3G Mobile Phone Video (.3GP), and JPEG (.JPG or .JPEG). When you create a video montage with the free version of One True Media, you get the option of having the work's title display at the beginning. This is even before you upload video clips. By default, the uploader supports multiple files, which we think makes sense. When you start uploading, you see a small, spinning, circular arrow and the percent complete, one file at a time. Uploading was fast compared with the other services.

When you've got some files uploaded, you click Done, and you're taken to your video's page:

Note the options to burn a DVD or photo book on the right. When you click on the DVD option, you get this page, showing a choice of case art for your DVD:

But it turns out to be a bit of a come-on, since you have to pay for the Premium service to actually burn a CD. Still, for 40 bucks it's not exorbitant for DVD burning software.

Back to stuff you can do with the free version. Here's the editor, which lets you crop your video, change the background song and its length, add more video clips, text slides, and remove stuff:

You can drag and drop each clip to the position you want. To make cuts, you click "clip this video" and you get a screen showing a frame for each second of the video, each of which can be designated as the new start or end of the clip. There are six free transitions—random, dissolve, reveal, push, and fade through black or white (Premium adds 12 more, such as Swirl and Pixelate).

Back on the video's main page, you can also change the music, choose a thumbnail, and choose one of seven "Themes" to apply. These offer cute intro scenes and different music, such as one appropriate for Valentines Day, friendship, or Offbeat.

For sharing your creations, you can click on Post next to a video in your My Studio page to get a URL link, code for your blog, an email option, and direct posting to YouTube, TypePad, or your TiVo channel. You can also add it to the One True Media gallery from here, or try out the beta Share to Mobile to send it to someone's phone. The site's Gallery can be sifted into 15 categories, with names like Birthday/Anniversary, Funny, and Vacation/Travel. This service seems less aggressive about getting you to put your videos into its own community.

You can also download your movie to iPod or QuickTime format, and the service offers to send you a DVD of it if you get the Premium account; the first one is free with a Premium upgrade, after that they cost from $10 to $20 based on the number you order.

Finally, One True Media offers a Collections feature, which lets you group together related videos and photos for easy, organized access. Oddly, it seemed that you had to upload directly into a collection rather than being able to move your content from My Studio.

Help is in the form of a fairly thorough FAQ, but the ability to search it would be nice.

We found One True Media to be one of the more capable and well-working web services in this review roundup. You can do quite a lot without spending any money on the Premium version.

Final Thoughts: Roll 'Em!

Among the free services we tested for this review roundup, JumpCut offered the most editing tools and effects. Unfortunately, this site gave us uploading headaches on both a Windows PC and a Mac, so it's hard to recommend unconditionally, unless you're just interested in editing videos you find on the site. Jumpcut also has one of the nicest interfaces, though all the services we tested were pretty slick looking. One True Media was another relatively full featured service, with several transitions, simple text frames, and the ability to download your movies, and even burn a DVD if you pay for it. Eyespot offered a good number of fun effects though only two transition styles, plus the ability to download your creations.

Most of these sites weren't just concerned with letting you edit video, but also were heavily about getting your creations shared in the larger world. They all gave your URLs and emailing capability for your edit, but varied in the strength of their own community or group features. We thought that Jumpcut, with its Wall and nice-looking Groups page with many ways to slice and dice public videos did the best job making videos findable and accessible to the world.

Pointer Graphic for FingerlinksRead our roundup of Free Online Photo Editors.

Online video editing is just getting started. In fact, we've read that several more video sharing sites—The N, Grouper, and VMIX—are about to add the capability, and there are technology companies out there ready to offer them the tools they need, Videoegg and Movie Masher among them. We definitely haven't finished coverage of online video editors, as more and more video sharing sites with this capability keep popping up.

To conclude our roundup, here we present a comparison table of each service reviewed today:

Is Your PC a Graphics Wimp?

2007-08-06T17:17:00.001-07:00

By Stephen H. Wildstrom Mon Aug 6, 8:08 AM ET

A pretty river flows past Pleasantview. Its rippling waters reflect clouds and the graceful arches of a bridge. Unless, that is, you're playing Electronic Arts' (NasdaqGS:ERTS - News) The Sims 2 video game on an Intel (NasdaqGS:INTC - News) computer with underpowered graphics. If so, the water appears as a featureless patch of monochromatic blue, and many other graphic subtleties of the game are lost.

My plunge into the world of The Sims was part of an experiment that chipmaker Advanced Micro Devices (NYSE:AMD - News) set up for me out of naked self-interest. AMD is best known as Intel's fierce rival in processors. But it also competes in graphics systems, and AMD -- which owns ATI Technologies, a maker of graphics adapters -- was seeking to demonstrate its superiority there.

Graphics performance has long been a concern for dedicated gamers and for users of advanced professional software, such as computer-assisted design tools. But it may soon become a lot more important to everyone else.Why? Microsoft's Vista operating system makes far greater use of 3D graphics than does any previous version of Windows. Its features include a "Flip 3D" interface, which lets you page quickly through all the windows open on your system. Microsoft (NasdaqGS:MSFT - News) wants software developers to make better use of such capabilities.

Sufficient, But Not Superior

AMD set me up with two midrange Velocity Micro desktops, which retail for about $800 each. The two systems are identical except for their processors and graphics adapters. The all-Intel model has a G965 Express graphics chip, while the AMD version uses the company's own ATI Radeon Xpress processor. Both systems run on Windows Vista Home Premium. Just to keep AMD honest, I extended the test to two additional Intel Vista systems of my own, a Lenovo (lnvgf.pk.PK) ThinkPad T61 with NVIDIA's Quadro graphics, and a ThinkPad X61s with an Intel GM965 Express display adapter.

The Intel 965 family of graphics chips dominates the market for adapters. They are standard in most low- to midpriced desktops and in laptops with Intel processors. And they're just about universal in subcompact notebooks -- meaning anything with a display measuring 12 inches or less. They are inexpensive, relatively power-thrifty -- a big factor in laptop design -- and very popular with manufacturers.

In my tests, all the Intel chips had enough heft to display Vista's spiffy graphics features, such as animated icons and transparent windows. But they fell way short of the ATI and NVIDIA (NasdaqGS:NVDA - News) systems in games. The Intel chips don't meet minimum requirements for running Linden Lab's Second Life virtual-world software on Vista.

The Eye of the Beholder

Most games are designed to inspect the hardware they're running on and adjust graphics features for best performance. You can override The Sims' decision to turn off such features as reflections for Intel 965 graphics, but the images don't look as good as they ought to, and you pay a price in sluggish performance. (When asked to respond, Intel said the 965 chips were not optimized for 3D games, but their performance will be improved when Intel releases new software in a few weeks. Existing owners will be able to download it.)

My advice to shoppers, who typically focus on processor speed and memory, is to pay more attention to graphics. The Intel 965 is fine if your needs are minimal. In a lightweight notebook, where battery life is key, it's probably the only choice.

For better graphics performance, consider a system using ATI or NVIDIA graphics. Unfortunately, model designations are complicated, and there's no single specification to guide you. Examining systems at a computer store should let you see how different systems look running Second Life or The Sims. If something looks good to you in the shop, it will do fine.

Lenovo to sell laptops with Linux

2007-08-06T17:10:00.001-07:00

By Jim Finkle Mon Aug 6, 9:57 AM ET

BOSTON (Reuters) - Lenovo Group Ltd. (0992.HK), the world's No. 3 PC maker, said on Monday it would start selling laptop computers preloaded with Linux software from Novell Inc. (NOVL.O) instead of Microsoft Corp.'s (MSFT.O) Windows operating system.

The laptops are slated to go on sale in the fourth quarter of this year and will be sold to Lenovo's business customers as well as to consumers.

Lenovo announced its plans at the start of LinuxWorld, an annual conference for information-technology managers being held in San Francisco this week.

The Linux operating system has been one of the fastest-growing types of software on servers and other types of powerful business computers over the past decade.

Last year, Microsoft entered into a business partnership with Novell that includes joint product development on server software. Microsoft also sells Novell products and both companies agreed to provide patent protections for each other's customers.

PC makers have been reluctant to embrace Linux, but that view is starting to change.

In May, No. 2 PC maker Dell Inc. (DELL.O) began selling three models to U.S. consumers that come preloaded with another version of Linux, from a nonprofit group known as Ubuntu.

It introduced them after Chief Executive Michael Dell asked customers to post suggestions for new products on the company's Web site. Linux PCs were overwhelming the most-requested item.

Ubuntu founder Mark Shuttleworth, who runs privately held Canonical Inc. which sells service contracts to maintain Ubuntu software, said in an interview last month that he expects Dell to expand its Linux PC program.

He also said that he is in negotiations with other large PC makers that want to introduce models preloaded with Ubuntu.

Computer security problems found at IRS

2007-08-03T18:32:00.000-07:00

By JIM ABRAMS, Associated Press Writer 1 hour, 23 minutes ago

WASHINGTON - IRS employees ignored security rules and turned over sensitive computer information to a caller posing as a technical support person, according to a government study.

Sixty-one of the 102 people who got the test calls, including managers and a contractor, complied with a request that the employee provide his or her user name and temporarily change his or her password to one the caller suggested, according to the Treasury Inspector General for Tax Administration, an office that does oversight of Internal Revenue Service.

The caller asked for assistance to correct a computer problem.

The report said that by failing to question the identity of the caller the employees were putting the IRS at risk of providing unauthorized people access to taxpayer data that could be used for identity theft and other fraudulent schemes.

"This is especially disturbing because the IRS has taken many steps to raise employee awareness of the importance of protecting their computers and passwords," said Inspector General J. Russell George.

Only eight of the 102 employees contacted either the inspector general's office or IRS security offices to validate the legitimacy of the caller.

The report said the IRS took measures to improve security after two similar test telephone calls in 2001 and 2004. "However, the corrective actions have not been effective," it said.

The IRS agreed with recommendations from the inspector general that it should take steps to make employees more aware of hacker tactics such as posing as an internal employee and to remind people to report such incidents to security officials.

The IRS has nearly 100,000 employees and contractors with access to tax return information processed on about 240 computer systems and more than 1,500 databases.

Apple Shares Fall on Production Rumors

2007-08-01T12:08:00.000-07:00

08.01.07
Total posts: 1

By Reuters

SAN FRANCISCO, July 31 (Reuters) - Apple Inc. shares fell nearly 7 percent on Tuesday on rumors including talk of production cuts in iPhones or iPods.

But there was little consensus about whether there was any specific problem at the company, whose shares had risen nearly 60 percent since it announced the iPhone in early January.

Apple spokeswoman Natalie Kerris declined comment.

Analysts who cover the company and options markets said there was speculation Apple was either cutting production of the iPhone or its iPod media player.

"There is unconfirmed chatter that iPod production is reduced. That is why the option volatility in Apple is elevated suggesting this uncertainty," said Paul Foster, options strategist at Web information site theflyonthewall.com.

Apple's August option implied volatility—which measures as a percentage how much the stock will move up or down over a rolling 12-month period—stood at 43 percent early on Tuesday, above its 26-week average of 37 percent, according to market research firm Track Data.

"There are occasional rumors on Apple, often unconfirmed. A lot of them end up being wrong or short-term," said Shaw Wu, an analyst with American Technology Research.

He noted Apple confirmed last week it expected to sell more than 700,000 iPhones in its current quarter and 10 million next year. AT&T Inc (T.N: Quote, Profile, Research) is the exclusive U.S. carrier for the phone.

"As I understand it, iPhone production actually has been going up, since they obviously are going to ship a lot more than what they did in the first two days," Wu said.

Apple stock fell $9.67, or 6.8 percent, to close at $131.76 on Nasdaq, its lowest close since July 9. (Reporting by Scott Hillis, additional reporting by Duncan Martell in San Francisco and Doris Frankel in Chicago)

Copyright Reuters 2007. All rights reserved. Users may download and print extracts of content from this website for their own personal and non-commercial use only. Republication or redistribution of Reuters content, including by framing or similar means, is expressly prohibited without the prior written consent of Reuters. Reuters and the Reuters sphere logo are registered trademarks or trademarks of the Reuters group of companies around the world.

Risky Business: Using Web Apps Over Wi-Fi

2007-08-01T10:49:00.000-07:00

Jeremy Kirk, IDG News Service 1 hour, 24 minutes ago

Users who access Google Inc.'s Gmail or the Facebook social-networking site over Wi-Fi could put their accounts at risk of being hijacked, according to research from Errata Security Inc., a computer security company.

It's not just those sites but any rich Web applications that exchange account information with users, including blogging sites such as Blogspot or even software-as-a-service offerings such as Salesforce.com, that could pose a risk for users, wrote Errata's Robert Graham, CEO, and David Maynor, chief technology officer, in a paper.

Most Web sites use encryption when passwords are entered, but because of the expense, the rest of the information exchanged between a browser and a Web site is not encrypted, they wrote in a paper presented at the Black Hat 2007 security conference in Las Vegas this week.

Using a packet sniffer, which can pick up data transferred between a wireless router and a computer, it's possible to collect cookie information while a user is accessing one of those sites over Wi-Fi.

Cookies consist of bits of data sent to a browser by a Web site to remember certain information about users, such as when they last logged in. Included in the cookie can be a "session identifier," which is another bit of unique information generated when people log into their accounts.

By collecting cookie information and the session identifier with the packer sniffer and importing it into another Web browser, the hacker can get inside a person's account. The attacker may not, however, be able to change a person's password, since many Web 2.0 applications require a second log-in to change account information.

Nonetheless, it could allow a hacker to create blog postings, read e-mail or do other malicious activity. Meanwhile, the victim is directed to a version of the Web page they intended to visit, which Errata calls "sidejacking."

There is a remedy, however. "The consequence of this is that users should never use a Wi-Fi hotspot unless they are using VPN (virtual private networking) or SSL (secure sockets layer) to access their accounts," they wrote.

Analysis: Don't Buy Into Free Security Suite Hype – Yet

2007-07-31T11:31:00.000-07:00

07.31.07

By Neil Rubenking

Crawler LLC released Spyware Terminator 2.0 this past Friday, touting it as "the industry's first, totally free, full Internet security suite". But competitor CyberDefender quickly fired off an email to Crawler (and to PC Magazine) pointing out that their CyberDefenderFREE 2.0, released last November, was the first free Internet security suite, and asking for a retraction.

There's no question that CyberDefender was first, and there's no question that both are free. The catch is, neither product is a security suite, not as the term is generally understood.

When evaluating a security suite, PC Magazine expects to see a number of specific elements. It should have a robust full-featured personal firewall with protection against inbound attack, and against outbound security breaches. It must scan and remove both viruses and spyware, and it should offer real-time virus and spyware protection as well. We expect protection against spam, as well as some degree of additional security in the form of parental control, protection of private data, or both.

Norton Internet Security 2007 fits this profile, as do ZoneAlarm Internet Security 7, McAfee Total Protection, and many others.

CyberDefenderFREE 2.0 offers virus and spyware protection, and, at first glance, seems to include much more. But there's no firewall, just an option to turn an existing firewall on or off. The spam filtering feature is actually aimed at "protection from spyware, viruses, and phishing attacks" and does little to block ordinary spam. It does offer phishing protection and a module that makes sure you have all the latest security updates, but that doesn't make it a security suite.

Spyware Terminator 2.0 will scan and remove spyware and also protect against spyware installation. There's an option to integrate ClamAV, a separate free product. But the rest of the security features are low-rent.

Spyware Terminator 2.0 rates Web sites much the way SiteAdvisor does, but relies on user ratings rather than on SiteAdvisor's massive automated testing. It includes "Host Intrusion Prevention", but this feature is really just a new-program warning. That is, after your first full scan it pops an alert any time it sees a new program. And it offers a toolbar for Internet Explorer and Firefox with numerous features, most of them unrelated to security.

We'll have a full evaluation of Spyware Terminator 2.0 available shortly – but as an antispyware product, not as a security suite.

So the winner of this little spat is – nobody. If you want the full protection of a security suite, neither of these products comes close.

Test your knowledge of online scams

2007-07-26T19:45:00.000-07:00

By ANICK JESDANUN, AP Internet Writer Thu Jul 26, 1:03 AM ET

NEW YORK - Think you're smart at recognizing online scams? Take a quiz to find out.

McAfee Inc.'s SiteAdvisor service has created a 10-question test to see whether you can spot "phishing" attempts to steal passwords and other personal information by mimicking popular Web sites such as eBay Inc.'s PayPal and News Corp.'s MySpace.

In eight questions, you are presented with two Web sites or e-mail messages and are asked to identify the authentic one. The final two questions test your general knowledge about scams.

Afterward, the McAfee site presents telltale signs to look for, such as misspellings and suspicious Web addresses.

You can also download a tool that can help warn of sites known or suspected to be phishing scams. SiteAdvisor researchers also identify sites that produce spyware, viruses, excessive pop-up ads, junk e-mail or other threats.

Visit http://www.siteadvisor.com/quizzes/phishing_0707/ to take the quiz.

Your plant just called to say ... I'm thirsty!

2007-07-25T15:40:00.000-07:00

31 minutes ago

NEW YORK, July 25 (Reuters Life!) - Imagine answering your cell phone to hear your Scotch Moss plant telling you in a fake Glaswegian accent that it needs a drink.

This scenario is not far from reality with a group of postgraduate students at New York University developing a way for over-watered or dry plants to phone for help.

The "Botanicalls" project uses moisture sensors placed in the soil which can send a signal over a wireless network to a gateway that places a call if the plant's too dry or wet.

Recorded voices are assigned to each plant to match its biological characteristics and to help increase the charm of the phone message and give plants their own personality.

Interactive communications student Rebecca Bray, who developed the concept with three colleagues, said the technology was not new but it's the way of communicating by voice and adding personality to the plants that's different.

"They will call and tell you they are thirsty and need a lot of water. They are also really polite," Bray told Reuters.

"We wanted to make sure that you weren't just getting phone calls that were really needy. So we have them calling you back when you've watered them to say thank you for watering me."

For example, the Scots Moss is given a fake Scottish accent as it was not originally from Scotland despite its name. A prolific spider plant was given a cheerful, friendly voice.

"We wanted to provide a system so that the plants could actually survive by communicating to people," said Bray who developed the system with Rob Faludi, Kati London and Kate Hartman.

She said they were surprised how many people have approached them to acquire this service for homes and businesses but didn't expect the system to become available commercially for at least another six months.

"We hope that the system will help people learn how to take better care of their plants over time and maybe not even need the phone calls after a while," Bray said.

Apple posts record quarterly profit

2007-07-25T15:25:00.001-07:00

6 minutes ago

SAN JOSE, Calif. - Apple Inc.'s fiscal third-quarter profit soared more than 73 percent, fueled by demand for its Macintosh computers, the strength of its iPod media players and the sales of 270,000 iPhones in the first two days on the market.

For the quarter ended June 30, Apple's profit rose to $818 million, or 92 cents per share, up from $472 million, or 54 cents a share in the year-ago quarter.

Sales grew to $5.41 billion from $4.37 billion last year.

Analysts polled by Thomson Financial expected Apple to report earnings of 72 cents per share on sales of $5.28 billion while Apple itself had projected earnings of 66 cents per share on quarterly sales of $5.1 billion.

"We're thrilled to report the highest June quarter revenue and profit in Apple's history, along with the highest quarterly Mac sales ever," said Steve Jobs, Apple's CEO. "IPhone is off to a great start — we hope to sell our one-millionth iPhone by the end of its first full quarter of sales — and our new product pipeline is very strong."

The gadget maker's highly anticipated iPhone launched on June 29 and sold out within days. Wall Street analysts and investors have had lofty expectations for the multimedia cell phone, driving up Apple's stock more than 30 percent during the quarter.

Apple's silence on how many iPhones were available at launch added to the frenzy and analysts were hoping to gain some insight on the iPhone's initial sales impact and outlook when the Cupertino-based company was to discuss its quarterly earnings during a conference call late Wednesday.

Shares of Apple tumbled more than 6 percent Tuesday after AT&T Inc. — the iPhone's exclusive U.S. carrier — said it activated 146,000 iPhones on June 29 and 30, a number that disappointed investors following some analyst forecasts that Apple would sell 500,000 or more iPhones in its first weekend.

Officers used GPS coordinates from cell phone to track man's location

2007-07-25T15:21:00.000-07:00

10 minutes ago

PENSACOLA, Fla. - A man charged with dialing 911 to chat with dispatchers nearly 300 times in the last month remained in jail Wednesday. Cheveon Alonzo Ford, 21, was arrested Tuesday night and charged with making obscene and harassing telephone calls.

He told authorities he began calling 911 because "I have no minutes on my phone and 911 is a free call," the Escambia County Sheriff's Office said in a news release.

Ford was being held on a $50,000 bond Wednesday afternoon.

Officers used GPS coordinates from Ford's cell phone to track his location to the west Pensacola home where he was arrested, the Pensacola News Journal Reported.

"His phone service had been cut off and 911 was the only number he could dial from the phone," said Bob Boschen, communication chief for Escambia County.

Boschen said many of Ford's 292 calls were sexual in nature.

"When he would call and a male dispatcher would answer, he would hang up," he said. "Our policy says that if a caller is belligerent in nature we have to get enough information to process the call and then we can disconnect," he said.

Ford never asked dispatchers for help or indicated he was in trouble.

McAfee sets Rootkit Detective free

2007-07-25T15:15:00.000-07:00

Matt Hines 31 minutes ago

San Francisco (InfoWorld) - On July 26, McAfee will begin offering a new application called Rootkit Detective, designed to detect and remove dangerous rootkit attacks. The software will also help end-users ward off the threats, as well as funnel new intelligence into the company's ongoing research operations.

Following in the footsteps of SiteAdvisor -- the free Web site security program acquired by McAfee in April 2006 that warns users about potentially dangerous sites and search results -- company officials said that the new tool will be offered at no charge from its Web site via download, with benefits for both end-users and its researchers.

The freeware program promises the ability to find and remove so-called rootkits -- self-cloaking malware attacks that install themselves as kernel modules or drivers and are most often used to hide other types of threats such as keyword-logging programs -- and send data about the attacks that are discovered back to McAfee.

As greater numbers of PC users have employed more sophisticated antimalware tools in recent years, hackers have rushed to adopt the rootkit model as a means for circumventing anti-virus systems and keeping their attacks hidden on people's computers.

According to the most recent estimates released by Santa Clara, Calif.-based McAfee, more than 7,325 new rootkit variants have been discovered since the beginning of 2007, a dramatic 100 percent increase over the 3,284 rootkits the company's researchers uncovered during all of 2006.

Rootkit Detective specifically promises to find hidden kernel processes and registry entries, as well as remove them when a user reboots their system. The tool also claims the ability to test the integrity of a PC's kernel memory and track any modifications that might also highlight rootkit activity.

As part of a beta program, Rootkit Detective -- which was developed within McAfee's Avert Labs -- has already been downloaded by more than 110,000 users, including businesses and consumers, company officials said.

"Dealing with rootkits will always be an arms race; the whole process is a game of challenge-and-response between the hackers and security community, and as the authors have advanced the complexity of their attacks, we need to continually update our own technologies to keep up," said Joe Telafici, vice president of operations at McAfee Avert Labs. "We started putting rootkit detectors into our products in 2006, and this is the next stage in advancing our detection technologies."

While most rootkit-fighting programs use what Telafici labeled a "tainted view" approach to finding the attacks -- that is, comparing results of system calls to the kernel to look for potential issues -- Rootkit Detector uses a variety of means to find hidden processes and registry keys that might evade such tactics, he said.

The approach is also particularly effective at helping McAfee find new rootkit variants, based on the detailed manner in which it monitors a machine's kernel and memory, according to the researcher.

Telafici goes as far as to claim that Rootkit Detector can find and remove every known rootkit reported to its researchers thus far.

"The bad guys are spending a lot of time trying to hide their work from simpler tools, but we can still see these programs making their calls, and we've already used the tool to find several new variations that we weren't previously aware of," he said. "We use a variety of means to detect processes, files, and registry keys that might otherwise remain hidden, and to bypass cloaking techniques employed by the rootkit authors."

In passing out Rootkit Detective to consumers and businesses free of charge, McAfee is hoping that, as with SiteAdvisor, people will actively use the application to submit virus samples to Avert Labs.

After analyzing any new attacks, McAfee will create a signature for any rootkits it tracks and channel that information into its other client security products.

"Gathering information this manner is a very effective way for us to get a handle on threats we haven't seen before, and it should get new kits flowing in that we can begin researching to adapt to throughout our product lines," Telafici said. "It's great to be able to offer something valuable for end-users that can really help protect them, while allowing us to find new attacks and develop technologies to address for our customers."

The Rootkit Detector launch underscores recent efforts by anti-virus providers to launch technologies aimed at fighting the most complex, cutting-edge attacks being aimed at users by hackers.

Last week, rival Symantec introduced a beta version of its Norton AntiBot program, which is designed to thwart the growing problem of PC-hijacking botnet attacks. However, unlike McAfee's latest offering, AntiBot is a for-pay product that will retail to consumers for less than $30.

Apple shares fall on iPhone numbers

2007-07-24T17:47:00.000-07:00

By JORDAN ROBERTSON, AP Technology Writer 7 minutes ago

SAN JOSE, Calif. - AT&T Inc. wiped some of the glow off Apple Inc.'s iPhone on Tuesday, releasing numbers that showed fewer people than expected signed up for service in the first two days of the multimedia cell phone's release.

AT&T — the iPhone's exclusive carrier — said it activated 146,000 iPhones on June 29 and 30, a number that disappointed investors following some analyst forecasts that Apple would sell 500,000 or more iPhones in its first weekend.

The news interrupted a steady rise in Apple's stock price that started with the iPhone's release. The 18 percent surge generated $18 billion in shareholder wealth.

On Tuesday, Apple shares fell $8.81, or more than 6 percent, to $134.89, wiping out more than $7 billion of Apple's market value.

Analysts cautioned against reading too much into AT&T's activation numbers, saying the actual number of iPhones sold may be much higher but was not reflected in the figure because many users had activation problems and couldn't sign up for a few days.

"It's just had such a run on overexpectations, I don't see this as any sort of disappointing metric in terms of the iPhone overall," said Ingrid Ebeling, an analyst with JMP Securities. "I think it's just gotten a little overhyped over the past month."

Also weighing on Apple's stock Tuesday was a report from CIBC World Markets that said demand for the iPhone has experienced a "significant decline" in the past 10 days, a slowdown driven in part by dissatisfaction with the slow data transfer speeds on AT&T's network. CIBC used store visits and a survey of iPhone buyers to reach its conclusions.

CIBC said it expects Apple and AT&T to boost their marketing push for the iPhone and the companies could introduce a new model in November — earlier than expected — that operates on a faster network. The two models now available cost $499 and $599.

Apple spokeswoman Jennifer Bowcock did not immediately return a call for comment Tuesday.

Apple is expected to release more information on the iPhone's sales in its third-quarter earnings report on Wednesday. The company has been tightlipped about its near-term sales forecasts, saying only that it hopes to sell 10 million worldwide by 2008.

Shaw Wu, an analyst with American Technology Research, said the little information Apple is likely to release will be closely watched by investors looking for signs of the iPhone's momentum.

"Even though it's only two days of information, it's definitely going to be looked at carefully," Wu said.

Analysts are expecting Apple to continue its strong profit growth. According to a survey by Thomson Financial, Apple is expected to earn 72 cents a share on $5.29 billion in revenue for the third quarter.

Ultra-flexible fiber optics on the way

2007-07-23T17:04:00.001-07:00

By BEN DOBBIN, AP Business Writer 8 minutes ago

ROCHESTER, N.Y. - Corning Inc. is finding its way around very tight corners to help high-speed Internet service reach high-rise apartments and condominiums.

The world's largest maker of optical fiber said Monday it has developed a new fiber that is at least 100 times more bendable than standard fiber, clearing a major hurdle for telecommunications carriers drawing fiber into homes.

"This is a game-changing technology for telecommunications applications," said Corning's president, Peter Volanakis. "We have developed an optical fiber cable that is as rugged as copper cable but with all of the bandwidth benefits of fiber."

Three Corning scientists invented low-loss optical fiber in the early 1970s. The gossamer-thin strands of ultra-pure glass delivering voice, video and data at the speed of light have replaced copper as the backbone of America's telephone and cable television networks and enabled the phenomenal growth of the Internet.

Current optical fiber doesn't carry light well when it is bent around corners and routed through a building, making it difficult and expensive to run fiber all the way to homes and businesses. The ultra-flexible technology allows the fiber to be bent with virtually no signal loss, Corning said.

Corning said the improvements will enable carriers to economically offer high-speed Internet, voice and high-definition TV service to virtually all high-rise buildings.

In standard fiber, the light signal leaks out at bends or turns and "with two 90-degree turns, the signal is lost," Corning spokesman Dan Collins said. "This design relies on nanostructures that serve as a mirror or a guardrail, and as the fiber is turned or bent, the light doesn't leak out. We have wrapped the fiber around a ball point pen and it retains its effectiveness."

Michael Render, a market researcher in Tulsa, Okla., said the new product "would be an important breakthrough" in fiber-to-the-home systems.

More than 1 percent of North American homes are now directly connected to fiber, but many of them are single-family dwellings, Render said.

"There obviously are a large number of people that live in multi-tenant buildings, and improvements in the way to get fiber to those individual living units could be very significant," he said.

Render said the technology would make it easier to bring fiber "all the way to each individual living room, for example, or at least to each floor," instead of taking it only to the basement and then using existing wiring to reach the living unit.

There are more than 25 million high-rise apartment homes in the United States and more than 680 million worldwide. "The high cost of installation and difficulty in delivering fiber to the home made this market unappealing to most providers," Volanakis said in a statement.

Corning formed a working team with New York-based Verizon Communications Inc. in February to tackle the problems of installing fiber in multiple-dwelling buildings. Verizon is the only major U.S. phone or cable company to aggressively draw fiber to existing homes.

"This fiber technology will enable us to bring faster Internet speeds, higher-quality high-definition content and more interactive capabilities than any other platform which exists today," said Paul Lacouture, a Verizon Telecom executive.

Chips: High tech aids or tracking tools?

2007-07-23T11:58:00.000-07:00

Demonstrators prepare to march against microchip implants planned for Alzheimer's patients, in front of the Alzheimer's Community Care Headquarters in West Palm Beach, Fla., May 12, 2007. March organizer Katherine Albrecht, left, said a payer before starting the march. (AP Photo/Gary I. Rothstein)

By TODD LEWAN, AP National Writer Sun Jul 22, 6:23 AM ET

CityWatcher.com, a provider of surveillance equipment, attracted little notice itself — until a year ago, when two of its employees had glass-encapsulated microchips with miniature antennas embedded in their forearms.

The "chipping" of two workers with RFIDs — radio frequency identification tags as long as two grains of rice, as thick as a toothpick — was merely a way of restricting access to vaults that held sensitive data and images for police departments, a layer of security beyond key cards and clearance codes, the company said.

"To protect high-end secure data, you use more sophisticated techniques," Sean Darks, chief executive of the Cincinnati-based company, said. He compared chip implants to retina scans or fingerprinting. "There's a reader outside the door; you walk up to the reader, put your arm under it, and it opens the door."

Innocuous? Maybe.

But the news that Americans had, for the first time, been injected with electronic identifiers to perform their jobs fired up a debate over the proliferation of ever-more-precise tracking technologies and their ability to erode privacy in the digital age.

To some, the microchip was a wondrous invention — a high-tech helper that could increase security at nuclear plants and military bases, help authorities identify wandering Alzheimer's patients, allow consumers to buy their groceries, literally, with the wave of a chipped hand.

To others, the notion of tagging people was Orwellian, a departure from centuries of history and tradition in which people had the right to go and do as they pleased, without being tracked, unless they were harming someone else.

Chipping, these critics said, might start with Alzheimer's patients or Army Rangers, but would eventually be suggested for convicts, then parolees, then sex offenders, then illegal aliens — until one day, a majority of Americans, falling into one category or another, would find themselves electronically tagged.

The concept of making all things traceable isn't alien to Americans. Thirty years ago, the first electronic tags were fixed to the ears of cattle, to permit ranchers to track a herd's reproductive and eating habits. In the 1990s, millions of chips were implanted in livestock, fish, dogs, cats, even racehorses.

Microchips are now fixed to car windshields as toll-paying devices, on "contactless" payment cards (Chase's "Blink," or MasterCard's "PayPass"). They're embedded in Michelin tires, library books, passports, work uniforms, luggage, and, unbeknownst to many consumers, on a host of individual items, from Hewlett Packard printers to Sanyo TVs, at Wal-Mart and Best Buy.

But CityWatcher.com employees weren't appliances or pets: They were people made scannable.

"It was scary that a government contractor that specialized in putting surveillance cameras on city streets was the first to incorporate this technology in the workplace," says Liz McIntyre, co-author of "Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID."

Darks, the CityWatcher.com executive, dismissed his critics, noting that he and his employees had volunteered to be chip-injected. Any suggestion that a sinister, Big-Brother-like campaign was afoot, he said, was hogwash.

"You would think that we were going around putting chips in people by force," he told a reporter, "and that's not the case at all."

Yet, within days of the company's announcement, civil libertarians and Christian conservatives joined to excoriate the microchip's implantation in people.

RFID, they warned, would soon enable the government to "frisk" citizens electronically — an invisible, undetectable search performed by readers posted at "hotspots" along roadsides and in pedestrian areas. It might even be used to squeal on employees while they worked; time spent at the water cooler, in the bathroom, in a designated smoking area could one day be broadcast, recorded and compiled in off-limits, company databases.

"Ultimately," says Katherine Albrecht, a privacy advocate who specializes in consumer education and RFID technology, "the fear is that the government or your employer might someday say, 'Take a chip or starve.'"

Some Christian critics saw the implants as the fulfillment of a biblical prophecy that describes an age of evil in which humans are forced to take the "Mark of the Beast" on their bodies, to buy or sell anything.

Gary Wohlscheid, president of These Last Days Ministries, a Roman Catholic group in Lowell, Mich., put together a Web site that linked the implantable microchips to the apocalyptic prophecy in the book of Revelation.

"The Bible tells us that God's wrath will come to those who take the Mark of the Beast," he says. Those who refuse to accept the Satanic chip "will be saved," Wohlscheid offers in a comforting tone.

___

In post-9/11 America, electronic surveillance comes in myriad forms: in a gas station's video camera; in a cell phone tucked inside a teen's back pocket; in a radio tag attached to a supermarket shopping cart; in a Porsche automobile equipped with a LoJack anti-theft device.

"We're really on the verge of creating a surveillance society in America, where every movement, every action — some would even claim, our very thoughts — will be tracked, monitored, recorded and correlated," says Barry Steinhardt, director of the Technology and Liberty Program at the American Civil Liberties Union in Washington, D.C.

RFID, in Steinhardt's opinion, "could play a pivotal role in creating that surveillance society."

In design, the tag is simple: A medical-grade glass capsule holds a silicon computer chip, a copper antenna and a "capacitor" that transmits data stored on the chip when prompted by an electromagnetic reader.

Implantations are quick, relatively simple procedures. After a local anesthetic is administered, a large-gauge hypodermic needle injects the chip under the skin on the back of the arm, midway between the elbow and the shoulder.

"It feels just like getting a vaccine — a bit of pressure, no specific pain," says John Halamka, an emergency physician at Beth Israel Deaconess Medical Center in Boston.

He got chipped two years ago, "so that if I was ever in an accident, and arrived unconscious or incoherent at an emergency ward, doctors could identify me and access my medical history quickly." (A chipped person's medical profile can be continuously updated, since the information is stored on a database accessed via the Internet.)

Halamka thinks of his microchip as another technology with practical value, like his BlackBerry. But it's also clear, he says, that there are consequences to having an implanted identifier.

"My friends have commented to me that I'm 'marked' for life, that I've lost my anonymity. And to be honest, I think they're right."

Indeed, as microchip proponents and detractors readily agree, Americans' mistrust of microchips and technologies like RFID runs deep. Many wonder:

Do the current chips have global positioning transceivers that would allow the government to pinpoint a person's exact location, 24-7? (No; the technology doesn't yet exist.)

But could a tech-savvy stalker rig scanners to video cameras and film somebody each time they entered or left the house? (Quite easily, though not cheaply. Currently, readers cost $300 and up.)

How about thieves? Could they make their own readers, aim them at unsuspecting individuals, and surreptitiously pluck people's IDs out of their arms? (Yes. There's even a name for it — "spoofing.")

What's the average lifespan of a microchip? (About 10-15 years.) What if you get tired of it before then — can it be easily, painlessly removed? (Short answer: No.)

Presently, Steinhardt and other privacy advocates view the tagging of identity documents — passports, drivers licenses and the like — as a more pressing threat to Americans' privacy than the chipping of people. Equipping hospitals, doctors' offices, police stations and government agencies with readers will be costly, training staff will take time, and, he says, "people are going to be too squeamish about having an RFID chip inserted into their arms, or wherever."

But that wasn't the case in March 2004, when the Baja Beach Club in Barcelona, Spain — a nightclub catering to the body-aware, under-25 crowd — began holding "Implant Nights."

In a white lab coat, with hypodermic in latex-gloved hand, a company chipper wandered through the throng of the clubbers and clubbettes, anesthetizing the arms of consenting party goers, then injecting them with microchips.

The payoff?

Injectees would thereafter be able to breeze past bouncers and entrance lines, magically open doors to VIP lounges, and pay for drinks without cash or credit cards. The ID number on the VIP chip was linked to the user's financial accounts and stored in the club's computers.

After being chipped himself, club owner Conrad K. Chase declared that chip implants were hardly a big deal to his patrons, since "almost everybody has piercings, tattoos or silicone."

VIP chipping soon spread to the Baja Beach Club in Rotterdam, Holland, the Bar Soba in Edinburgh, Scotland, and the Amika nightclub in Miami Beach, Fla.

That same year, Mexico's attorney general, Rafael Macedo, made an announcement that thrilled chip proponents and chilled privacy advocates: He and 18 members of his staff had been microchipped as a way to limit access to a sensitive records room, whose door unlocked when a "portal reader" scanned the chips.

But did this make Mexican security airtight?

Hardly, says Jonathan Westhues, an independent security researcher in Cambridge, Mass. He concocted an "emulator," a hand-held device that cloned the implantable microchip electronically. With a team of computer-security experts, he demonstrated — on television — how easy it was to snag data off a chip.

Explains Adam Stubblefield, a Johns Hopkins researcher who joined the team: "You pass within a foot of a chipped person, copy the chip's code, then with a push of the button, replay the same ID number to any reader. You essentially assume the person's identity."

The company that makes implantable microchips for humans, VeriChip Corp., of Delray Beach, Fla., concedes the point — even as it markets its radio tag and its portal scanner as imperatives for high-security buildings, such as nuclear power plants.

"To grab information from radio frequency products with a scanning device is not hard to do," Scott Silverman, the company's chief executive, says. However, "the chip itself only contains a unique, 16-digit identification number. The relevant information is stored on a database."

Even so, he insists, it's harder to clone a VeriChip than it would be to steal someone's key card and use it to enter secure areas.

VeriChip Corp., whose parent company has been selling radio tags for animals for more than a decade, has sold 7,000 microchips worldwide, of which about 2,000 have been implanted in humans. More than one-tenth of those have been in the U.S., generating "nominal revenues," the company acknowledged in a Securities and Exchange Commission filing in February.

Although in five years VeriChip Corp. has yet to turn a profit, it has been investing heavily — up to $2 million a quarter — to create new markets.

The company's present push: tagging of "high-risk" patients — diabetics and people with heart conditions or Alzheimer's disease.

In an emergency, hospital staff could wave a reader over a patient's arm, get an ID number, and then, via the Internet, enter a company database and pull up the person's identity and medical history.

To doctors, a "starter kit" — complete with 10 hypodermic syringes, 10 VeriChips and a reader — costs $1,400. To patients, a microchip implant means a $200, out-of-pocket expense to their physician. Presently, chip implants aren't covered by insurance companies, Medicare or Medicaid.

For almost two years, the company has been offering hospitals free scanners, but acceptance has been limited. According to the company's most recent SEC quarterly filing, 515 hospitals have pledged to take part in the VeriMed network, yet only 100 have actually been equipped and trained to use the system.

Some wonder why they should abandon noninvasive tags such as MedicAlert, a low-tech bracelet that warns paramedics if patients have serious allergies or a chronic medical condition.

"Having these things under your skin instead of in your back pocket — it's just not clear to me why it's worth the inconvenience," says Westhues.

Silverman responds that an implanted chip is "guaranteed to be with you. It's not a medical arm bracelet that you can take off if you don't like the way it looks..."

In fact, microchips can be removed from the body — but it's not like removing a splinter.

The capsules can migrate around the body or bury themselves deep in the arm. When that happens, a sensor X-ray and monitors are needed to locate the chip, and a plastic surgeon must cut away scar tissue that forms around the chip.

The relative permanence is a big reason why Marc Rotenberg, of the Electronic Privacy Information Center, is suspicious about the motives of the company, which charges an annual fee to keep clients' records.

The company charges $20 a year for customers to keep a "one-pager" on its database — a record of blood type, allergies, medications, driver's license data and living-will directives. For $80 a year, it will keep an individual's full medical history.

___

In recent times, there have been rumors on Wall Street, and elsewhere, of the potential uses for RFID in humans: the chipping of U.S. soldiers, of inmates, or of migrant workers, to name a few.

To date, none of this has happened.

But a large-scale chipping plan that was proposed illustrates the stakes, pro and con.

In mid-May, a protest outside the Alzheimer's Community Care Center in West Palm Beach, Fla., drew attention to a two-year study in which 200 Alzheimer's patients, along with their caregivers, were to receive chip implants. Parents, children and elderly people decried the plan, with signs and placards.

"Chipping People Is Wrong" and "People Are Not Pets," the signs read. And: "Stop VeriChip."

Ironically, the media attention sent VeriChip's stock soaring 27 percent in one day.

"VeriChip offers technology that is absolutely bursting with potential," wrote blogger Gary E. Sattler, of the AOL site Bloggingstocks, even as he recognized privacy concerns.

Albrecht, the RFID critic who organized the demonstration, raises similar concerns on her AntiChips.com Web site.

"Is it appropriate to use the most vulnerable members of society for invasive medical research? Should the company be allowed to implant microchips into people whose mental impairments mean they cannot give fully informed consent?"

Mary Barnes, the care center's chief executive, counters that both the patients and their legal guardians must consent to the implants before receiving them. And the chips, she says, could be invaluable in identifying lost patients — for instance, if a hurricane strikes Florida.

That, of course, assumes that the Internet would be accessible in a killer storm. VeriChip Corp. acknowledged in an SEC filing that its "database may not function properly" in such circumstances.

As the polemic heats up, legislators are increasingly being drawn into the fray. Two states, Wisconsin and North Dakota, recently passed laws prohibiting the forced implantation of microchips in humans. Others — Ohio, Oklahoma, Colorado and Florida — are studying similar legislation.

In May, Oklahoma legislators were debating a bill that would have authorized microchip implants in people imprisoned for violent crimes. Many felt it would be a good way to monitor felons once released from prison.

But other lawmakers raised concerns. Rep. John Wright worried, "Apparently, we're going to permanently put the mark on these people."

Rep. Ed Cannaday found the forced microchipping of inmates "invasive ... We are going down that slippery slope."

In the end, lawmakers sent the bill back to committee for more work.

New Study Shows Most Internet-Dependent Businesses Losing Costly Battle Against DNS Attacks

2007-07-17T06:01:00.000-07:00

Press Release Source: Mazerov Research and Consulting

Tuesday July 17, 9:01 am ET
Despite Deploying Multiple Security Measures, Majority Still Hit by Malware; Many Predict High Likelihood of Losing Productivity, Revenue -- Even Entire Business -- If They Were to Experience Significant Internet Disruption

DENVER--(BUSINESS WIRE)--A recent independent study of 465 IT and business professionals has revealed that companies are having to deploy a costly and often complex melange of security measures to keep their DNS (Domain Name Systems) protected from malicious attackers. Even so, many businesses remain vulnerable, as over half the respondents reported having fallen victim to some form of malware attack. Over one third had been hit by a denial-of-service attack while over 44 percent had experienced either a pharming or cache poisoning attack. Findings showed both external and internal DNS servers were equally vulnerable, as both types succumbed to attacks with roughly the same frequency.

Mazerov Research and Consulting -- an international provider of technology and market research -- conducted the study on behalf of Secure64 Software Corporation.

Internet Dependence

The findings underscore a disturbing trend as businesses are forced to find new ways to protect their IT infrastructure from Internet-based intrusions, yet are placing an incredibly high degree of dependency on continuous Internet connectivity. In this survey of businesses decision-makers, over half (54 percent) explained their companies are 'totally or extremely dependent' on uninterrupted Internet connectivity; another 26 percent said their company was very dependent. Only 6 percent said their company was not very dependent on Internet connectivity. Growing business dependence on Internet connectivity is the very vulnerability that allows malware to attack DNS.

Reliability, Immunity, Availability Most Important

Not surprisingly, respondents placed a high premium on being able to count on their DNS to work consistently and to ward off potentially crippling attacks. When asked to name an essential or extremely important attribute of a DNS solution, the top five responses included:

* Reliability (67 percent)
* Immunity to exploits, rootkits and malware (54 percent)
* Availability during denial-of-service attacks (52 percent)
* Simple to manage (48 percent)
* Fast query responses -- low latency/high performance (46 percent)

However, respondents admitted that trying to achieve these "must-have" DNS characteristics was challenging and required a significant investment in time, money and effort. Three-fourths of all respondents devote valuable resources to continuously patch their operating systems. Others reported having to harden operating systems, invest in dedicated firewalls, and add DNS appliances, DoS mitigation services and other network security devices. On average, respondents typically use at least 3.5 overlapping methods simultaneously to shore up their DNS security.

Downtime and Potential Damage, Loss

When asked how long their business could weather being taken offline before significant problems occurred, IT personnel were more sensitive to the issue than those occupying C-suites. According to the study, C-level executives estimated they could withstand losing Internet connectivity for just over two hours (126 minutes), whereas IT managers estimated it would only be 105 minutes before significant problems arose. Other IT personnel -- who may be most directly responsible for maintaining Internet uptime -- estimated an even shorter timeframe at an average of 72 minutes.

Respondents were also asked to assess what the likely impact would be on the health of their business if they were to experience a loss of Internet connectivity for a significant period of time. Maybe most alarming was 12 percent of participants claimed they would be extremely or somewhat likely to go out of business completely. Other responses included:

* Loss of productivity (74 percent)
* Unable to conduct the most basic business functions (54 percent)
* Loss of significant revenue (40 percent)
* Brand damage would suffer (39 percent)

When asked what the most catastrophic problem would be in the event of a major Internet disruption, 37 percent feared losing email whereas 47 percent identified the disruption of other Web-dependent services such as e-commerce, VOIP and customer support. Surprisingly, only 17 percent indicated that a failure of their DNS -- the underlying system that makes email and other Web services possible -- would be their most catastrophic problem.

"IT professionals are clearly facing a Sisyphean task when it comes to keeping their DNS secure," stated Bob Mazerov, founder and principal of Mazerov Research. "What's particularly interesting is that most respondents perceived the loss of email and other Web services as being a bigger problem than the loss of DNS. This suggests an enduring lack of focus, attention and awareness among IT and business professionals regarding the important and primary role DNS plays within the infrastructure of today's Internet-dependent enterprise."

About the Research Study

Mazerov Research & Consulting, LLC of Denver conducted the survey of IT professionals in February/March of 2007. The Internet-based survey was conducted online among 465 respondents nationwide, all with authority in their IT department and authority over DNS; among decision-makers across a breadth of industries from government to manufacturing to media and tourism; and included VARs, Integrators and ISPs. Virtually all economic sectors were included. The survey was also conducted across company size from under $1 million to over $250 million in revenue and from large and small IT staffs. A survey of 465 conducted using this method yields a margin of +/- 4.5 percent.

Complete survey results are available on the Mazerov Research & Consulting Web site at http://www.mazerovresearch.com.

About Secure64

Headquartered in Greenwood Village, Colorado, Secure64 is a software developer providing secure, self-protecting, high performing server applications. Secure64's core technology is SourceT®, a patented Genuinely Secure(TM) micro OS designed from the ground up to make the micro OS and any applications running on it immune from rootkits and malware, and resistant to network attacks. Unlike conventional operating systems with insecure architectures, SourceT does not need to be hardened, patched and protected to minimize exposure to vulnerabilities. By simplifying and consolidating network infrastructures, SourceT-based applications help IT professionals reduce the costs and risks from potential security breaches while achieving unparalleled levels of reliability and performance. For more information, visit www.secure64.com.

About Mazerov Research & Consulting

Headquartered in Denver, Colorado, Mazerov Research and Consulting (MR&C) enables its clients to enter the market more effectively, garner market share more efficiently, and develop winning programs more economically through insightful, thoughtful use of marketing research and strategic consulting. We help our clients -- small, medium and large companies in a broad range of industries -- make better decisions, launch successful products and services, craft and execute more effective marketing and advertising programs, and support more effective sales programs. Since 1993, MR&C has helped clients develop over $5 billion in new products, improved sales performance, and advertising programs.

Contact:

Mazerov Research & Consulting
Robert Mazerov, 303-741-2369
Wireless: 303-808-5144
www.mazerovresearch.com

Source: Mazerov Research and Consulting

World's fair to have walls made of water

2007-07-11T13:58:00.000-07:00

By BRIAN BERGSTEIN, AP Technology Writer 9 minutes ago

CAMBRIDGE, Mass. - Walking through walls will be possible and even encouraged. When next year's world expo opens in Zaragoza, Spain, fairgoers will encounter a building with walls made of thin sprays of water. Inside, there will be normal building stuff: a cafe, an exhibition space and overhead lighting.
ADVERTISEMENT

The water will come from thousands of little jets that can be switched on and off, rapid-fire, by computer-controlled sensors.

The resulting effect will enable images and text to scroll in the water walls. Or as a person approaches, the sensors could shape the water flow to make a door appear anywhere in the wall, and then close it after the person ambles through.

The 5,400-square-foot building also can vanish in moments, as the roof can be lowered from its 16-foot height all the way to the ground.

Surely these are cool tricks, but so what?

The Massachusetts Institute of Technology architects who developed the idea say it's a boundary-pushing artistic statement, in the tradition of the Crystal Palace and White City of long-ago world's fairs. Current estimated cost is about $3 million.

"One of the dreams of architecture in recent years has been to create reconfigurable, interactive, dynamic buildings, but of course if you do it with bricks it's not so easy," MIT researcher Carlo Ratti said.

Yet this is not purely whimsical. The theme of the Zaragoza fair is water and sustainable development, and Ratti points out that by using all recycled water, which in turn provides evaporative cooling and no need for air conditioning, the building has a low environmental footprint.

And even if other buildings aren't about to be made of water (ice hotels, notwithstanding), Ratti says future structures should adopt the water pavilion's goal of "total control of every single element, so nothing gets wasted."

Hands on with Casio's YouTube digital camera

2007-07-11T09:42:00.000-07:00

Martyn Williams 18 minutes ago

San Francisco (IDGNS) - Casio Computer has developed its first digital cameras with a video mode optimized for YouTube. They come with software that can upload clips to the popular video-sharing Web site with a single click.

Called the Exilim EX-S880 and EX-Z77, the cameras are the result of a deal between Casio and Google, which owns YouTube, that gives Casio exclusive rights to the YouTube features until the end of this year.

The cameras will be released worldwide, starting in the U.S. in August, followed by Europe and Asia soon after. We had a chance to try out the higher-end of the two, the EX-S880, which will be priced at $300, in Tokyo on Wednesday. They are both digital still cameras that also shoot video, rather than dedicated video cameras.

Like many other Exilim models, the EX-S880 is thin and fits into a shirt pocket. At 94 millimeters by 60 mm by 17 mm, it's not much larger than a cell phone and weighs about the same, at 128 grams.

Behind the 3X optical zoom lens is an 8.1 megapixel image sensor that delivers pictures at up to 3,264 pixels by 2,448 pixels resolution. There are seven still image modes, including 16:9 and 3:2 aspect ratio settings, and six video modes, which range from a 320 pixel by 240 pixel low-quality mode to an 848 pixel by 480 pixel wide-screen, high quality mode at 30 frames per second. Video is recorded in MPEG4 H.264 as a Quicktime .mov file.

The camera doesn't need to be switched between its still and video modes thanks to two shooting buttons. One, on the top of the camera, takes still images and another, in the upper right corner at the rear, is for video. The lack of a still/video mode confused me initially and I couldn't figure out how to shoot a movie until someone explained the buttons to me. After getting the secret it proved very easy to use.

So how do you get a clip onto YouTube? First, you switch to YouTube-optimized mode in the shooting mode selection screen, which sets the capture to 640 pixels by 480 pixels at 30 frames per second. Then you shoot as many videos as you like.

You then slip the camera into a dock, which comes with the device and plugs into your PC (Windows XP SP2, 2000 SP4 and Vista only). This automatically starts a video management application on the computer and grabs the movie files. The application can be set up with a YouTube account, default title name and other settings, so getting the video online involves simply clicking the upload button. Alternatively, you can enter information specific to the clips and then upload them.

Once the upload was complete it took about 10 minutes for the clips to appear on YouTube. While it's not particularly difficult to upload clips manually to YouTube, the software certainly makes it much easier, especially if you have several clips to put online.

In addition to the YouTube features, the camera is packed with optimized modes for still images such as fireworks, twilight, parties, sports, candlelight portrait, and others.

Casio plans to sell both cameras worldwide. In the U.S. the EX-S880 will be priced at $300 and the EX-Z77 at $230. They'll also be launched in Europe from August and be available at about the same time in Asia.

Phishing tool constructs new sites in two seconds

2007-07-10T09:56:00.000-07:00

Jeremy Kirk 28 minutes ago

San Francisco (IDGNS) - Software developers like to make installation of their programs simple and quick. So do hackers.
ADVERTISEMENT

Analysts at RSA Security early last month spotted a single piece of PHP code that installs a phishing site on a compromised server in about two seconds, the vendor noted in its monthly online fraud report for June, released on Tuesday.

The code contains all of the HTML (Hypertext Markup Language) and graphics needed for the fraudulent Web site, which spoofed a financial institution that RSA did not name in the report. The ".exe" file automatically installs the code and graphics in the right directories, RSA said.

It means the hacker did not have to repeatedly access the compromised server to upload graphics or other code for the site, potentially reducing the chance of the computer's security software or network software detecting something awry, RSA said.

"By using such kits, fraudsters will be able to further automate the process of hijacking servers and creating new phishing sites," the report said.

It doesn't bode well for combatting the problem of phishing, where hackers try to elicit passwords or financial information via look-alike Web sites.

Despite efforts to quickly shut sites down, phishing sites averaged a 3.8-day life span in May, according to the Anti-Phishing Working Group, which released its latest statistics on Sunday.

Data from market analyst Gartner released last month showed that phishing attacks have doubled over the last two years.

Gartner said 3.5 million adults remembered revealing sensitive personal or financial information to a phisher, while 2.3 million said that they had lost money because of phishing. The average loss is $1,250 per victim, Gartner said.

New games merge fantasy with real world

2007-06-11T16:21:00.000-07:00

By GREG BLUESTEIN, Associated Press Writer 17 minutes ago

ATLANTA - There's no alien world behind the virtual reality gear, just a modestly
But once the game "AR Facade" starts, you might wish there were space invaders. That's because it puts you in the middle of an excruciatingly uncomfortable argument between Trip and Grace, a bickering thirty-something married couple.

Do you play moderator and decide to help broker a truce? Do you instigate them by complimenting Grace on her decorating style or pretending to be impressed with your pal Trip's place? Or do you act as if everything's peachy while their arguing heats up?

Whatever path is taken, this participatory soap opera at a Georgia Tech research lab is at times funny, awkward and intriguing. And it's always intense and emotionally draining.

"AR Facade" is an "augmented reality" game, a genre that mixes a virtual world with physical reality. The technology is still emerging, though someday people may play such games with gear as simple as their cell phones.

So far, scientists seem to be having fun with the possibilities.

At the University of South Australia, researchers created a version of "Quake," the popular shoot 'em up game, where users with a wraparound visor and a backpack walk around streets and fight superimposed computer objects that only they can see. A human "Pac-Man" game, created at the University of Singapore, places virtual yellow dots along the city streets and allows players to become the game's hero or one of the Ghosts set on catching the little gobbler.

Some have a more practical use, too.

Mark Billinghurst's "Magic Book" is an animated children's book that turns into a 3-D pop-up, changing with each page when viewed through head-mounted goggles. The New Zealand scientist also is helping develop "AR Tennis," which lets gamers use their cell phones as rackets on a virtual court superimposed on a real table. The action is watched on the phones' screens.

"Within five years people will be able to easily experience Augmented Reality applications on their mobile phones, in their homes, schools, hospitals, workplace and cars," he said. "One of the most exciting things is that the current generation of mobile phones have the processing power, display resolution and camera quality necessary to provide compelling AR experiences."

Billy Pidgeon, a games analyst at the research company IDC, says the field shows promise, especially if its future is staked to the growing computing power of cell phones and other handheld devices.

"I don't know if it's a sustainable industry, but there's definitely money in it," he said. "There's many ways you can link gaming and interactive entertainment outside because portable devices are getting pretty powerful — and so is the network. I can see it growing."

At Georgia Tech, the Atlanta school where Trip and Grace's "AR Facade" was created, researchers are using the technology to create "interactive dramas."

The games are "somewhere between a movie and a video game," said Steven Dow, a Ph.D. student in Georgia Tech's human-centered computing program.

"You can kind of choose your own outcome, and you can define your own way to win," he said. "In a way, it's a theater and a stage where people can step in to become an actor in the experience."

Researchers there are creating a game called "Four Angry Men" — based on the play — where players debate the fate of a young man accused of killing his father.

"AR Facade" had a more traditional beginning. Created over a five-year period, it started as a free traditional PC game that asked players to type in comments to interact with the bickering couple. More than 300,000 copies have been downloaded, and it earned critical acclaim for its sophisticated artificial-intelligence system.

Dow and other researchers spent a year trying to bring the game into the real world. They built a living room with a couch, a bar, pictures on the wall, a phone and other household staples. In fact, everything is real except Trip and Grace — the two cartoonish characters can only be seen through a backpack-mounted laptop worn by the player and a screen mounted from the player. The virtual arguing comes through a pair of thankfully comfortable earphones.

The goal of the research is to gain a better understanding of how humans and computers interact. Dow has studied dozens of gamers, watching as some have antagonized the characters while others have grown emotional as the quarreling intensified. One gamer tried to physically stop the fight, only to remember she was trying to block a virtual character from walking away.

The equipment that gamers strap on to enter the Facade world seems imposing, but the processing power that runs the system is no more daunting than what's found in an
Xbox 360 console.

"This whole thing could run on your home game console," said Blair MacIntyre, an associate professor in Georgia Tech's College of Computing.

Professional voice actors recorded thousands of lines of dialogue to play the young couple's voices. As the player talks, a researcher types the words into a computer behind the set. They trigger certain reactions driven by several complex algorithm engines that control the drama, dialogue and even the facial expressions of Trip, a pushy blond, and Grace, an attractive and temperamental brunette.

There are hundreds of different story lines and seven different outcomes — and most of them end badly, with Trip, Grace or both kicking you out of the apartment. But there's one ending, extremely rare, that can almost be described as happy.

The disgruntled couple argues, as usual, over vacations, home decor, jobs and even wine selection. But then, after a shift in tactics by the gamer, they launch into an emotional, loud and occasionally profane fight. You can almost sense the moment they let their guard down.

That's when Grace admits to a lingering depression and concedes that she has allowed Trip to dominate their relationship. And Trip admits his materialism is rooted in his experience growing up on the edge — including living in a shelter for six months.

They finally come to terms, a hesitant truce, and agree to talk about their problems.

But this time, they talk alone.

Thankfully.

Printing books online: an author you can't refuse

2007-06-08T17:00:00.001-07:00

By Robert MacMillan 36 minutes ago

NEW YORK (Reuters) - Lawrence Durrell and Henry Miller are among the world's most respected authors, but for a while they had a hard time finding a publisher.

Rather than seek a mainstream outlet for racy novels such as "The Black Book" and "Tropic of Cancer," they used the Obelisk Press, a French publishing house started by Jack Kahane to print his own novel.

That was the 1930s. Now, a young Henry Miller could use new Internet companies like Blurb.com, i-Universe, Lulu.com or Xlibris to print his book -- and even sell it through their online stores.

Gwen Fuller used Blurb (www.blurb.com) to publish her book, "Do Mallet the Suitcase," a collection of spam e-mail arranged as haiku.

Among them: "Dude, get all U need/And dragonhead by reckon/She will love you more," and "Just what all men need/C'Mon Baby, Light My Fire/Chat and meet women."

Avoiding traditional publishing was a plus for Fuller, 48, a life coach in Menlo Park, California.

"There was a process that I was sort of unwilling to get engaged in when there was something that could so immediately deliver a quality book," she said.

Blurb requires customers to download its software, which then lets them lay out text and photos. Then they send the specifications to the company, which prints the books in either hardcover or soft.

Rates start at $18.95 for one small softcover. Bulk-order discounts start at 10 copies, company founder Eileen Gittins said.

"If you order 10 copies, you get a 10 percent discount, 100 copies you get a 15 percent discount," she said. "Over 200, we encourage you to give us a shout."

Blurb also allows authors to sell their works on its in-house bookstore, printing copies as new orders come in, and to charge a markup so they can make a profit. The company sends out a check every time an author earns $25 or more.

'PEOPLE WHO LOVE TO WRITE'

Many people use Blurb for personal projects as well. Michelle Flaherty and her husband Peter received a book made by their daughters with photos of Haunted Acre Woods, the large-scale Halloween display they mount each year at their home in East Falmouth, Massachusetts.

"It was the first Christmas gift in I don't know how many years that actually made me cry," she said. "It was so original, so different."

While a budding novelist could use Blurb, the company specializes in photo layouts with glossy paper and the look of a "coffee-table" book.

Some writers looking to print more literary works are visiting Lulu (www.lulu.com).

Lulu, founded by Bob Young, co-founder of software company Red Hat Inc., allows customers to publish school yearbooks, artwork, calendars and many other things -- but especially books. Lulu recoups expenses and takes a 20 percent cut of the profit on a book sale.

Mark Wilkerson's biography of Who guitarist and writer Pete Townshend has led him to the brink of a deal with a conventional publisher in Europe.

Wilkerson, 37, is an aircraft maintenance planner for UPS, and lives in Prospect, Kentucky -- about as far away from the mainstream publishing world as it gets.

Publishers that he pitched rejected him or asked him why he was qualified to write his book, the 618-page "Amazing Journey: The Life of Pete Townshend."

"Lulu has been fabulous for me, because what else would I have done?" he said. "I was completely ignorant of the many facets of the publishing industry."

Wilkerson sent his book to reviewers, and received positive notices in The Rocky Mountain News, the Chicago Sun-Times and influential music magazine MOJO. The book came to Townshend's attention, and the legendary musician tentatively committed to writing a foreword to the next edition, Wilkerson said.

Blurb and Lulu are not the only self-publishing options on the Internet. Xlibris (www.xlibris.com) is a self-publishing company that works in a partnership with Random House's investment unit, and iUniverse (www.iuniverse.com) offers similar services.

Both offer more services, with packages from about $300 all the way up to nearly $13,000.

Blurb and Lulu are better for enthusiasts, said Scott Flora, executive director of the Small Publishers Association of North America,

"If there are people who love to write and they want to see their book in print, this is a good option," he said.

Beware of fake Microsoft security alerts

2007-06-08T16:58:00.000-07:00

Robert McMillan 31 minutes ago

San Francisco (IDGNS) - With Microsoft's monthly patch release expected on Tuesday, scammers are sending out fake security bulletins that attempt to install malicious software on victim's computers.

The e-mail messages claim to describe a "Cumulative Security Update for Internet Explorer" that fixes a critical security flaw in the browser. It comes with a link entitled "Download this update."

When users click on this link, they are taken to a server that attempts to install malicious software known as Trojan-Downloader.Win32.Agent.avk.

This Trojan software then attempts to reach out to other computers on the Internet in order to install more programs on the victim's computer.

The SANS Internet Storm Center received its first and only report of the scam on Thursday night, but a second sample has also been posted to the Chinese Internet Security Response Team blog.

SANS volunteer Lenny Zeltser believes that the criminals behind this scam may be gearing up for more activity. The trojan looks for three different servers, and two of them have domains that haven't yet been registered. He suspects the authors of the scam may be planning to register those domains before embarking on a more widespread campaign.

The two e-mail samples contained obvious errors that would be caught by technically savvy users. For example, although the patch Zeltser examined claimed to have been issued in June 2007, it was entitled MS06-4 instead of the more-plausible MS07-004.

Still, these scams need to fool only a small percentage of victims in order to be successful, said Zeltser, information security practice leader at Gemini Systems in New York. "You wonder, does it really matter that there are these strange discrepancies in the way the fake security alert is written," he said. "People who would notice probably would be the kind of people who wouldn't click on the link."

Another tip-off: Microsoft does send out notification e-mail when it publishes security bulletins, but the links in these alerts take users to the bulletins themselves, not to executable downloads

Outsmarting Keyloggers

2007-05-11T11:33:00.000-07:00

By David A. Smith

As the financial officer for my organization in Tanzania, I sometimes travel without my laptop and need to access password-protected Web sites from Internet cafés or hotel business centers. I worry about whether these public computers have keyloggers installed.

By using the Windows On-Screen Keyboard accessibility utility, can I safely prevent keyloggers' recording my passwords?

If the On-Screen Keyboard simply creates key-press events that can still be intercepted by keyloggers, then can Copy/Paste be used to avoid the keylogger threat? Or do keyloggers also record the contents of the Windows clipboard? Do you have another suggestion for safely entering passwords at public computers?

The On-Screen Keyboard utility is designed to let mobility-impaired users enter small amounts of text, typically by using a specialized pointing device. For maximum compatibility, it works by sending simulated keystrokes to the active application. I tried it with a number of the commercial keyloggers that I use in antispyware testing, and it was no help at all: The simulated keystrokes were captured just as actual keystrokes would be.

You could conceivably launch the Character Map utility and build your password by double-clicking characters. Once you had built the whole password, you'd click the Copy button and paste it into the password-entry box. Unfortunately, keyloggers can do a lot more than merely log keystrokes. Most also record everything that gets copied to the clipboard, and many also snap screenshots of program activity. Character Map, then, is not a solution.

The one possibility that seems hopeful is this: Type your password with extra characters in it and then use the mouse to highlight and delete the extra characters. For example, you might type passFROGword and then highlight and delete the middle four dots. Or type p1a2s3s4w5o6r7d8 and delete every other dot. A keylogger would still record all of the keystrokes that make up your password, but they'll be mixed with other unrelated keystrokes.

If you need to use a public PC, your best option for entering passwords is to use a mobile password management/form filling application such as Siber Systems' Pass2Go ($39.95, www.roboform.com). Pass2Go runs off a USB memory key and protects your passwords behind a master password. Even if the master password is compromised, it's useless to the thief unless he has your USB key, too. It's not a foolproof solution, but it will evade hacking tools that rely on capturing keyboard events.

But really, you should do your best to avoid using nonsecure computers. Even if you keep a keylogger from snagging your password, it might still take screenshots of key financial info. Your best bet is to implement a high degree of security on your laptop and resign yourself to lugging the darn thing along.

Posts:

Re: Outsmarting Keyloggers
Reply Quote
The latest version of AIRoboform with the Mozilla Adapter actually includes a mouse-click button which then opens an on-screen clickable keyboard that avoids any keypresses at all. Smile [:)] Very nice - very slick!! (Way to go Siber Systems!) Be sure to get this latest version.

-Bob-

Re: Outsmarting Keyloggers
Reply Quote
You could also try carrying a Linux live boot CD. If the PC in the Internet cafe can be booted from CD you can run a complete GUI including Web browser and email program without involving the local hard disk or OS at all. You can even keep persistent data and settings on a USB memory key, although that's a bit harder. But if all you need is a Web browser that hasn't been corrupted by someone else's bad surfing habits, this is a way to go.

Check out Ubuntu and SUSE for good live boot CDs. Both will be easy to use for anyone familiar with Windows.

Re: Outsmarting Keyloggers
Reply Quote
I'm surprised you didn't mention rolling key systems such as secureID cards that generate new random password encryption keys every 60 seconds. The keys are in synch with a server who knows how to decrypt each new key.

You enter your password and the random key, and the server authenticates you. That combination is never good again.

Of course that only gets you in securely. You still have to watch what you type!

Re: Outsmarting Keyloggers
Reply Quote

rrawding wrote:
The latest version of AIRoboform with the Mozilla Adapter actually includes a mouse-click button which then opens an on-screen clickable keyboard that avoids any keypresses at all. Smile [:)] Very nice - very slick!! (Way to go Siber Systems!) Be sure to get this latest version.

-Bob-

I have the latest version - I just checked. But I'm not seeing this mouse-click button. Where, pray tell, will I find it??
Neil J. Rubenking
Lead Analyst, OS and Security, PC Magazine

Re: Outsmarting Keyloggers
Reply Quote

Hello Neil,

How do you rate PrivacyKeyboard TM from Anti-Keyloggers.com for the purpose of entering passwords ?

Thanks, Pierre

Re: Outsmarting Keyloggers
Reply Quote
Sorry, the most contact I've had with it is to announce the release of version 3.1. But Product Announcements are not evaluations; I haven't used it.
Neil J. Rubenking
Lead Analyst, OS and Security, PC Magazine

Re: Outsmarting Keyloggers
Reply Quote
Neil,

It comes into play when you secure RoboForm with a master password. Once you try to fill in any forms, the Master Password dialog box comes up with a smallish button on the right side of the dialog box. Left mouse-click that and the mouse keyboard pops up. My version is 6.7.3 Pro. Sorry I hadn't clarified the master password element. See http://www.roboform.com/ver6.html

-Bob-

Re: Outsmarting Keyloggers
Reply Quote
OK, I see it now. When I get a chance I'll check whether keyloggers can trap what it's sending.
Neil J. Rubenking
Lead Analyst, OS and Security, PC Magazine

Re: Outsmarting Keyloggers
Reply Quote
Neil,

According to the Roboform web site, I do not think that any input goes through the keyboard buffer, so the keylogger shouldn't work there....right?

Just a guess.

Bob

P.S. ...always enjoy your column

Re: Outsmarting Keyloggers
Reply Quote
A Live Boot CD, that was exactly my thought. That should bypass everything except a physical keylog device.

Is anyone here going to test that out? Does onyone at PCmag like Linux?

Re: Outsmarting Keyloggers
Reply Quote

To outsmart keyloggers (both software and hardware ones), I prefer to use programs that bypass keyboard altogether - e.g. Mouse Only Keyboard (MOK) with anti Clipboard logger - find at

http://www.myplanetsoft.com/free/antikeylog.php#mok

or even better - a terrific program that I recently discovered and which beats also mouse-loggers, called HashPass - check at

http://www.kagi.com/fantasy/

which not only bypasses keyboard by using Clipboard with anti Clipboard logger but can even bypass also the Clipboard allowing to use drag-and-drop. Fortunately, practically all web sites' password edit boxes are drag-and-drop enabled. I've been using HashPass since I discovered it and it uses a well conceived and implemented concept that I have not seen applied anywhere else so far. It's a small standalone app, doesn't have to be installed, doesn't require admin rights and can be run from any removable medium. At this moment it's my top of the line.

How about doing it like a ransom note
Reply Quote
What if you opened a page full of text in a separate window, selected one letter (or chunk) at a time, and dragged each one directly into the form. The content of each drag never gets put into the clipboard.

Re: How about doing it like a ransom note
Reply Quote

wolfpack3 wrote:
What if you opened a page full of text in a separate window, selected one letter (or chunk) at a time, and dragged each one directly into the form. The content of each drag never gets put into the clipboard.

Hey, I kinda like that. Even if the monitoring software is snapping screenshots, it wouldn't do so often enough to catch more than a fraction of your ransom-note letters.

But wow, TEDIOUS to do it!
Neil J. Rubenking
Lead Analyst, OS and Security, PC Magazine

Re: Outsmarting Keyloggers
Reply Quote

rrawding wrote:
Neil,
According to the Roboform web site, I do not think that any input goes through the keyboard buffer, so the keylogger shouldn't work there....right? Just a guess.
- Bob

//// NEIL, ////
Have you ever had a chance to test whether your sample key-loggers are outsmarted by RoboForm's method of filling in passwords as RoboForm claims?

Have you ever had a chance to test whether your sample key-loggers are outsmarted by RoboForm's clickable keyboard provided by the button to the right of the RoboForm Master Password prompt?

Thanks for all your great utilities over the years!

Thanks for your reply in advance,
- Hal Lane

Products:
*

Stealth Keylogger $24.95

Undetectable logger records e-mail, web pages, IM chats & passwords!

www.Gore-Research.com
*

Catch a Cheating Spouse

Yesterday, He Installed PC Pandora Today, She was Busted Online!

PCPandora.com
*

Keylogger Software

Monitor kids' Internet use easily. Simple to set up. Free download!

www.NetworkMagic.com
*

Keylogger Reviews & Guide

All keyloggers fully tested for you Unbiased reviews. Full comparisons.

WellResearchedReviews.com/Keylogger
*

AceSpy: Computer Spy

Record computer activity in total stealth including emails and chats.

www.retinaxstudios.com

Report: Supply of IT Pros Down, Though Demand Is Up

2007-05-10T09:48:00.000-07:00

By Deborah Perelman
May 10, 2007

The bad news is IT job growth is bad; the good news is because there aren't enough good workers to go around. Good news if you're in the workforce, that is.

IT employment posted a small increase in April, but has remained essentially flat for the last 11 months, finds the April 2007 IT employment report released on May 9 by the National Association of Computer Consultant Businesses, a trade association that represents IT staffing firms.

April saw an increase of 900 IT workers, leaving the total level of IT employment at 3.67 million, where it has rested since August 2006, found the report. Between May and July 2006, IT employment rested at 3.66 million.

"IT employment has remained essentially flat for the last 11 months because of limited supply of IT professionals, not lack of demand. To the contrary, demand for IT professionals remains very robust with unemployment below 1 percent in many IT skill sets," said Mark Roberts, CEO of NACCB.

The report stated that, while companies have always used IT staffing and solutions firms to address the flexible nature of their services, clients are increasingly turning to IT services firms because they are unable to fill their IT vacancies through internal channels.

Throughout the report, a shortage in supply of IT talent, and not a lack of demand for workers, was the reason given for the flat growth in IT employment.

"If you look at the unemployment data, so many computer professions have less than 1 percent unemployment. The H-1B allotment was gone in one day. The demand is there, but the supply is not," said Roberts.

Roberts argued that the supply issue is rooted in the loss of technology recruits after the 2001 economic downturn, and also in the lack of effort in luring students back now that the economy has improved.

"The problem starts way before the university level. Among a host of other problems, tech just ain't cool. Parents aren't encouraging their kids to go into technology. At one point, with all the IPOs and the options, tech had great appeal, but it's lost its allure since the bust," said Roberts.

H-1B temporary worker visas and offshore outsourcing were considered inevitable effects of a short supply of IT workers, and not something that further diminished IT's appeal.

"If we don't have the people, the work will get pushed offshore. One way or another, companies will get their projects done," said Roberts.

In January 2006, the NACCB's IT Index found that employment of IT professionals had essentially returned to the pre-downturn levels.

"You'll see variations in the demand. When the economy has a downturn, the companies will reign in their expenses. But the long term is that we're going to need more of these people to fill IT jobs," said Roberts.

Check out eWEEK.com's Careers Center for the latest news, analysis and commentary on careers for IT professionals.

Tech CEOs Predict Swelled Use of Offshore Talent

2007-05-01T09:53:00.000-07:00

By Deborah Perelman
May 1, 2007

Admitting that finding, hiring and retaining qualified employees is their biggest operational challenge, nearly half of fast-growth technology CEOs said they are tapping overseas markets for talent.

This is a trend they expect to only increase over the next five years, according to 2007 CEO Survey released by Deloitte, a Swiss Verein, May 1.

However, these CEOs also said that they were shying away from doing business outside North America.

"It's not unexpected that CEOs of fast-growth companies would look offshore for the talent they need to continue growing in a tight market," said Tony Kern, managing principal of Deloitte's Technology Fast 500 program.

"What is counter-intuitive is that CEOs' interest in selling to overseas markets is waning, with more than three-quarters of CEOs saying North America represents the best opportunity for significant growth over the next five years. Their interest in Asia Pacific dropped by half to 10 percent from last year—possibly due to intellectual property protection issues."

Sixty-seven percent of the technology CEOs surveyed, consistent with the 66 percent in the 2006 survey, said high-quality employees are the biggest contributors to company growth. Finding, hiring and retaining the best employees, however, is continually their biggest operation challenge, cited by nearly half (48 percent) of CEOs, and up from 41 percent in 2006.

This talent shortage has caused tech-company CEOs to increasingly pull out all of the stops to lure in new hires. Sixty-nine percent said they relied on equity compensation and stock options, though down from 71 percent in 2006; 51 percent offered flexible hours, up from 29 percent in the prior study; and 38 percent offered training programs and educational opportunities, up from 35 percent in 2006. Only 31 percent of CEOs said they offered workers a career path, up from a previous 28 percent.

"When it comes to talent, supply and demand are out of balance, making employees more like consumers," explains Jeff Alderton, a principal of Deloitte Consulting.

"And like consumers, if employees with those in-demand skill sets are not receiving the satisfaction they seek from their work place, they will find it elsewhere—with the competition. This will put an even greater strain on employers for available talent."

Technology CEOs said they are increasingly turning to overseas talent to compensate for this shortage of qualified workers, with nearly half (45 percent) stating they are currently offshoring. This percentage will only increase, as 55 percent of respondents said they are planning to offshore in the next five years, so much so that in five years, 30 percent of these tech-company CEOs planned to have one-tenth (10 percent) of their workers offshore. Twenty-seven percent planned to have up to one-fifth of their work force (20 percent), 19 percent expected to have almost one-third (30 percent) and 15 percent expected to have up to 40 percent of their work force situated in other countries.

Yet, even the technology CEOs who saw a partially offshore work force as the most promising expect that the vast majority of their companies will remain onshore in 2012.

The Deloitte survey also found that CEOs are fairly confident about the continued growth of their companies. Eighty-two percent of respondents said they were very or extremely confident about their business developments.

Virtually all (98 percent) said they will be hiring over the next 12 months. Thirty-seven percent said they will grow their work force 26 percent to 50 percent over the next 12 months, up from 30 percent last year. Half the CEOs said they planned to grow their head count by up to 25 percent, a percentage unchanged from 2006. Eleven percent of tech-company CEOs said they planned to grow their head count more than 50 percent, down from 17 percent from the previous year's survey.

The biggest gripe of technology CEOs was not access to capital, but government regulation and terrorism. Thirty-four percent felt their biggest threat to growth was excessive government regulation, followed by increased competition from emerging powers like China and India (19 percent) and terrorism (18 percent). Access to capital was chosen by only 9 percent of respondents as their biggest concern.

The Deloitte survey is the result of an annual poll administered to CEOs of companies ranked in Deloitte's Technology Fast 500, a ranking of the fastest-growing technology companies in North America.

Check out eWEEK.com's Careers Center for the latest news, analysis and commentary on careers for IT professionals.

Rootkits: The next big enterprise threat?

2007-04-30T16:50:00.000-07:00

Capable of cloaking malware, rootkits are fast infiltrating the enterprise to expose sensitive data without detection

By Steve Hultquist
April 30, 2007 Talkback E-mail Printer Friendly Reprints
Late at night, a system administrator performed a routine check of a crashed server, one of 48 systems comprising a major online infrastructure that generated about $4 million per month in revenue. He was a bit surprised that the system had gone down, as it had been humming for months without any indication of being prone to crashing. The check uncovered three encrypted files. The administrator called on MANDIANT to analyze them.

What MANDIANT found was that an unauthorized kernel modification had caused the system to become unstable, and that the modification had compromised the system's security as well. To determine the extent of the breach, each of the 48 servers needed to be taken offline, booted in a controlled environment, and analyzed for three to five hours each. About half had the crack installed, forcing the company to assume that all credit card information had been compromised. What had first seemed routine resulted in a financial nightmare -- one that many companies are leaving themselves exposed to, unaware of the increasing pervasiveness of rootkits.

Every organization is aware of the importance of securing core systems, networks, and end-user equipment in an increasingly mobile and malware-saturated world. But what most may not realize is the growing threat of malicious software intended to keep its presence hidden from administrators and traditional anti-virus software. Termed after early Unix packages designed to replace commands that would otherwise alert admins to the presence of intruders who had "root" or admin access to systems, rootkits are on the rise among those seeking to steal corporate and personal information for financial gain.

Rootkits alone, of course, are not inherently malicious. But when packaged with malware, they can facilitate deeply compromising security breaches undetected, especially as they become increasingly popular for attacks on non-Unix systems, specifically Windows. And with Forrester Research recently estimating that security breaches cost companies between $90 and $305 for each record lost, who can afford to turn a blind eye to what may invisibly be leaching sensitive data from their network?

The rise of rootkits
Rootkits date back to the earliest years of the Internet, when crackers created cloaked variants of Unix commands to ensure their deeds on compromised systems would go undetected. A concern mainly of system administrators for Net-connected Unix systems, rootkits remained relatively low-profile for many years, until Sony BMG Music Entertainment's Windows rootkit DRM (digital rights management) boondoggle of 2005.

In an attempt to enforce copyright protection, Sony BMG developed a rootkit that surreptitiously installed XCP (Extended Copy Protection) or MediaMax CD-3 software when music CDs were played on a PC. Poorly designed, the software opened holes in the Windows OS, facilitating infection by viruses and causing other system problems. Mark Russinovich, now a technical fellow at Microsoft, discovered the rootkit's behavior, which he then announced on his blog. The resulting furor and further illustrations of the fallout of the rootkit led Sony BMG to recall the CDs and issue a removal program. Unfortunately, the removal program was equally poorly designed, leading to additional privacy and security concerns, as documented by Russinovich.

This incident awoke two groups to the potency of Windows rootkits: crackers and professional criminals who break into computers on the one side, and the companies who create software to protect systems on the other. Already entrenched in a high-stakes battle over malware, the two camps now had a new, potentially more damaging front on which to contend. The Computer Economics 2005 Malware Report, the organization's latest, put the cost of malware in 2005 at $14.2 billion. The ability of malware authors to hide their scripts from anti-virus software's capability of automatically detecting, protecting, and eradicating most malware would only serve to escalate the stakes, especially as malware authors' motivation "continued to shift from a general desire to inflict damage to an intent to gain financially, through theft of personal information such as credit card data or by gaining access to financial accounts," according to the survey.

The greater emphasis on mobility in the enterprise has certainly contributed to the increasing likelihood of infection with cloaked malware. So too are the various unpatched security holes in Microsoft Windows and related products, which provide access for automated rootkit installation. The proliferation of rootkits -- which are used to cloak files on disks, system hooks, and processes running on systems -- is alarming, as spyware developers and malware authors are creating bot networks that use rootkits to evade detection, hiding not only the malware but also what information is being obtained. Some of the more sophisticated rootkits even modify and corrupt Windows APIs. (For more detailed information on rootkits, visit rootkit.com or read Greg Hoglund and Jamie Butler's Rootkits: Subverting the Windows Kernel.)

Part of what's fueling the proliferation of rootkits is the ease with which they can be implemented.

"It has definitely ramped up over the last year and a half to two years," says Butler, principal software engineer at MANDIANT. "It has gotten very easy for malware authors to cut and paste these technologies into their code set to maintain a presence on the machine."

For the time being, malware rootkit use remains crude. "Many of the attacks are unsophisticated," Butler says. "We're not seeing leading-edge rootkit technologies." But the dynamics of intrusion and response that are the hallmarks of the security industry are fast pushing the use of rootkits in innovative directions.

The front lines of rootkit defense
Rootkits employ a variety of methodologies to conceal themselves. Some overwrite kernel structures to replace the hooks normally used by Windows commands. Others create files within the file system that are effectively invisible. Still others capture hooks in Windows commands to corrupt their outputs. Many hook into addresses used for kernel services, changing the address of the table entry so the rootkit gets called before the real Windows system call is performed. Extensive details on current approaches to concealment are available at rootkit.com and other Internet sites. One recent methodology posted on rootkit.com involves loading a drive in place of the Windows null.sys dummy driver. The same post outlines three other methods for hiding drivers and offers the code for null.sys replacement.

In terms of defending against infection, Microsoft Windows Vista 64-bit resource protection and Software Restriction Policies in Windows XP provide some assurance, but developers of rogue software have proven their ability to find new ways to hide code on compromised machines. In fact, the rootkit front is fast transforming into an arms race, with each side innovating in response to developments the other camp pushes forward. Keeping on top of the latest modes of prevention is essential, especially if you are responsible for a fleet of computers running any variations of Microsoft Windows.

As for the big security players, a number are appropriating the traditional approach to viruses, using signature-based searches to track down known rootkits and applying related fixes. Two of the major vendors, Symantec and Trend Micro, however, are taking unique tacks in combating rootkits.

Symantec is leveraging mapping technology to discover rootkits on compromised systems. Oliver Friedrichs, director of emerging technologies for security response at Symantec, believes rootkit eradication requires a stable, reliable design that minimizes false positives and mitigates system instability during rootkit removal. To make good on this mission, Symantec has employed the expertise and technology brought on board during the Veritas acquisition. Using VxMS (Veritas Mapping Service), Symantec's Norton Internet Security 2007 maps data on the hard drive, compares it with the Windows file structure, and isolates any discovered mismatches in an effort to repair potential problems. In effect, VxMS enables Norton to compare file systems with the raw data on the disk. Differences are immediately suspect.

For example, say Windows Explorer shows five files in a directory, whereas VxMS shows 10. Clearly, the additional five files are cloaked. Norton sends the suspicious files to Symantec for analysis, eradication occurs during reboot, and the discovered rogue is removed from other systems worldwide as a result.

Trend Micro takes a different approach. Using experience gained in its security labs, the company developed a complete library -- the RCM (Rootkit Common Module) -- to replace the Windows APIs, says Geoff Grindrod, solution product manager at Trend Micro. According to Grindrod, the library includes double encryption to avoid spoofing, and its proxy for API calls is constructed as a special kernel module. With the RCM, the system sees hidden processes, hidden registry keys, and hidden files. As the RCM has matured, it has been integrated into more and more Trend products and is now a core component of anti-spyware and other Trend Micro products, Grindrod says.

Discovering rootkits, however, is only half the battle, as excising them can result in its own set of problems.

"Rootkits are so imbedded in the operating system," Mandiant's Butler says. "Plus, we're seeing firmware attacks and survivable rootkits installing themselves in the BIOS. Removing rootkits can also make the system unstable while it's running."

Admins should be aware of the implications of rootkit removal before lunging headlong into the endeavor, says Ron O'Brien, senior security analyst at Sophos, one of the first security vendors to offer a rootkit removal tool.

"Rootkits are not 'bad,' but they have developed a reputation for being bad," O'Brien says. "They are really just a form of hidden files" that may have legitimate uses. Ripping rootkits out before establishing their purpose can prove detrimental to overall system health, he adds.

Coping with an evolving threat
Despite advances in prevention and removal, Steve Manzuik, senior manager of security engineering and research at Juniper, sees no end in sight to the rootkit threat. In fact, Manzuik believes that rootkit.com, Joanna Rutkowska's work on the Windows kernel, and Microsoft's resource protections for 64-bit Windows Vista are "making it more difficult for both attackers and vendors."

Manzuik sees that current approaches to rootkit discovery and removal are beginning to fail despite improvements in Windows security. Factor in the lag time before Vista protections are widely deployed, and you have a perfect breeding ground for rootkit innovation. For example, Manzuik points out that some rootkits can now bypass the security sandbox. They detect they are in the sandbox and lay low, effectively tricking the system into thinking they are legitimate apps.

MANDIANT's Butler, however, believes that Vista protections will have an impact. Not only will the protections make it more difficult for rootkit authors to break in, Butler says, but it will also require "another separate effort to conceal themselves and maintain their presence."

Manzuik and Butler do, however, agree on the importance of strict user access policies. Both view rootkits as further evidence against giving users admin-level access to systems -- especially at smaller organizations, where the practice is often promoted as a cost-cutting necessity.

"The culture in smaller companies is that they will only call the IT guys if they can't figure it out themselves, which leads to most users having admin rights on machines," Manzuik says. Any organization employing this policy -- regardless of its size -- will be compromised, Manzuik says.

Because of this, Manzuik believes policy should figure foremost as a means for protecting systems against rootkits: "Without buying special technology, [most organizations] can deal with the majority of the threats with proper security policy and management."

That said, recent attention paid to rootkits has resulted in a raft of discovery and removal tools, both free and host-based, including IceSword, RootkitRevealer, F-Secure's Blacklight, and Sophos Anti-Rootkit. Over time, these functions will be integrated into enterprise-grade anti-virus and host-based security solutions. In the meantime, however, most organizations remain unprepared -- all the more troubling, given that opportunism is pushing rootkit know-how deeper underground, out of the IT community spotlight.

In the past, innovations in the art of hiding rootkits was shared in newsgroups and posted to community Web sites. The financial upside of having rootkit knowledge, however, is changing that, MANDIANT's Butler says. Those who uncover new approaches may take their discovery to a security company as their calling card to obtain a job. More disturbing, however, is the amount of money malware authors are willing to pay for new techniques. And with both sides of the divide doling out cash for the latest innovations, rootkit development is clearly becoming a lucrative pursuit -- one that leaves most organizations in the lurch, unaware of what's coming.

To reduce the probability and impact of rootkit infection, organizations should take the following proactive steps:

1. Do not ignore the threat and do not rely entirely on deployed anti-virus or host security systems.
2. Develop and implement a plan to analyze the current state of all systems.
3. Establish proactive procedures for maintaining an expanding defense against rootkit installation attempts, including policies and end-user communication.
4. Create a plan to analyze any infections that occur.

Kevin Mandia, president and CEO of MANDIANT, notes two essential capabilities for discovering rootkits in the enterprise: "the ability -- tools and technology -- to detect the rootkit’s network traffic via network security monitoring; and the ability to perform a sophisticated host-based console review, [making sure you're] able to conclude that the host-based review did not identify the process that is generating the suspicious network traffic."

For organizations looking for added protection against rootkits, enlisting the assistance of security experts is a worthwhile idea. MANDIANT, for one, provides incident-response software and professional services, enabling organizations to tap experts when developing risk-mitigation strategies and when responding to incidents to determine what data was lost and how the attack entered and evolved.

Unfortunately, too many organizations will wait until they have lost data and have exposed themselves to great financial harm before taking steps. Don't be one of them.

Steve Hultquist is a contributing editor of the InfoWorld Test Center.

Florida Might Be Tech's Next Big Hub

2007-04-26T13:03:00.000-07:00

By Deborah Perelman
April 26, 2007

When most people think of big high-tech hubs, what comes to mind is Silicon Valley. In-the-know IT workers might also add Northern Virginia, Denver or Austin to that list. But rarely is much said about Florida, which, according to the AEA's "Cyberstates 2007" report, is the fourth-largest and second-fastest-growing technology hub.

Florida's high-tech industry added a net 10,900 jobs between 2004 and 2005, a growth in technology-related employment surpassed only by California, which added 14,400 high-tech jobs in the same period.

Florida's employment of a total of 276,400 high-tech workers in 2005, the most recent year for which data is available, made it the fourth largest high-tech employer out of the 52 areas (50 states plus Puerto Rico and the District of Columbia), surpassed only by California (919,300), Texas (445,800) and New York (299,900).

Florida's tech manufacturers added 2,100 net jobs in 2005 alone, driven largely by a 1,500 net job increase in the defense electronics sector. Among the tech services sectors, engineering services saw the largest increase (over 4,600 jobs), followed by computer systems design and related services (over 2,500 jobs), and Internet services (over 1,100 jobs).

"Florida's high-tech industry is riding the crest of a wave," said Amjad Shamim, CEO of AAJ Technologies, in Fort Lauderdale, Fla., and chair of the American Electronics Association's Florida Council.

"While other states are only now beginning to recover from the bursting of the tech bubble in 2001, we have seen two straight years of some of the fastest growth in tech industry jobs in the country. While other states continue to see their tech manufacturing base erode, Florida added manufacturing jobs. And this growth benefits the entire state economy. The average tech industry wage in Florida pays 70 percent more than the average wage of Florida's private sector," Shamim said.

Specifically, high-tech employees in Florida earned an average salary of $61,000, which ranked 29th in the nation for tech salaries.

Meanwhile, high-tech firms employed 41 out of every 1,000 private sector workers in 2005, a substantial number in a state where, according to the U.S. Census Bureau, nearly 17 percent of the population was above retirement age.

So, why is it that when people think of big tech hubs, Florida rarely comes to mind?

"From our vantage point, very few people realize that Florida is a high-tech state," said Todd Rader, CEO of Avancent Consulting and vice chair of AEA's Florida Council. "In fact, most Floridians would not see the Sunshine State as a high-tech giant, even though we are the fourth-largest and second-fastest-growing 'Cyberstate' in absolute number of jobs."

Some argue that this is because Florida lacks an identifiable technology epicenter, such as California's Silicon Valley or Northern Virginia's tech corridor.

"The state doesn't see itself in high-tech terms, largely because their tech jobs are spread all over the state, from Tallahassee to Miami, and that's an enormous area, but there isn't one pocket that dominates," William T. Archey, president and CEO of AEA, headquartered in Washington and in Santa Clara, Calif., told eWEEK.

Lacking a centralized tech region may not seem particularly harmful, but analysts and planners alike point to the power of a nerve center to attract the best employees and businesses.

"Clustering is a notable phenomenon in the high-tech industry. High-tech companies like to go where high-tech companies already are. In other words, geeks like to be with geeks," Archey said.

As Silicon Valley, still in the No. 1 slot, grows increasingly more expensive to live or start a business in, the question of where tech startups may cluster next is up for debate.

"To some extent, Silicon Valley has been a victim of its own success, causing the cost base of its companies to accelerate," said Paul Forster, CEO and co-founder of Indeed.com, a job search engine based in Stamford, Conn., told eWEEK.

And in an age of wireless communications and cross-country telecommuting, technology professionals may be looking to stay closer to home.

"Not everyone wants to live the California lifestyle. There are places with a higher quality of life and tech-challenging positions," said Brandon Courtney, vice president of the Professional Services division of Spherion, a staffing and recruitment firm based in Fort Lauderdale, Fla.

Check out eWEEK.com's Careers Center for the latest news, analysis and commentary on careers for IT professionals.

Myth crushed as hacker shows Mac break-in

2007-04-20T13:04:00.000-07:00

Dino Dai Zovi was able to remotely break into a Mac as part of a contest designed to illustrate security flaws in OS X

By Nancy Gohring, IDG News Service
April 20, 2007 Talkback E-mail Printer Friendly Reprints
A hacker managed to break into a Mac and win a $10,000 prize as part of a contest started at the CanSecWest security conference in Vancouver.

The conference organizers decided to offer the contest in part to draw attention to possible security shortcomings in Macs. "You see a lot of people running OS X saying it's so secure, and frankly, Microsoft is putting more work into security than Apple has," said Dragos Ruiu, the principal organizer of security conferences including CanSecWest

Initially, contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail.

Dino Dai Zovi, who lives in New York, sent along a URL that exposed the hole. Because the contest was only open to attendees in Vancouver, he sent it to a friend who was at the conference and forwarded it on.

The URL opened a blank page but exposed a vulnerability in input handling in Safari, Comeau said. An attacker could use the vulnerability in a number of ways, but Dai Zovi used it to open a back door that gave him access to anything on the computer, Comeau said.

The vulnerability won't be published. 3Com's TippingPoint division, which put up the cash prize, will handle disclosing it to Apple.

The prize for the contest was originally one of the Macs. But on Thursday evening, TippingPoint put up the cash award, which may have spurred a wider interest in the contest.

One reason Macs haven't been much of a target for hackers is that there are fewer to attack, said Terri Forslof, manager of security response for TippingPoint. "It's an incentive issue. The Mac is not as widely deployed of a platform as, say, Windows," she said. In this case, the cash may have provided motivation.

The contest was a chance for hackers to demonstrate techniques they may have boasted about. "I hear a lot of people bragging about how easy it is to break into Macs," Ruiu said.

Some attendees didn't think it was a coincidence that on late Thursday Apple released a patch for 25 vulnerabilities in OS X.

Macs haven't been targets for hackers and malicious code writers nearly to the degree that Windows machines have historically. That's in part because there are fewer Macs in use, thus making the potential impact of malicious code smaller than on the more widely used PCs.

Also, Apple is "extremely litigious when people do find stuff," noted Theo de Raadt, OpenBSD project leader and an attendee at the conference. He suspects that will backfire on Apple, which could begin to "look evil" if hackers begin to publish potentially threatening letters from the company.

This story was updated on April 20, 2007

tenelenven 2007-04-20 18:13:06 flag as inappropriate
This is not a hack to the OS, it's just a hack to Safari and offers no breach of the OS once the blank page appears. Nice try, but another yawner.
riquiscott 2007-04-20 19:14:15 flag as inappropriate
From the article: "The URL opened a blank page but exposed a vulnerability in input handling in Safari, Comeau said. An attacker could use the vulnerability in a number of ways, but Di Zovie used it to open a back door that gave him access to anything on the computer, Comeau said." Sounds to me like the OS was in fact breached...
MattInChicago 2007-04-20 19:42:59 flag as inappropriate
Funny, to me it seems to prove the point of just ho secure "Mac OSX" really is! They couldn't crack it! Try as they might it was a non-starter. So rather than be embarrassed they changed the rules and opened a browser, the least secure app of any OS (made to read/write over internet) and they found a hole there! Ok fair enough! The headlines and stories should then be factual. This one should have read: "Myth proven as hackers are unable to perform Mac break-in Dino Di Zovie was only able to remotely break into a Mac when allowed access to a running browser, Safari, as part of a contest designed to illustrate security flaws in OS X, that had until then yielded no winners".
riquiscott 2007-04-20 20:32:19 flag as inappropriate
Di Zovie was still able to inappropriately gain root access through an application, something that a totally-secure OS would not allow.
MacKTHeRIPper 2007-04-20 20:40:28 flag as inappropriate
You may be right as long as the Mac was sitting there doing nothing it was not cracked. Once they started using it, things changed. It was cracked as though it was hit with a ton of bricks. Seems to me that it cost a lot not to use though??
tenelenven 2007-04-20 20:59:47 flag as inappropriate
InfoWorld might want to pull this story, since it has now been reported, they bent the rules to make this hack work: From CNET: "The successful attack on the second and final day of the contest required participants to surf to a malicious Web site using Safari--a type of attack familiar to Windows users. CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day." So it wasn't a break-in as first believed... which is "priceless" since it shows OSX remains unhacked.
MattInChicago 2007-04-20 21:24:57 flag as inappropriate
First of all...I did NOT say OS X was "totally secure". All one has to do is check software updater today! What I am saying is that it's one thing to have some vulnerability and another to actually exploit it in the wild. So many OS X issues are local in nature or require a set-up that's "just right". This is why attacks, even if they were to happen, would even be more limited than the Mac's market share. Will some hole be found one day in OS X as it ships by default? Maybe, I wouldn't be surprised. But in the meantime the Windows fan boys need displays such as this, for what, I guess to post stuff like I've read here. It's really got to bother them that OS X itself wasn't hacked especially when a similar contest using Windows will never happen...I mean who wants to loose $10K on a sucker bet! ;-)
tenelenven 2007-04-21 07:44:19 flag as inappropriate
InfoWorld publishes FALSE report: "Opening an email URL that exposes a security flaw in Safari is both news to report and a problem for Apple to tackle, but reporting it as a remote exploit is inaccurate, irresponsible, and sloppy journalism, particularly for IDG's InfoWorld, which purports to be an authority on computing." More Here: http://snipurl.com/1hh5n oops!
TomH 2007-04-21 09:27:29 flag as inappropriate
First, they change the rules, then they forget to mention the OS X Leopard is axing input manager hacks. Don't tell us Microsoft is doing more. What a lame attempt at making Macs look less secure than Windows as the Leopard release approaches. complete reporting would have been, well, more complete. And lets just do away with this whole there aren't enough macs to make it worthwile. John Gruber took Larry Seltzer to task on this one a while back. http://daringfireball.net/2006/11/jackass_larry_seltzer
Dragon76 2007-04-21 09:30:26 flag as inappropriate
If you read what actually happened, instead of just this article, they were not able to achieve root, just user access to the system.
millenium 2007-04-21 09:48:19 flag as inappropriate
thous are very, very big lies - did you follow the contest???? - now i know that we can't trust no more to InfoWorld - or you just need to change your Reporters - Nancy Gohring you are unacurate and uneducated and you're a big lier - you write, but you don't follow ( what you're writing about )
DarekMeridian 2007-04-21 15:36:34 flag as inappropriate
So your mac is secure as long as you don't use any browsers. That's useful in this age.
tenelenven 2007-04-21 16:03:34 flag as inappropriate
For DarekMeridian: No. It only affects Safari, using Camino or FireFox or one of about 30 other Mac browsers you'll be fine. The Mac is still 100% secure, it's just a demo of a weakness in javascipt/safari if you have physical access over both sides of the equation. This hack can't do anything, so relax.
Info4 2007-04-21 19:04:22 flag as inappropriate
They couldn't do as they wished, crack OSX, so the changed the rules and made it simple. What they did was more like a home owner who puts a neon-sign on their roof that states: 'Valuables Inside; No one Home; Back-Door Unlocked; Come In and Help Yourself!" I'm not really impressed with people claiming that they did this or that, but then say that they won't publish the details to prove their point. When they show their exploit to Apple and they confirm it, then BIG DEAL... one exploit in six-years compared to the over 114,000 virus's, plus other Window exploits, the fact remains.... Macs are still, by far, more secure than Windows. I rest my case.
1macgeek 2007-04-22 05:27:07 flag as inappropriate
Hold on just a cotton-pickin' minute! Everyone please re-read this : "Di Zovie used it to open a back door that gave him access to anything on the computer, Comeau said." Having access and having ROOT are very far apart. I can put any Mac into firewire target disk mode and have "access" to everything on the drive, but I do not have root access. Should it be counted as a "hack" if I can access everything, do everything the "hack" can do if I can do it without writing one line of code? It should be simple to confirm if root was attained by submitting the Mac to a disinterested third-party and looking at the logs. Even then, there is another problem - this one being a problem of time. If you look at the CanSecWest web site, there is an (almost) three hour gap between the announcement of the rule change and the hack. Yet, in media reports thus far, Di Zovie claims it took nine hours to write the "hack". Why the time difference? On top of that, is it really a "hack"? Remember, the original terms said the "hackers" had to come in, but under the revised "rules" they used the target computer to visit the web site which compromised Safari. Would this not ultimately be a social engineering "hack" to get a user to visit the site? Somebody isn't being completely honest about the whole mess. I am not denying the flaw in Safari, but I think the debate is wide open if this is a "hack" in the true sense of the word. And remember - we do not have independent confirmation that root was attained. Smells like a set-up to me.
mack520 2007-04-22 06:28:50 flag as inappropriate
Don't you think its about time to modify this article so it is factual rather than the utter fantasy it now is? Or are you happier lying?
QueQueg72 2007-04-22 10:59:09 flag as inappropriate
Wow, the mac fanboys sure do come out of the wood-work.
mblort 2007-04-22 14:03:57 flag as inappropriate
Microsoft is a sponsor of CanSecWest
QuadraHex 2007-04-22 14:47:16 flag as inappropriate
Windows is suppose to have 90% of the market and Apple less than 10% of the market while Linux has a fraction of 1% of the market. Windows malware has 90+% of the breaches of their operating system while Linux malware has near 10% of the breaches. Apple has ZERO % of the breaches because there is no malware that can or does exploit any known vulnerability. OS-X was first exposed to hackers in March 1999 and is open source so they can hack away any time to their hearts content. OS-X is based on BSD known for decades as the MOST SECURE OS in existence. OS-X has held that title for six years since it's open release in March 2001. Tens of millions of Macs are in use daily for over half a decade and not a single one has been infected with any form of malware. During this time there have been hundreds of trillions of successful malware breaches of Windows. If this vulnerability was proportional, under the assumption that OS-X is as vulnerable as Windows, then Apple should have had tens of trillions of breaches during this time but they have had none. If the Apple share argument was valid then there would have been ZERO breaches of Linux just like the Mac but this is NOT the case. Since so many zealots have such trouble with proportions and reality let me ask a simple question to illustrate this proportional reality with an example where proportion may have some meaning: Which is a more desirable prise, $900,000,000,000,000.00 or $0.00. If you chose $0.00 your a hopeless moron and zealot and shouldn't be commenting here. If you chose the hundreds of trillions then you understand that lots of good stuff is desirable and by extrapolation lots of bad stuff is not desirable. I know Microsoft wants you to believe that trillions of breaches of your computer is good and no breaches like on the Mac is bad so perhaps you'll have enough insight to realize Microsoft is simply lying. Got it? To further elucidate this point if you use Windows for any time you will be PWN'd by some malware and it will take longer by at least ten times in Linux or your a tenth less likely, while history would show it is not going to happen in Mac OS-X, At least not until some malware exploit is in the wild and only until Apple closes the vulnerability. This situation does NOT currently exist and if it comes to pass Apple will foreclose it quickly. It will be impossible to miss this event since it will be part of every news program and article related to technology for months if not years after it happens. Nobody is now making any money from exploiting Macs and it is near to zero chance they will in the future since the Mac community would never allow the situation to develop where one is even one trillionth as vulnerable as Windows. Until then all Mac users can relax and all Windows drones can live in perpetual fear as always.
jill129 2007-04-22 18:11:38 flag as inappropriate
But what happened to the second Mac laptop? Was it hacked or was it given away?
malcolmross 2007-04-23 08:04:29 flag as inappropriate
Perhaps InfoWorld will set up an authoritative, unbiased and objective challenge, along the lines of a serious lab evaluation, and report accordingly? That would be much more useful than this kind of hyped up, biased "tabloid" reportage. I expect better from InfoWorld.
ExiMod 2007-04-23 09:28:22 flag as inappropriate
Computer security experts are hackers that are on the light side of the force. The line between the light side and the dark side gets blurred sometimes. It's interesting to see how these hackers have moved into social engineering and have hacked the news media (with the help of 3com, Microsoft, IDG, and Nancy Gohring).
newguy20070423 2007-04-23 09:41:03 flag as inappropriate
So I assume you mean I have to visit some stranger's link by my own choice? And if I went via another browser it would not hack the OS? Do I also have to allow Safari to execute code? (Perhaps JavaScript which I would probably normally allow). Sounds like a breach through Safari iff (if and only if) I choose to visit some stranger's URL. Why don't I just ask some stranger to execute my code I attach in an email and if he does, Mac OSX has been hacked?
markatosu 2007-04-23 11:12:37 flag as inappropriate
Amazing! There are actually people out there who think that it is possible to make an operating system which is unhackable. Sorry, humans make mistakes ... and operating systems. Last fall one of my Mac servers only used as a failover XSAN metadata controller was hacked. It was fully patched and not used for anything but that limited function (not email, web browsing, etc). However, i unfortunately failed to enable the firewall to deny outside access. i reported the problem to Apple and they did not seem surprised. The bottom line, don't kid yourself, everyone is vulnerable.

Microsoft's $3 Anti-Linux Weapon

2007-04-19T13:07:00.000-07:00

By Steven J. Vaughan-Nichols
April 19, 2007

Opinion: The company's Student Innovation Suite is an attempt to con the world into using Windows and avoiding Linux. (Linux-Watch)

In Beijing, Bill Gates announced this week that Microsoft's "Unlimited Potential" initiative will now include offering a software package, the Student Innovation Suite, to governments and students in emerging countries across the world at a price of just $3.

This suite, available in the second half of 2007, will include Windows XP Starter Edition, Microsoft Office Home and Student 2007, Microsoft Math 3.0, Learning Essentials 2.0 for Microsoft Office and Windows Live Mail desktop. However, Microsoft has no takers for its offering yet.

Officially, the goal is to help bring social and economic opportunity through new products and programs to as many as possible of the potential 5 billion people who do not yet use Microsoft products.

What a lot of bull feces. The goal is to kill open source off at its roots. Microsoft wants to make sure that young people in developing countries get brainwashed into the Microsoft way of computing.

Here's what's really happening. Microsoft is seeing that the OLPC (One Laptop Per Child) initiative is taking off. Soon, millions of kids will be using a computer for the first time, and their first computer is going to be running Sugar, an innovative software environment built on top of a Red Hat Fedora-based Linux

Bulgarian Woman Arrested for eBay Fraud Scheme

2007-03-28T15:21:00.000-07:00

March 28, 2007 3:21 PM

FBI has arrested a Bulgarian woman in connection with an international scheme that's responsible for defrauding eBay users of more than $350,000.

The agency announced on Monday that police in Budapest, Hungary had on March 22 arrested Mariyana Feliksova Lozanova, aka "Gentiane La France," aka "Naomi Elizabeth DeBont," with conspiracy to commit wire fraud and money laundering. Lozanova has waived extradition to the United States.

The indictment charges that Lozanova and others allegedly advertised expensive motor vehicles and boats on eBay. When U.S. buyers expressed interested, a purported seller contacted them directly by e-mail.

The modus operandi matches that described by eBay watchers who have tracked a sharp increase in fraud on the auction site over the past few months. So too does it match the boasts posted on eBay forums by hackers.

Namely, the crooks told their victims to wire payment through a non-eBay entity. In this case, the fraudsters called the entity "eBay Secure Traders," an outfit that has no actual affiliation to eBay but which served to trick buyers into thinking they were sending money into a secure escrow account pending delivery of their purchases.

In fact, the funds were allegedly wired straight into bank accounts in Hungary or Slovakia that were controlled by Lozanova or her co-conspirators.

The FBI alleges that Lozanova opened the accounts with a fraudulent Canadian passport that identified her as "Gentiane LaFrance" and a fraudulent U.K. passport that identified her as "Elizabeth Naomi DeBont."

The victimized buyers' cars and boats were never delivered., nor was their money ever returned. The indictment charges Lozanova with withdrawing the proceeds shortly after the funds had been wired into her account and distributing them to members of her gang in Budapest.

If convicted, Lozanova faces a maximum sentence of 20 years in prison for the wire fraud conspiracy and 10 years in prison for the money laundering conspiracy. She could also be looking at fines totaling more than $500,000, as well as forfeitures and restitution to victims.

eBay said that it just goes to show: "Crime doesn't pay," said Nichola Sharpe, a spokeswoman for eBay, in an interview with eWEEK. "It's so transparent. We have strong collaboration with the police. We do catch these people."

eBay doesn't release official figures for how many scammers the company and law enforcement are tracking. But as Sharpe pointed out, the online auction site has banned, for example, instant money transfer services, such as Western Union.

eBay has over 2,000 employees working in what the company calls its Trust and Safety division. Those employees' key role is to make the site a safe place to trade, Sharpe said, and that means they're practically everywhere that eBay is. "This is a global team," she said. "A lot of the different countries we're in, we have a different team. In Europe we have a team. These crimes are global, and we have a global team to reflect that."

Members of the team are often experienced law enforcement types, as well, she said, including one ex-Scotland Yard detective and a number of people with experience in law enforcement in the United States.

The FBI said in a statement that its investigation into the scam that allegedly involved Lozanova is ongoing.

* This entry was updated to include eBay's input.

Google seeks world of instant translations

2007-03-28T07:14:00.000-07:00

By Adam Tanner 43 minutes ago

MOUNTAIN VIEW, California (Reuters) - In Google Inc.'s (Nasdaq:GOOG - news) vision of the future, people will be able to translate documents instantly into the world's main languages, with machine logic, not expert linguists, leading the way.

Google's approach, called statistical machine translation, differs from past efforts in that it forgoes language experts who program grammatical rules and dictionaries into computers.

Instead, they feed documents humans have already translated into two languages and then rely on computers to discern patterns for future translations.

While the quality is not perfect, it is an improvement on previous efforts at machine translation, said Franz Och, 35, a German who heads Google's translation effort at its Mountain View headquarters south of San Francisco.

"Some people that are in machine translations for a long time and then see our Arabic-English output, then they say, that's amazing, that's a breakthrough," said Och.

"And then other people who have never seen what machine translation was ... they read through the sentence and they say, the first mistake here in line five -- it doesn't seem to work because there is a mistake there."

But for some tasks, a mostly correct translation may be good enough.

Speaking over lunch this week in a Google cafeteria famed for offering free, healthy food, Och showed a translation of an Arabic Web news site into easily digestible English.

Two Google workers speaking Russian at a nearby table said, however, that a translation of a news site from English into their native tongue was understandable but a bit awkward.

FEEDING THE MACHINE

Och, who speaks German, English and some Italian, feeds hundreds of millions of words from parallel texts such as Arabic and English into the computer, using
United Nations and
European Union documents as key sources.

Languages without considerable translated texts, such as some African languages, face greater obstacles.

"The more data we feed into the system, the better it gets," said Och, who moved to the United States from Germany in 2002.

The program applies statistical analysis, an approach he hopes will avoid diplomatic faux pas, such as when Russian leader
Vladimir Putin's translator miffed then German Chancellor
Gerhard Schroeder by calling him the German "Fuehrer." The word is verboten in that context because of its association with Adolf Hitler.

"I would hope that the language model would say, well, Fuehrer Gerhard Schroeder is ... very rare but Bundeskanzler Gerhard Schroeder is probably 100 times more frequent than Fuehrer and then it would make the right decision," Och said.

The center of Google's effort looks surprisingly modest. Och shares a spartan office with two others on his team, with little clutter other than a shelf of linguistic books above his desk. That's because the muscle work is performed by machines.

So far, Google is offering its own statistical machine translations of Arabic, Chinese and Russian to and from English at http://www.google.com/language_tools. Third-party software gives access on the site to German and other languages, Och said.

"So far, the focus is let's make it really, really good," Och said. "As part of a general Google philosophy, once it's really useful and it has impact, then there will be found ways how to make money out of it."

Miles Osborne, a professor at the University of Edinburgh, who spent a sabbatical last year working on the Google project, praises Google's effort but sees limitations.

"The best systems (e.g. Google) can be very good indeed for language pairs such as Arabic-English," he said.

But he added software will not overtake humans in expert translations as it has in playing chess; software should be used for understanding rather than polishing documents.

"It may also be useful when deciding whether to pay a human to do a good job: you could imagine looking at Japanese patent documents and seeing if they are relevant, for example," he said.

Google chairman Eric Schmidt also sees broad political consequences of a world with easy translations.

"What happens when we have 100 languages in simultaneous translation? Google and other companies are working on statistical machine translation so that we can on demand translate everything all the time," he told a conference earlier this year.

"Many, many societies have operated in language-defined communities where they really don't understand and are not particularly sympathetic to other peoples' views because of the barrier of language. We're about to have that breakthrough and it is a huge thing."

RFID Feared as Possible Terrorist Target

2007-03-27T12:36:00.000-07:00

By Lisa Vaas
March 27, 2007

As if RFID chips in driver's licenses and passports weren't scary enough already, London's Royal Academy of Engineering is suggesting that someday a terrorist will be able to read personal details from a distance and, given the right antennas and amplification, set a bomb to go off when a particular person gets within range.

It's already widely acknowledged that unencrypted data stored on an RFID chip in a passport can be read covertly by anybody with a pass-by reader.

As the ACLU pointed out at Black Hat earlier in March, you can buy parts on the Internet to make a reader for as little as $20.

With a reader, you can pick up whatever the RFID chip is sending out: passport number; name; where an individual was at, at what time; name; address; Social Security number, etc.

The ability of RFID to be subverted in far more dangerous ways was only one example of how advancing technology can be exploited in the future, according to the Royal Academy.

The Academy on March 26 released a report titled "Dilemmas of Privacy and Surveillance: Challenges of Technological Change," by Nigel Gilbert, chairman of the Academy's group on Privacy and Surveillance.

Here are some other technology shocks that have already occurred or that may come to pass, according to Gilbert:

Unencrypted data can be forged. The United Kingdom, for one, introduced biometric passports in March 2006.
The e-Passport, as it's called, uses facial recognition to link an individual with a paper passport, with iris and fingerprint data used as backup, and other countries have expressed interest in using biometrics as well.

Because the data will be read at places such as passport control to verify the identity of the holder, the data have to be quickly and reliably transmitted—hence, use of RFID chips have been proposed.

A forged passport could include a passport carrier's biometric information but with forged personal details, including name, date of birth and citizenship.

Of course, passports could be checked against a central database to ensure that the data on a given passport matches the master set. But then, it's unnecessary to store the data on a passport, since it can be retrieved from the central database.

"Encrypting the data on the e-Passports can help to avoid these problems," Gilbert writes, "but even then there is potential for failure. Firstly, if the encryption codes can be broken, then the two vulnerabilities reappear. Secondly, a problem with current plans for e-Passports in the U.K. is that the key for the data on the chip is stored on the passport itself—so the encryption does not in fact lock out eavesdroppers."

The only way to keep RFID passport information truly safe, Gilbert says, is to encrypt with extremely tough algorithms and to disable the access to encrypted data on the passport by using a key stored on the passport itself.

"Otherwise, efforts should be focused on an altogether different way of designing e-Passports," he said.

Plans for more dangerous data leaks than ever are in the works.
It's a pedophile's dream come true: children's data stored in a national database.

The U.K. is reportedly planning to take fingerprints as well as names and addresses from children as young as 11 and store it all in a government database.

The children's data, as a subset of the U.K.'s biometric passport scheme, will be transferred to the country's new national identity database when the children turn 16.

The consequences of data breaches or leaks on such a database could be "extremely serious," Gilbert says. "This information could be used by pedophiles to target those children for abuse," he writes.

Other serious data leaks that have happened or could still happen, Gilbert points out: leaks of credit-card data used to embarrass public figures; leaks of the addresses of staff who work at sensitive sites, such as abortion clinics or research centers that practice animal experimentation; leaks of health records that could doom the employment prospects of patients or even expose them to risk of violence, including HIV status or a record showing that a woman had had a pregnancy terminated (if this was unknown to her partner or parent), or data (such as DNA or blood group) showing that the paternity of a child could not be the presumed father.

The report details other worst-case scenarios, including identity fraud assisted by the Semantic Web and its extensive publicly accessible personal details of individuals as well as the use of fingerprint images to fool a pay-by-touch system.

The future of technology misuse may look dire, but Gilbert offers ways to secure even the scariest technology.

For example, A biometric pay-by-touch system that requires two forms of identification—a PIN and a fingerprint—would be "much more successful" in preventing fraud than one that relies only on a fingerprint, he said.

To read more about privacy and security concerns surrounding RFID.
http://www.eweek.com/article2/0,1895,2073670,00.asp

Regarding RFID-enabled passports and the possibility that they could be linked to bombs or other, less dramatic abuses, one workaround is to forgo RFID chips for a technology such as that now being developed by Ingenia Technology called "Laser Surface Authentication."

LSA technology takes into account the unique surface qualities of a given document. Paper documents and credit card plastics have unique microscopic surface qualities attributable to how paper fibers are arranged or how the plastic has been set.

"These qualities cannot be controlled and cannot be copied, and they are unique in every case—rather like human fingerprints," Gilbert writes.

"Ingenia have devised a way of scanning documents to reveal these surface properties, which they refer to as the 'LSA fingerprint.' The system they have created is 'read-only', the document is passive, it is simply scanned and a record of its surface features is recorded."

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.
http://securitywatch.eweek.com/

Trojan Spreading Via Skype

2007-03-23T15:53:00.000-07:00

March 23, 2007 3:53 PM

A Trojan is using the free Skype VOIP service to spread to users' friends, family and colleagues, Websense Security Labs reported on March 22.

The Trojan, a copy of the Trojan named Warezov or Stration, is not propagating itself. However, when it runs, its sends a URL to all users within the victim's Contacts list, according to Websense.

An earlier version of the same attack hit Skype in late February, as reported by F-Secure. This latest rendition differs in that it's carrying new URL information and a new version of the malicious code.

Websense reports that Skype users are receiving a message that says "Check up this," with a URL containing a hyperlink. Websense's advisory contains a sanitized screenshot at the bottom.

Users who click on the link are redirected to a site hosting a file named file_01.exe. Users are then prompted to run the file. If the user does so, the Trojan downloads and runs several other files. Websense notes that there is no Skype vulnerability at play in this attack.

Below are the files the Trojan loads from different domains, according to Websense. The domains were up and running at the time of Websense's Thursday alert:

1e61617b7498c5cad41c4d26b8e4ca8c file_01.exe
7c2b181ab4fbe858e22bbbdc725e4f53 gdi32.exe
7306bed6c39560ed78fe67cfc5e643c8 ndis.exe
5262a217d2ca7f28be6fc398d8f8aee3 sk.exe

The victim's contacts also receive the URL within Skype. After the Trojan hitches itself to a system, it tries to connect to a Yahoo mail server to send an SMTP message. However, that server appears inoperative, and the communication fails. Websense conjectures that the inoperability is "probably an attempt to notify the attacker that a certain machine has been infected."

The other files downloaded by the Trojan are alternate versions of the Warezov/Stration malicious code. The code opens backdoors to victims' systems and also downloads new code.

We're Number One! ... For Malicious Internet Activity

2007-03-19T07:37:00.000-07:00

By Lisa Vaas
March 19, 2007

Romanian hackers, eat your hearts out: The United States has far and away the most malicious code, spam, phishing, attack and botnetwork activity on the planet, according to Symantec's most recent semi-annual Internet Security Threat Report.

In this, its 11th edition of the report, Symantec has for the first time ranked countries as far as their Internet malfeasance is concerned. Tapping into its global intelligence network, Symantec found that the United States spawned 31 percent of the worldwide total for malicious activity. China came in second with 10 percent, and Germany came in third with 7 percent.

But bear in mind that not all of the bad U.S. apples necessarily originate within the United States, said Dave Cole, a director in Symantec's Security Response division. "Inside U.S. borders can be a playground for international hackers," he said in an interview with eWEEK. "How much is U.S.-based and how much is driven from outside is anyone's guess."

Because Symantec was aware that industrialized countries' higher rate of Internet users skews test results, the company also broke the numbers down according to the percentage of a country's Internet users that are up to no good. "The more [Internet users] you have, the more likely more will be bad apples and that more people will be targeted," Cole said. "Though [owners of zombie PCs] are innocent except for maybe not cleaning their machines when they're hacked."

Taking the amount of a country's malicious activity and dividing by the number of that country's Internet users, Symantec found that Israel has the most per capita malicious Internet users, at 9 percent. Taiwan came in second, with 8 percent, and the United States came in third, with 6 percent.

Between July 1 and Dec. 31, 2006, Symantec also found that 51 percent of all underground economy servers known to the company were located in the United States—the highest total of any country. In that underground economy, your credit card, with a card verification number, will fetch between $1 and $6. Your identity is more pricey, going for $14-$18 including your U.S. bank account, credit card, date of birth and government-issued identification number.

Symantec also notes that your credit card and identity is more attractive to e-thieves nowadays, as opposed to the allure of financial services in previous periods. "The attackers here are just playing the numbers," Cole said. "The biggest attack for many, many years has always been financial services. They'd go where the money's at, sneak in the back door, get in and steal the customer database and quickly get in and out before anybody notices."

Unfortunately for online thieves, banks got smart and beefed up their security. Security at banks being so much harder, hackers have decided to pick customers' pockets instead of sticking up the bank itself, Cole said. "Why do 'Oceans Eleven' [a film featuring painstakingly elaborate thievery] when you can just hold up 7-11?" Cole asked.

Cole emphasized that these observations pertain to loosely organized online criminals, not organized crime. Of non-organized criminals, 93 percent are targeting home users, Symantec estimates.

Preferred methods of online scams differ region to region. According to Symantec's research, banking Trojans are popular in South America. In China and Asia, where online gaming is popular and a market for virtual possessions is thriving, gaming Trojans are common, Cole said. "We're seeing threats getting more regionalized, and the threat depends on what region you're interested in," he said.

Malicious activity on the Internet has obviously changed considerably since the Slammer worm, Cole said. "[Slammer] pretty much crashed through the Internet and knocked things over," he said. "Guys were pounding their chests and slapping their buddies' hands when they wrecked havoc. Nowadays, they'd rather drive across town in a Ferrari with their pals and their ill-gotten goods."

Malicious code sniffing out confidential information such as credit card numbers increased from 48 percent of Symantec's Top 50 malicious code reports in the first half of 2006 to 66 percent in the second half. Threats that log keystrokes and export sensitive user and system data increased, with keystroke loggers now making up 79 percent of threats to confidential information.

This report is the first in which Symantec assessed data breaches that exposed information that could result in identity theft. The company found that during this time period, the government sector accounted for most of the data breaches that could lead to identity theft, with 25 percent of the total.

The preferred way for companies to lose our data was theft or loss of a computer or other data storage/transmittal medium, such as a USB key or a backup disk. Fifty-four of all identity theft-related data breaches in the second half of 2006 were made up of such losses. The second most common cause of data breaches that could lead to identity theft was insecure policy, which accounted for 28 percent of incidents.

Zombies thrived in this time period, as well. Symantec detected 11 percent more active bot-infected computers than the period before, with an average of 63,912 spotted daily. The worldwide total of distinct bot-infected systems rose to about 6,049,594—a 29 percent increase. The number of command-and-control servers decreased by 25 percent to 4,746. Symantec theorizes that this is due to network owners consolidating and expanding their networks. Zero-day vulnerabilities also rose during this period. Trojans taking advantage of zero-day vulnerabilities numbered 12—a significant increase over the first half of the year and the second half of 2005, when only one zero-day vulnerability was documented for each reporting period. Most of the zero-days in late 2006 were client-side vulnerabilities affecting Office applications, Internet Explorer and ActiveX controls. Symantec noted that attackers are "increasingly using zero-day vulnerabilities as the first step in establishing coordinated networks of malicious activity," the company said in a release.

Trojans increased significantly in late 2006 as well. They made up 45 percent of the volume of malicious code reports, compared with 23 percent in early 2006. While Trojans made up 45 percent of malicious code reports, they made up 60 percent of attempted infections.

"Symantec has observed high levels of coordinated activity between threats, including spam and phishing," Symantec said in its release. "Often, Trojans are used to install spam zombies or phishing Web sites on compromised computers in order to facilitiate fraud or other criminal activities."

In late 2006, spam made up 59 percent of all monitored e-mail traffic, Symantec found—an increase over early 2006, when 54 percent of e-mail was classified as spam.

Symantec found that the rise in spam was primarily due to pump and dump stock scams. The company found that top detected spam category, at 30 percent, was related to financial products and services. Unique phishing messages in late 2006 increased, with 166,248 unique messages, or an average of 904 unique phishing messages per day. Phishing attacks primarily used financial services as bait, with that topic accounting for 84 percent of unique brands used in phishing attacks. Financial services also made up 64 percent of phishing Web sites. Forty-six of all known phishing sites were found in the U.S.

Here's what Symantec forecasts for future threats:

More Vista threats will appear, with vulnerabilities, malicious code and attacks focused against Vista's Teredo platform Vista's Teredo platform, which is a bridge protocol between IPv4 and IPv6.

Attackers will focus on third-party applications that run on Vista.

New phishing economies will develop in which phishers expand their targets to include new industry sectors, such as massively multiplayer online games.

Phishers will develop new techniques, such as ready-made phishing kits, to evade antiphishing solutions such as block lists.

Spam and phishing will increasingly target SMS and MMS on mobile platforms.

New attacks will be developed to hit virtual environments as a way of compromising host systems.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog

http://securitywatch.eweek.com/

Al-Qaeda Plan to Bomb British Internet Foiled

2007-03-13T11:40:00.000-07:00

March 13, 2007 11:40 AM

Scotland Yard has foiled a planned attack on the British Internet by al-Qaeda, according to The Sunday Times.

According to reports, authorities carried out a series of raids that netted computer files revealing that terrorist suspects had targeted a high-security Internet hub in London. Scotland Yard also arrested suspects who had allegedly targeted the headquarters of Telehouse Europe, a facility that contains dozens of servers and which The Sunday Times refers to as Europe's "biggest Web hotel."

Investigators reportedly found evidence on a seized hard drive that the suspects plotted to infiltrate the hub and possibly blow it up from the inside, thus causing havoc in the London Stock Exchange and to British businesses.

Allysa Myers of McAfee's Avert Labs posted an analysis of the situation and came up with three takeaways for any business:

1. A significant number of security problems are due to employees and contractors, not outside parties.
2. It's equally important to have physical security considerations as well as those for "cybersecurity."
3. Don't allow a single point of failure.

Romanian Hacker Broadcasts eBay Customer Accounts

2007-03-12T10:36:00.000-07:00

03.12.07 Total posts: 1

By Lisa Vaas
eBay has confirmed that, early on the morning of March 8 EST, an alleged Romanian hacker calling himself "Born_To_Scam_American_Guys" posted records for 15 eBay users on an eBay forum for between 40-60 minutes before the company removed them.

The posts were put up on the Trust & Safety board. According to other forum members who claimed to have taken part in the discussion and begged eBay to take down the information, the hacker signed in under a hijacked account and began taunting others, with the final result being the posting of the 15 accounts.

According to Firemeg.com, a site dedicated to eBay watching, the post that kicked it all off appeared at 1:52 EST on the forum. The initial post, according to Firemeg.com, reads:

"read many opinions here.... All I saw it's just [misspelled obscenity]....Alot of things about scamms..stupid things I think. Romanian guys are the best boys !!!! We are in each country...each city...and every day alot of money from your pocket intro in pur bank accounts....You know why ?? I will tell you my opinion...because you are so stupid ..... anyone can scam you very easy....not only with fake escrow and shipping websites....

"For us nothing is not imposibile....Paypal...bank accounts...credit cards...spam....wire transfers... alot of things boys !!! WHy ??? Because we are the best !!!!

Trojan Targeting eBay Motor Buyers

2007-03-09T11:38:00.000-08:00

March 9, 2007 11:38 AM

E-mails with legitimate slide shows of cars for sale on eBay are quietly dropping a Trojan that redirects a victim when he or she clicks on a link to a legitimate auction. If the victim bids, his or her money winds up going to the criminal with no car going anywhere.

Symantec says if the infected recipient decides to check on the seller's ratings page, the Trojan.Bayrob file also presents a fake feedback page that raves about the seller.

Symantec calls this man-in-the-middle attack "very unusual" and also "difficult to code correctly." The security company first blogged about the attack on March 5 but has since uncovered more details of how it works.

Symantec says that the e-mail probably contains two crucial components: a link to a real eBay auction and an executable. The executable drops two files into a temp folder: a legitimate slide show of the car being auctioned and the Trojan.Bayrob file.

In a typical attack, a victim receives an e-mail about a car for sale, opens it and runs the attachment. As he or she is viewing the photos, the Trojan has already been installed. The victim decides he or she is interested in the car and clicks on the link to the real eBay auction.

In the background, Trojan.Bayrob is directing Web traffic bound for eBay through a local proxy server, which listens on local host port 80. To accomplish that, Symantec found, the Trojan changes files on the infected PC to force traffic bound for these sites through the local proxy server:

My.ebay.com Cgi.ebay.com Offer.ebay.com Feedback.ebay.com Motors.search.ebay.com Search.ebay.com
Next, the Trojan connects to these servers and downloads configuration data and an updated list of the control servers if possible:

Superdigitalprices.com Wai-k-mart.com Wal-stop-mart.com Onemoreshoot.com Jdo24nrojseklehfn.com
These sites have all been taken offline since Symantec first starting tracking the Trojan. Symantec says that the servers were clones of each other, each containing these scripts:

Var.php Cfp.php Hst.php Var-user.php Ping.php Isup.php Ban.php Setvar.php Getip.php Hostname.php Hst-user.php Exe.php Contact.php
The var.php script downloads variables including tokenized versions of legitimate eBay pages.

Meanwhile, the victim, if having checked the feedback page, is reading a fake page that claims that the seller is genuine and trustworthy.

"At this point, the attack is almost complete," Symantec's blog says. "All the attacker has to do now is wait for the victim to complete the purchase and for the money to arrive."

Although the controlling servers have been taken offline, Symantec says the attackers are sure to set up new ones.

How to avoid being victimized? As always, never click on e-mail attachments from sources you don't trust.

eBay hadn't responded to a request for feedback by the time this was posted, but the online auction giant reportedly knows about the issue and is working with Symantec to stop the spread of infection.

eBay is a favorite target for criminals. It's been enjoying the attentions of Romanian criminals in particular, with one by the name of Vladuz giving the company headaches for months now. Check out this slideshow to see Vladuz's handiwork.

http://www.eweek.com/slideshow/0,1206,pg=0&s=25954&a=202474,00.asp

What's Bugging eBay?

2007-03-06T07:55:00.000-08:00

By Lisa Vaas
March 6, 2007

Updated: The auction behemoth is being skewered by Vladuz, the Romanian impaler, and the e-villagers are whispering that he's sucking customer and service rep account lifeblood directly from eBay's internal databases. Is he that spookily talented, or is he just another, albeit talented and lucky, phisher who also stumbled on an e-mail with internal accounts?

The eBay villagers are whispering that he can creep through eBay's internal databases and suck the lifeblood of customer accounts—log-ins and passwords—right out of their pulsing, 222 million-plus customer heart. He's putting up bogus listings as fast as eBay can take them down, and that proves he's walked through a security hole as big as a barn door.

No, eBay insists, this hacker, this Romanian wiseguy who goes by the handle Vladuz, is "nothing new." He's just another phisher, says eBay spokeswoman Catherine England, one of hundreds the huge auction site has to deal with constantly.

He may be getting loads of publicity from posting onto eBay forums as a service rep and taunting eBay—"Durzy is full OF sh*t," he wrote about eBay spokesperson Hani Durzy in a February posting after Durzy said that Vladuz had not accessed internal systems. But that just means he got lucky once and hit upon an internal e-mail that had a screenshot containing customer service reps' e-mail account information, eBay maintains.

Some eBay watchers attribute eBay's recent crackdown on cross-border sales to the recent spike in hijacked accounts. The spike in traffic might not be wholly attributable to Vladuz's work, but he or she is being credited for most of it. The multitalented hacker is leaving a calling card behind with his or her name, spelled backwards, attached to malicious code injected in live auctions. He's taunting eBay by posting to its forums as a customer service rep. His name is associated with a company name that is in turn associated with eBay hacking tools being found for sale online.

Hijacked accounts occur after phishers weasel log-in names and passwords out of legitimate eBay account holders and then use them to run auctions that look like they're taking place in a country with a reputation for legitimate sales, such as the United States or Canada.

This is nothing new, but eBay watchers say the number of hijacked accounts and their changed behavior makes it begin to look as if somebody had set up tools to automatically skim customer accounts from eBay's internal accounts—and such are Vladuz's reputation and braggadocio, at this point, that experts believe he or she could be responsible.

eBay watchers say the trigger for the spike was eBay's recent crackdown on counterfeit goods being sold from countries notorious for it, such as China. Like rats leaving a sinking ship, the thinking goes, crooks such as Vladuz are turning to hijacked accounts because the counterfeit e-business has gone belly-up.

eBay retools its technology platform to scale for rapid growth.

"In the last few months, eBay has really taken a look at the trust and safety of our marketplace and our Web site," England told eWEEK. "We've been incorporating a lot of new measures. My understanding is it's been a little frustrating for this fellow. He's spent some quality time poking around our site and trying to find a way in. He did find access to a small amount of customer service rep e-mail accounts. He used those to go on discussion forums, as a pink—when an employee posts, it's highlighted in pink. He did that in an attempt basically to say, 'Ha ha, look what I did.'"

Lies, lies, lies, says online auction activist Rosalinda Baldwin, who runs an auction watchdog group called The Auction Guild (TAG).

"There's always been phishing [attempts to get account information and second-chance offers made to bidders who didn't win] and other fraud going on," she said. "It became huge mid-December [when eBay began to prevent Chinese sellers from selling to eBay U.S., eBay Canada, etc.]. It seems to have been the trigger: [The collection of phishing attempts and hijacked accounts] went from one without pattern to one" that definitely showed a pattern, she said.

"I know eBay pretty well," Baldwin said. "They can use all the excuses and lies they want, but they have yet to explain how what is happening on this site could be happening if what I'm saying is not true: that somebody has access to the back end."

Quantifying the hijacking of accounts is another eBay watcher, Genie Livingstone. Livingstone is a PHP programmer and runs the Internet host and domain name registration site Dotyou.Com.

Here's an example (check out the five links at the bottom) of the Web monitors, based on RSS eBay tools, that Dotyou.com is using to track eBay scam auctions in real time. Livingstone is also tracking eBay listing totals on MedVed.net.

What she's found for the past few weeks is that the daily count of eBay listings has been "a series of sharp spikes of 1 [million] to 3 million items, instead of the usual gradual curve that reflects items being listed and sold," she said.

The seesawing appears, she said, "as if someone is flooding the site with hacked listings that eBay is pulling down, only to have them immediately relisted, only to have them pulled down, etc., etc."

eBay adds 10 terabytes of new storage every week. Click here to find out how it manages all that storage.

This is MedVed's graph for eBay listings in February 2007, compared with February 2006. Notice the seesawing that begins on Feb. 22, 2007, with sharp increases and decreases that are of equal value, as if the same number of listings are being posted, delisted and posted again, in multiple daily cycles.

eBay's England said that she looked into site activity over the past six months and found "absolutely no significant movement in number of account takeovers." However, she has not yet looked into the flux of listings numbers, she said.

Still, she insists, there's nothing new to see here, even if Livingstone credits eBay with having perfected automated tools to remove the bogus listings, which recently have been coming down after only 30 seconds.

"We've had a variety of automated tools in place for a long time," said England, in San Jose, Calif. "This is nothing new. I wish I could say it's some big, exciting thing. It's your standard, typical phishing scam that's been happening a long, long time. I think this person, because [he or she] went on discussion boards and posed as an employee, it got more attention. The reality is these scams have been around years and years. As [we] shut these guys down, they adapt. They're obviously intelligent people. But as they evolve, so do we."

Vladuz first came to Dotyou.com's attention a few weeks ago—Valentine's Day, as a matter of fact.

Dotyou had written some RSS tools to track scam auctions. First, they manually identified the improper English typically used by non-native English-speaking scam artists. The listings with bad English had another consistent feature: They tried to lure buyers into contacting them outside of eBay, through an e-mail address at Yahoo or Hotmail, for example, and then asked that the buyers pay them through Western Union.

Using the bad-English phrases in one RSS stream and cross-referencing the non-eBay e-mail addresses in another RSS feed keeps the list of bogus sites current, Livingstone said. Using this list, they kept track of hijacked seller accounts and were tracking some 30 to 70 accounts per day. Each account, however, would typically post from 70 to 200 expensive items, to make as much use of the hijacked account as possible before eBay would shut it down.

But in 2007, Dotyou noticed that the hijacked accounts were only running one auction per hijacked seller; the frugality had disappeared. "It appeared as though something [had] changed," Livingstone said in an e-mail exchange. "As if there is [a] larger and larger pool of available phished eBay IDs so the scammers do not need to be frugal with them any longer."

The trend culminated with Vladuz temporarily unveiling his auctions to the public, she said. Instead of putting up fake auctions, he began to inject legitimate auctions created by real sellers, updating the auction with big "EMAIL ME" statements. The typical hijacked auction on Feb. 14 looked like this listing, with a "Buy It Now" message luring buyers to a Gmail address.

Phishers cast bait for bigger catch.

What's alarming about the new trend, Livingstone said, was that it went beyond fake listings—a "regular Romanian modus operandi"—that were the result of successfully phished legitimate accounts and, through a security hole or a tool, entered a new level of sophistication, picking up on real auctions and modifying them.

As of Feb. 5, Dotyou.com was in the process of updating an archive of what Livingstone said are live Vladuz auctions, identifiable by his signature toward the bottom: his handle spelled backward, as zudalv.

TAG's Baldwin said that Vladuz first came to her attention through his sale of eBay hacking tools. She saw that somebody on a chat board posted a tale of having been offered the chance to buy a tool called Second Chance Offer. The modus operandi of the tool was to contact an auction bidder who came in second and therefore hadn't won whatever he had bid on. Second Chance offers to sell the bidder a similar item, but in this case, Vladuz appeared to have created a tool that allowed the user to look as though the e-mail was coming from eBay's e-mail system. Actually, the tool creates fake offers, a way to coax a buyer into making a payment and receiving nothing in return.

Baldwin searched for any reference of the Second Chance Offer tool and came up with a company called SGI Enterprises—a name to which the handle vladuz was connected. She started tracking postings of vladuz back to 2002, finding postings on Chinese hacker sites.

Then Vladuz e-mailed her, offering a look at his or her new tool. It was posted as a Firefox plug-in, Baldwin said, that would automatically decipher and type in the text encoded in a garbled image file.

eBay denies that Vladuz has anything but old screenshots of the back ends of tools eBay created and used. "He didn't have access—he pulled screenshots," England said.

At this point, Vladuz is shrouded in an aura of invincibility. eBay watchers, almost superstitiously, point to his ability to "cherrypick accounts" according to a certain pattern—usually those with a medium amount of feedback that are fairly inactive. News accounts have referenced his ability to offer up hijacked accounts in sequential order as proof that he has access to eBay's internal databases.

That's taking it a bit far, said Dave Jevans, chairman of the Anti Phishing Working Group.

"There are of course automated phishing kits, and they are becoming both more sophisticated and widely available," he said. "However, they typically mine eBay auctions and find user names, and then send e-mails or Second Chance rebid opportunities to those people. That's the only way I can see that automated harvesting would work."

The sequential order of hijacked accounts is typical, he said, when phishers batch-process information and offer it for sale.

Still, given the range of brazen hacks to which the name is attached, Vladuz is scary, and eBay is hot on the Romanian spammer/phisher/hacker's trail.

England said that eBay has spent the past few months tracking the crook, working with Romanian law enforcement. But although Vladuz is known as a "career criminal" in Romania, she said, there's no guarantee he or she will be found and prosecuted soon. That's due to differences in laws surrounding IP tracking, for example, but also due to a lack of resources in a country such as Romania.

In an impoverished country such as Romania, money talks, Livingstone said. On that point, England agrees. Back in 2002 when eBay was dealing with a separate hacker issue in Romania, the police knew where the criminal was, she said. Unfortunately, he was some 30 to 40 miles away from the station, and they couldn't afford the gas to go get him.

eBay was more than happy to lend a helping hand.

Editor's Note: This story was updated to include more information on Vladuz's reported activities.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.

http://securitywatch.eweek.com/

Twelve-step programme for e-mail addicts

2007-02-20T23:29:00.000-08:00

By Jon Hurdle Tue Feb 20, 11:35 AM ET

PHILADELPHIA (Reuters) - Alcoholics have one, and so do drug abusers. Now people addicted to e-mail also have a 12-step programme designed to tackle their obsession.

An executive coach in Pennsylvania has devised a plan to teach people how to manage the electronic tool, which some users say can be as much an intrusive waste of time as it is fast-paced and efficient.

Developed for cases such as a golfer who checked his BlackBerry after every shot, and lost a potential client who wanted nothing to do with his obsession, Marsha Egan's plan taps into deepening concern that e-mail misuse can cost businesses millions of dollars in lost productivity.

"There is a crisis in corporate America, but a lot of CEOs don't know it," Egan said. "They haven't figured out how expensive it is."

One of Egan's clients cannot walk by a computer -- her own or anyone else's -- without checking for messages. Other people will not vacation anywhere they cannot connect to their e-mail systems. Some wait for e-mails and send themselves a message if one hasn't shown up in several minutes, Egan said.

The first of Egan's 12 steps is "admit that e-mail is managing you. Let go of your need to check e-mail every 10 minutes."

Other steps include "commit to keeping your inbox empty," "establish regular times to review your e-mail" and "deal immediately with any e-mail that can be handled in two minutes or less but create a file for mails that will take longer."

Egan says she hosts no 12-step meetings but is planning a monthly teleconference for "e-mailers anonymous."

'HAD ME BY THE THROAT'

Michelle Grace, an insurance agent in Lehighton, Pennsylvania, said she receives up to 60 e-mails a day and uses Egan's program to make it less time-consuming and less stressful.

"E-mail had me by the throat," she said. "When you can't find what you need, then it becomes a problem."

Now that her e-mails are transferred -- some manually and some automatically -- into files, Grace said she spends less time hunting for them.

On average, workers who receive an e-mail take four minutes to read it and recover from the interruption before they can resume working productively, Egan said.

She also recommends checking e-mails not more than three or four times a day.

Some employees resist the lure of e-mail during the regular workday, only to find themselves putting in extra hours at home to clear the backlog, she said. One of Egan's clients said he had 3,600 e-mails in his inbox.

Part of the problem is senders who copy messages too widely and are too vague in their subject lines, so recipients don't know what they need to open right away, Egan said.

For Grace, relief from her e-mail addiction means she is not checking her computer every five minutes.

She said she has let her colleagues know that if they need to reach her immediately, e-mail is not the way to do it.

"I told them, 'If you need me urgently, pick up the phone,'" she said.

Africa's Inexpensive Laptops

2007-02-20T23:26:00.000-08:00

Michael Malakata, IDG News Service 2 hours, 38 minutes ago, 02/20/2007

African countries are bracing themselves for this month's rollout of US$150,
Linux-based laptops for school children under the One Laptop Per Child (OLPC) initiative.

The OLPC is the brainchild of Massachusetts Institute of Technology (MIT) Media Lab co-founder Nicholas Negroponte.

Rwandan President Paul Kagame, for example, said last week that the government intends to provide the laptops to primary schools.

The Rwandan government, through the Ministry of Infrastructure, Ministry of Education and the Ministry of Science, Technology and Research will collaborate with the OLPC in rolling out the machines in schools.

"Rwanda wants to transform into a knowledge-based economy hence the need to provide schools throughout the country with computers," Kagame said in a statement.

Libya, Nigeria, Egypt and Ethiopia, among other countries, are also expected to receive the machines this month.

Libya has agreed to work with the OLPC project to deploy the laptops for every school-age child in the country. The commitment for the PCs however, differ from country to country depending on the number of primary school going children, according to Jackie Lustig, a spokesperson for OLPC.

"Nigeria, Rwanda and Libya have showed commitment to the OLPC. We are also in discussion with several other countries that have approached us and showed varying levels of interests," Lustig said in an e-mail exchange.

Lustig said that Libya has committed to provide 1.2 million children with the laptops within one year while Rwanda will provide 2 million children with the laptops in five years.

Libya has said, however, that it will buy more laptops than the number of children in the country and will contribute the excess machines to poorer African nations.

The Nigerian Communication Commission (NCC) has said Nigeria has committed to buy one million OLPC machines.

The rollout has already started in some countries in Africa but the full-scale roll out is scheduled to begin in the second quarter of this year, Lustig said.

African countries are signing up for OLPC laptops because of the huge need in Africa for low-cost PCs. There are different projects under way to meet the need. In Kenya, the government has managed to assemble low-cost computers with the help of several vendors.

Lenovo Group Ltd., Sahara Computers Ltd. and Mecer PC have been appointed by the Communication Commission of Kenya (CCK) to assemble the first computers in the Madaraka line this month. These computers are priced at $450.

Lustig said the OLPC machines will be priced at cost-- meaning that the price will change over time. While the prices of the laptops are currently $150, Lustig said the plan is to hit $100 in the 2008-2009 timeframe and $50 in 2010-211. The laptops will only be sold to governments and issued to schools.

The companies that are participating in the OLPC project include Google Inc., eBay Inc., Nortel Networks Corp., Advanced Micro Device Inc. and News Corp. with Quanta Computer Inc. of Taiwan as the original design manufacturer for the laptops.

Future of Net phone firm Vonage hangs in balance

2007-02-20T03:57:00.000-08:00

By Leslie Cauley, USA TODAY
Tue Feb 20, 6:57 AM ET

NEW YORK - Verizon and Vonage on Wednesday will present opening statements in a patent-infringement case that could have a big impact on consumers and the nascent Internet telephone industry.

Most immediately at risk is the future of Vonage (VG).

Vonage, one of the best-known brands in the Internet phone world, acknowledged last week that it doesn't have a plan for getting around use of technology that Verizon (VZ) claims violates patents it owns.

The upshot: If Verizon prevails in court, Vonage could be forced to shut down, at least temporarily, while it redesigns its service. That could cause a lot of heartburn for Vonage's 2 million customers.

Brooke Schulz, a Vonage spokeswoman, said Monday that Verizon's claims are baseless. "This is about Verizon trying to stifle competition," she said. "We have not infringed on their patents, period."

As for the prospect of Vonage shutting down, Schulz says, customers shouldn't worry. "We're working on a redesign plan."

Internet telephony, also known as VoIP, for Voice over Internet Protocol, is a Web-based phone service that closely mimics traditional phone service but sends calls over the Internet. VoIP costs only about $20 a month - though it requires an existing high-speed Internet connection - compared with $40 to $60 a month for regular phone service.

By the end of 2006, there were 8.6 million VoIP users in the USA, estimates JupiterResearch. By 2010, the number is expected to reach 22.5 million. Many of those customers are coming from traditional local phone providers such as Verizon and AT&T.

Verizon sued Vonage in June, claiming broad patent violation. An amended complaint in January alleged that Vonage "has appropriated the results of years of research conducted by Verizon and its predecessors.

"Vonage does not currently own any issued U.S. patents," the complaint continues. "Instead, Vonage relies on the intellectual property developed by Verizon in delivering its infringing product and services."

Verizon wants unspecified monetary damages and for Vonage to stop using what it says is Verizon's technology.

That may not be easy for Vonage. The patents Verizon claims have been violated cover, among other things, the "gateway interfaces" - critical for providing VoIP phone services that mimic traditional phone service - fraud detection, billing and features such as call-forwarding. In short, the patents are a road map for providing Bell-quality VoIP.

In total, Verizon has 48 different "terms," or patent claims in dispute. In pretrial rulings, Verizon has succeeded in getting broad interpretations of its claims.

William Bosch, a Vonage lawyer, conceded last week that it's been a tough slog. "Frankly, we didn't anticipate that all 48 terms would be construed to Verizon's favor," Bosch told the judge.

As a result of the court's rulings, Bosch said, Verizon's "patents are now so broad, it may be that nobody can design around them."

That begs a larger question: If the court orders Vonage to stop using Verizon's patented technology, can Vonage work around that?

Asked this very question by the judge, Bosch didn't mince words: "Given the claim construction that we have now, my understanding is we cannot do that because (the patent claims) are so broad."

He said other VoIP players could also be at risk. "It may be that the entire VoIP universe now infringes the patents given how broadly they have been defined."

Bosch also offered a prediction: "We think there is an extremely good likelihood this jury is going to find that (the Verizon patents) are invalid, that they never should have been granted in the first place."

Jeffrey Citron, Vonage's chairman and chief strategist, has been subpoenaed to appear as a witness - for Verizon. That has put him, potentially, in the awkward position of testifying against his own company. Vonage is fighting the subpoena, Schulz said.

The case is being heard in federal court in Alexandria, Va.

Fring aims to cut cellphone costs with VOIP

2007-02-16T08:20:00.000-08:00

ohn Blau 21 minutes ago, 02/16/2007

San Francisco (IDGNS) - Avi Shechter, co-founder and CEO of Fringland (Fring), could be on to something big with the launch of a cheap Internet-based phone service that runs over mobile networks. But the Israeli entrepreneur could also be in for the fight of his life with mobile phone network operators determined to protect their cash-cow voice business from virtual service providers.

"I believe Fring brings value for users," Shechter said in an interview on the sidelines of the 3GSM World Congress in Barcelona, adding that the low-cost service will have an impact on the voice business of mobile phone network operators.

Fring didn't have a booth at the show but if you ran into Shechter, he was more than happy to demonstrate the service.

The former co-general manager of instant messaging company ICQ and his team of 30 have launched a peer-to-peer VOIP (voice over Internet Protocol) service that carries calls over cellphone networks in much the same way PC-based Internet telephony services transport conversations over Wi-Fi or fixed-line broadband connections.

You can download the 200KB Fring application to your handset for free. You'll need a
Nokia Series 60 3rd Edition phone but Fring hopes to widen the choice of handsets by enabling the application to run on other operating systems as well, including Microsoft's Window Mobile.

Fring not only looks and feels a lot like other PC-based applications such as Skype, Google Talk, and MSN Messenger that offer integrated VOIP, instant messaging and real-time presence services; the application also connects with them. It uses Skype's API (application programming interface) but is not endorsed or certified by Skype, according to Fring's Web site.

You can fill your contacts list with other Fring users, or friends on the other services, see when they're online and communicate directly with them.

When in idle mode, the Fring application drains the battery a little faster than a cell phone normally would in standby mode -- but with the advantage that you are able to see when your friends are available, and signal your availability.

The cost of using Fring depends on your data plan -- the application sends around 4.5MB per hour spent talking. While the costs of local or in-country calls are comparable with standard calls, the real savings appear to be made on international calls.

You can make calls to users on public telephone networks, using Skype Out, but these carry an additional fee on top of the data charges. Also, if you make a "roaming" call from outside your home network, you will be charged a data roaming fee as you would for any other data service.

For all its features, Fring still has some kinks. If you try to make calls over GSM (Global System for Mobile Communications) or GPRS (General Packet Radio Service) networks, you'll notice a crackly voice quality similar to early PC-based VOIP service, according to Shechter. "Our service is designed for 3G networks but we're working on improving the quality in the other networks," he said.

Because you have to connect to the Internet to use the service, you'll need a data package of sufficient size, and although most mobile Internet data packages are volume-based, make sure there's no time limit. That would severely restrict your ability to use Fring or any other mobile VOIP application for that matter.

Some operators, such as T-Mobile International, have banned the use of VOIP applications on their networks.

Other operators may also introduce measures to block access to virtual mobile VOIP service providers like Fring that use their mobile data networks without commercial agreements. To offset any lost voice revenue from the switch to IP, such operators could charge a specific VOIP subscription fee, or offer a more expensive data package service fee for using VOIP or even bundle additional services for a higher fee.

Particularly in Europe, operators have invested far too much money in licenses, equipment and customer acquisition to give anything away. Like fixed-line operators that first fought and then adopted VOIP services, mobile operators must now deal with a disruptive technology that could radically change their business models.

Enterprises are uncertain about mobile security

2007-02-16T06:10:00.000-08:00

Nancy Gohring 17 minutes ago, 02/16/2007

San Francisco (IDGNS) - Uncertainty about how to secure mobile phones in the face of increasing threats is slowing enterprise adoption of mobile applications, experts exhibiting at the 3GSM World Congress in Barcelona this week said.

Over two-thirds of mobile operators in Europe that took part in a survey said that they detected more than 100 incidents involving mobile viruses or mobile spyware in 2006, according to a study by conducted by Informa for security software developer McAfee. The number of European operators reporting more than 1,000 such incidents more than doubled in 2006 compared to the previous year, the report said.

IT administrators, uncertain how to protect their users from such attacks, are unwilling to enable mobile access to applications for workers.

"Enterprise security professionals haven't really worked this out yet," said Lorcan Burke, CEO of AdaptiveMobile. Companies such as banks, with strict security requirements, simply block access to any service, including Internet access, that could open doors to security issues, he said.

At the recent RSA Conference in San Francisco, some of the most crowded events were those tackling mobile security issues, said Simeon Coney, vice president of marketing for AdaptiveMobile. That was an indication that IT administrators are trying to find out how serious mobile security problems are and how to address them, he said.

Mobile services can be secured in the application, the network or in hardware or software on the device. Among operators responding to the McAfee study, most found that virus protection was most important at application and device levels, although more of them had deployed network-level security systems than the other options. Over 200 respondents from the operator community took part in the study.

AdaptiveMobile makes network-level security products for operators, including a system for filtering viruses in e-mail, SMS (Short Message Service), MMS (Multimedia Messaging Service) and WAP (Wireless Application Protocol) traffic. Beyond viruses, AdaptiveMobile can also control content, so it can stop phishing and other fraudulent attacks, or limit the types of content end users can access.

If an operator has deployed AdaptiveMobile's platform, an IT administrator in a company can set and manage such controls down to the level of individual users.

For the mass market, AdaptiveMobile's product allows operators to notify a user by text message if their phone becomes infected with a virus and offer a download, either for free or for a fee, to disinfect the device. Without such software, operators will replace a user's device or ask them to send it off for disinfection, both costly propositions.

A network-based security mechanism offers some advantages over anti-virus software that sits on the handset, Burke said. Handset software doesn't prevent phishing and other nonviral scams. In addition, anti-virus software isn't compatible with all phones, making it logistically difficult for the software developers to tweak their products for each version of every phone and make sure to sell the proper software to end users.

He calls anti-virus software on the handset "the minimum acceptable response. It's a tick in the box to make people feel comfortable."

Some developers also sell security mechanisms that sit in the phone's hardware. Such solutions are ideal for organizations with very strict security requirements, such as government users, Burke said. One downside to the hardware-based solutions is that they take about two years to make it into a handset, he noted.

New Credit Cards May Leak Personal Information

2007-02-16T01:00:00.000-08:00

Erik Larkin, PC World Fri Feb 16, 4:00 AM ET

You may be carrying a new type of credit card that can transmit your personal information to anyone who gets close to you with a scanner.

The new cards--millions of which have been issued over the past year--use RFID, or Radio Frequency Identification, technology. RFID allows scanners to use radio signals at varying distances to read information stored on a computer chip.

According to a study from academic and business researchers at the University of Massachusetts, RSA, and Innealta, many of the cards will transmit your name, credit card number, and expiration date (but not the three-digit security code) in the clear to anyone nearby with a scanner. One of the researchers, Kevin Fu of the University of Massachusetts, provided an electronic copy of the report's just-finished final version to PC World. The draft version is available online.
Millions of Cards in Use

RFID is widely used to track shipments and store inventory--and now it's in credit cards, allowing customers to swipe the cards past readers in McDonald's restaurants, CVS pharmacies, and elsewhere, making for quick and easy transactions. Visa says more than 6 million "contactless" cards exist worldwide, and their number is growing rapidly.

In an e-mail, Fu wrote that "in our collection of approximately 20 cards, the vast majority revealed CC name, CC number, and expiration" when the researchers scanned with a commercial RFID reader that they modified to work with the credit cards. According to the FAQ on the study, the sample cards "spanned all three major U.S. payment associations and several major issuing banks."

According to a Visa spokesperson, the company's contactless card network uses an encrypted security code to verify a transaction. That should protect against certain types of fraud--but again, it doesn't protect against someone pulling the name and number.

However, second-generation Visa Contactless cards no longer send the name, says Brian Tripplett, the company's senior vice president of emerging product development. The new cards still send their numbers, but those would be difficult to use without the card holder's name. With the first generation of cards, Visa suggested that banks not issue cards that transmit the name; with new cards, that's required.

Tripplett also says that Visa's technology has a shorter read range and communicates differently than does the standard RFID used for inventory management, for example. Mastercard didn't respond in time for this story.
Is Your Card RFID-Equipped?

How do you tell if your card has one of these chips? Some cards have visible microchips, according to the study's FAQ, but others don't. Tripplett says that Visa Contactless cards have a symbol: four vertical wave-like bands on the front or the back.

But to know for sure, and to know whether you have a first- or second-generation Visa card, you need to call your bank and ask. You should be able to request a card without the technology, or at least one that doesn't transmit your name.

Also, you can block RFID signals with a "Faraday cage," which uses a metal mesh or casing. A quick online search turned up some wallets and wallet inserts that incorporate the cages.
Other Risk Reductions

Even for the first-generation cards that do send the name, some other mitigating factors exist. First, while the researchers used a commercially available RFID reader, they made modifications to it that take "technical skills and know-how," Fu wrote. Also, the reader must be close: The card specs say only a couple of inches, but Fu says some research papers put the max range at about 6 inches.

And most important, phishing, keyloggers, and other kinds of online ID theft are far too successful right now for criminals to put in the effort required for this type of fraud. So the risk probably isn't significant--for now.

Major risk or not, however, there's no way I'd want my credit card to transmit its information without any encryption. Adding yet another opportunity for ID theft where there doesn't need to be any, whether the threat is large or small, simply makes no sense.

Mobile VOIP is on the march

2007-02-09T07:50:00.000-08:00

ohn Blau 24 minutes ago,02/09/2007

San Francisco (IDGNS) - Nearly one year after Skype stole the headlines at the 3GSM World Congress with its plans to offer a mobile version of its Internet phone, a couple of nimble startups -- and not the Net telephony pioneer itself -- appear to have found a way to make this type of service work, both technically and commercially.

Earlier this week, Jajah announced a new mobile VOIP service that allows smart-phone users to make low-cost and, in some cases, free international calls. Customers simply enter Jajah's mobile Web portal through their handset's browser, enter their user name and password and then make a either a free or low-cost call.

The launch of Jajah Mobile Web comes on the heals of a mobile VOIP (voice over IP) offering by Fring, which, unlike Jajah, requires users to download software and install it in their Internet-enabled handsets. The Fring service gives mobile users access to P-to-P (peer-to-peer) VOIP offerings such as Skype and Google Talk.

Microsoft appears to have its finger on the pulse of mobile VOIP, too. Next week in Barcelona, the U.S. software giant will unwrap a new version of its Windows Mobile OS that will supposedly enable carriers and device maker to add VOIP functionality to Windows Mobile devices.

All these announcements -- and the many more expected at this year's 3GSM World Congress -- come as Skype, which essentially stunned the mobile phone industry last year with its VOIP plans, acknowledges technical and commercial hurdles.

In a recent interview in Finnish newspaper, Skype co-founder and CEO Niklas Zennström spoke of "technical obstacles" and conceded that efforts to make Skype work had been taking "much longer than expected."

At the Consumer Electronics Show in Las Vegas last month, Eric Lagier, Skype director of business development for hardware and mobile, called the lack of attractive flat-rate fees for most mobile phone services a key commercial hurdle to mobile VOIP usage. He said the company didn't want to be in a position of claiming that its service is free, but facing users who at the end of the month are docked with a huge broadband usage fee.

At last year's 3GSM World Congress, Skype and the Hutchison 3 Group (Hutchison 3G) announced a partnership to provide what they had hoped to become the world's first commercial VOIP service for mobile phones.

Hutchison 3G, which operates IP-based mobile broadband networks in several European markets, was one of the first mobile phone operators to embrace VOIP, a technology many in the industry view as a major threat to their cash-cow voice business.

But industry experts admit that challenges remain. One hurdle in providing quality VOIP service over mobile handsets is the uplink, which is currently too slow to support quality voice calls, John Giere, chief marketing officer at Alcatel-Lucent, said in an earlier interview.

To increase uplink speeds, operators of GSM (Global System for Mobile Communications) networks, which dominate Europe and many parts of Asia and Latin America, will need to upgrade their networks with HSUPA (High Speed Uplink Packet Access) technology, which will give operators "the bidirectional capability they need to run real VOIP," he said.

The high-speed technology is not expected to become commercially available in volume until the latter part of 2007 or early 2008. Operators are presently busy rolling out the downlink counterpart HSDPA (High Speed Downlink Packet Access).

Study: Weak Passwords Really Do Help Hackers

2007-02-07T13:00:00.000-08:00

Todd R. Weiss, Computerworld Wed Feb 7, 4:00 PM ET

Left online for 24 days to see how hackers would attack them, four
Linux computers with weak passwords were hit by some 270,000 intrusion attempts-- about one attempt every 39 seconds, according to a study conducted by a researcher at the University of Maryland.

Among the key findings: Weak passwords really do make hackers' jobs much easier. The study also found that improved selection of usernames and associated passwords can make a big difference in whether attackers get into someone's computer.

The study was led by Michel Cukier, an assistant professor of mechanical engineering and an affiliate of the university's Clark School Center for Risk and Reliability and Institute for Systems Research. His goal was to look at how hackers behave when they attack computer systems-- and what they do once they gain access.

Using software tools that help hackers guess usernames and passwords, the study logged the most common words hackers tried to use to log into the systems. Cukier and two graduate students found that most attacks were conducted by hackers using dictionary scripts, which run through lists of common usernames and passwords in attempts to break into a computer.

Some 825 of the attacks were ultimately successful and the hackers were able to log into the systems. The study was conducted between Nov. 14 and Dec. 8 at the school.

Cukier was not surprised by what he found. "Root" was the top guess by dictionary scripts in about 12.34% of the attempts, while "admin" was tried 1.63% of the time. The word "test" was tried as a username 1.12% of the time, while "guest" was tried 0.84% of the time, according to the experiment's logs.

The dictionary script software tried 43% of the time to use the same username word as a password to try to gain entrance into the affected systems, Cukier said. The reason, he said, is that hackers try for the simplest combinations because they just might work.

Once inside the systems, hackers conducted several typical inquiries, he said, including checking software configurations, changing passwords, checking the hardware and/or software configuration again, downloading a file, installing the downloaded program and then running it.

For IT security workers, the study reinforced the obvious. "Weak passwords are a real issue," Cukier said.

At the University of Maryland, users are told that passwords should include at least eight characters, with at least one uppercase letter and one lowercase. The school also recommends that at least one character be a number or punctuation symbol, Cukier said. All passwords should be changed every 180 days, according to the university's recommendations.

"That's really reasonable," Cukier said of the guidelines. "It's not helpful if the password is so complicated that people don't remember it and [therefore] write it down on a sticky note next to their computer."

Users can use the title of a favorite book for a password or even the first letters from a memorable sentence, he said. "They'll be easy for you to remember because you'll be able to remember the sentence... without having to write it down," Cukier said.

Hackers attack key Net traffic computers

2007-02-06T17:44:00.000-08:00

By TED BRIDIS, Associated Press Writer
7 minutes ago, 02/06/2007

WASHINGTON - Hackers briefly overwhelmed at least three of the 13 computers that help manage global computer traffic Tuesday in one of the most significant attacks against the Internet since 2002.

Experts said the unusually powerful attacks lasted as long as 12 hours but passed largely unnoticed by most computer users, a testament to the resiliency of the Internet. Behind the scenes, computer scientists worldwide raced to cope with enormous volumes of data that threatened to saturate some of the Internet's most vital pipelines.

The Homeland Security Department confirmed it was monitoring what it called "anomalous" Internet traffic.

"There is no credible intelligence to suggest an imminent threat to the homeland or our computing systems at this time," the department said in a statement.

The motive for the attacks was unclear, said Duane Wessels, a researcher at the Cooperative Association for Internet Data Analysis at the San Diego Supercomputing Center. "Maybe to show off or just be disruptive; it doesn't seem to be extortion or anything like that," Wessels said.

Other experts said the hackers appeared to disguise their origin, but vast amounts of rogue data in the attacks were traced to South Korea.

The attacks appeared to target UltraDNS, the company that operates servers managing traffic for Web sites ending in "org" and some other suffixes, experts said. Officials with NeuStar Inc., which owns UltraDNS, confirmed only that it had observed an unusual increase in traffic.

Among the targeted "root" servers that manage global Internet traffic were ones operated by the Defense Department and the Internet's primary oversight body.

"There was what appears to be some form of attack during the night hours here in California and into the morning," said John Crain, chief technical officer for the Internet Corporation for Assigned Names and Numbers. He said the attack was continuing and so was the hunt for its origin.

"I don't think anybody has the full picture," Crain said. "We're looking at the data."

Crain said Tuesday's attack was less serious than attacks against the same 13 "root" servers in October 2002 because technology innovations in recent years have increasingly distributed their workloads to other computers around the globe.

___

AP Internet Writer Anick Jesdanun contributed to this report from New York.

Bill Gates calls for more powerful computer security

2007-02-06T11:04:00.000-08:00

Tue Feb 6, 2:04 PM ET

SAN FRANCISCO (AFP) - Microsoft co-founder Bill Gates addressed thousands of computer security specialists gathered at a San Francisco conference, calling for

"People want more flexibility and anywhere access with multiple devices," Gates told a standing-room-only crowd of RSA Conference 2007 attendees.

"We need a far more powerful paradigm to handle this."

Gates and Microsoft "security guru" Craig Mundie backed a common standard for computer security technology and agreed that the traditional practice of "building walls and moats" to fortify networks needed to be evolve.

This was the 16th annual conference and it boasted an attendance of approximately 16,000 people, the largest turnout in its history.

Tracking your car by cell and e-mail

2007-02-01T12:01:00.000-08:00

By BRIAN BERGSTEIN, AP Technology Writer
32 minutes ago, 02/01/2007

PALM DESERT, Calif. - Here's something that might appeal to your fretful or data-loving side: a service that alerts you if your car is stolen — or being driven too fast by the teenager who borrowed the keys.

Among the nearly 70 emerging technologies on display this week at the DEMO conference is a system from Chandler, Ariz.-based Inilex Inc., which uses global-positioning satellites to track the location of customers' cars and deliver a bevy of other information.

The Inilex "Kepler Advantage" device, sold through car dealers for $600 to $1,100 plus a monthly subscription, looks like a walkie-talkie and gets stowed covertly under the dashboard.

Then car owners or corporate fleet managers can go on an Inilex Web site to track their vehicles' locations — and set up alerts that would be delivered by e-mail or a cell-phone text message.

With this service, you can be notified within minutes that your parked car has been moved, presumably by a thief, and shown where it is in real time — fruitful information to pass on to police.

Or you can set up a "virtual fence" on a map and be told if the car ranges outside it (attention, suspicious spouses). Paranoid parents could halt their kids' late-night joyriding by letting Inilex warn them when the car exceeds a certain speed.

In May, Inilex is upgrading its service to grab data from many cars' onboard computers so customers can monitor their vehicles' fluid levels and other vital signs on the Web. The connection to the auto's computer also lets Inilex drivers use cell phones to remotely start, lock or unlock their cars.

Some of these features are already available through such services as OnStar for General Motors Corp. cars and LoJack Corp.'s stolen-car trackdown product. But LoJack isn't available nationwide; it uses an older radio-frequency technology rather than GPS and gets activated when owners call police.

Inilex has only 5,000 customers so far, so time will tell whether its extra features can swipe serious business from the $695 LoJack service, which boasts 5.8 million customers in 28 countries. One big test, in particular, will be whether it can beat LoJack's stolen-car recovery rate, which spokesman Paul McMahon said is more than 90 percent.

Users go professional with online video

2007-01-26T13:08:00.000-08:00

By Yinka Adegoke 9 minutes ago, 01/26/2007

NEW YORK (Reuters) - Martial arts expert Joe Eigo never imagined he'd win millions of fans and earn $25,000 when he posted a clip of himself performing a series of gravity defying acrobatics to a video sharing site.

In uploading his "Matrix - For Real" video to Metacafe.com, Eigo joined the growing number of aspiring filmmakers who are benefiting from the new economics of online video sharing, a phenomenon made popular by YouTube.

YouTube, owned by Google Inc., took online video mainstream last year with a completely open format and easy-to-upload site, as well as a focus on short, low-resolution clips that are streamed for free.

Now, however, a growing number of users, particularly amateur filmmakers and wannabe stars, are seeking out other online video outlets. The promise is that not only might they find the fame they seek, but they could get paid for their work in the meantime.

A prime example of the movement is the Diet Coke/Mentos candy clip that ran last year on Revver.com. The clip, which shows how bottled Diet Coke erupts when you drop in Mentos, was popular enough to generate tens of thousands of dollars in advertising revenue to be shared with the original creators.

But money isn't everything in the online video world, or so it seems. Several sites are now offering users the ability to upload longer-form, high-quality, professionally edited videos that will likely be more attractive to advertisers and may even encourage some users to pay to watch the clips.

When Jordan Livingston, a 24-year-old filmmaker from the San Francisco area, posted two of his short films to the Internet last year he chose Dovetail.tv, another fledgling site focused on quality videos.

Founded in 2006 by Jason Holloway, Chris Neumann and Brett Levine, Dovetail targets up-and-coming filmmakers.

"These guys have a longer-term goal -- they want to be the next Martin Scorcese. And, you don't get that by being up alongside cell phone quality shots of the type seen on YouTube," says Holloway.

Because the cost structure of Internet technology had become more affordable, Holloway said, he and his partners realized they could run high-quality, high-definition videos online.

Livingston says that more and more independent filmmakers will use sites like Dovetail to make a name for themselves and earn money while they're at it. But it's the quality of the video that's most important to him.

Dovetail, which already has nearly a thousand short films though still in prelaunch mode, hopes to pay producers like Livingston by sharing in advertising and subscription revenues. It is initially looking at paying around 10 cents every time a user's film is downloaded.

The idea of paying producers for their videos is beginning to take hold online in much the same way popular personal blogs began to take advertising and become more professional a few years ago. And users are taking to it.

Joe Eigo's "Matrix - For Real" has been the top video in Metacafe's Producer Rewards scheme with 5 million views, making him over $25,000 in just a few months. Previously, he had spent thousands of dollars over the last four years just to keep it running on his own Web site.

Metacafe's scheme pays producers $5 for every thousand views a video gets on the site. It starts to pay out after it reaches 20,000 views, implying a minimum payment of $100.

Metacafe founder Arik Czerniak says that online video sites like his are changing the way so-called user-generated content is perceived by consumers as well as broadcasters and advertisers.

"We're being much more selective about the videos than other sites because we think this is about entertainment," said Czerniak.

And for Eigo the success of his Matrix video is a dream come true.

"I was really surprised," said Eigo, who occasionally lands stunt man roles in movie and theater productions. "I've bought some books to learn how to manage the money."

NEC technology fights IP phone spam

2007-01-26T10:58:00.000-08:00

Nancy Gohring 1 hour, 3 minutes ago, 01/26/2007

San Francisco (IDGNS) - NEC has developed technology that can help prevent spam phone calls to VOIP (voice over Internet Protocol) users.
ADVERTISEMENT
Real people. Real success stories. Yahoo! Personals. See Stephanie and Mike's story.

The company plans to demonstrate the technology next month at the 3GSM World Congress in Barcelona but still has more work to do before it can sell a commercial product.

The technology discovers whether a caller is a human or a machine by testing the machine's capability to perform human-like conversation. Once the technology determines that a machine has made the call, it blocks the connection, preventing the user's phone from ringing.

NEC has developed the technology so that new modules can quickly be added to the system to respond to new and different kinds of VOIP spam.

In addition, the product will be customizable to work with different types of hardware, such as SIP (Session Initiation Protocol) servers, home network equipment and session border controls.

NEC tested the technology during a simulated VOIP spam attack, using well-known botnets to create the attack. The technology detected nearly all of the VOIP spam in the test, NEC Said. A botnet is a collection of computers that have been infected by malicious code and can be remotely commanded to execute malicious activities.

Existing botnets can easily be modified to produce spam telephone calls, NEC said. The company warned that a high level of VOIP spam could discourage the growth of VOIP.

NEC did not say when a commercial product might become available.

In Silicon Valley, polite nude jogger shocks hikers, bikers

2007-01-25T20:18:00.000-08:00

Thu Jan 25, 11:18 PM ET

SARATOGA, Calif. - Who was that undressed man? That's the question startled hikers, bikers and horseback riders are asking about a jogger seen streaking through an open space preserve wearing nothing but sneakers, glasses and a black tam hat.

"He passed me and said `Good evening,'" said equestrian Sue Bowdoin, who spotted the naked man, middle-aged and sporting a pale paunch, while riding her horse, Randy, on a trail in Fremont Older Open Space Preserve last summer. "I thought: Ugh!"

Although numerous park users have reported seeing the exhibitionist over the last year-and-a-half, rangers have been unable to identify and arrest him for exposing himself, said Gordon Baillie of the Midpeninsula Regional Open Space District.

By most accounts, the man is polite and does nothing other than run in the buff.

A woman who saw him said he looked scared and backed away after she cornered him with her horse and told him he was offending people.

People who use the park regularly have not reported recent sightings in the cold weather, but they theorize he may be incognito because he is clothed. With dark hair, sweaty red skin and lack of body hair, he is easily recognizable, Bowdoin said.

"He's frumpy. Plain. Not in good physical shape," Bowdoin said. "It's not a pretty sight.'

Upgrade Your Laptop

2007-01-16T11:35:00.000-08:00

PC Magazine

10.11.06

By John Delaney

Upgrade Your Laptop
Rummaging through my office closet (the designated burial ground for non-working PCs and other assorted aging electronic gadgets), I happened upon a dusty old Gateway laptop in a darkened corner. The notebook, a Solo 9550 "desktop replacement," is only five years old, but its Pentium III processor, CD-RW/DVD combo drive, and 128MB of memory are ancient technology compared with today's mobile offerings. The system contained a painfully slow (4,200-rpm) 30GB hard drive, which was filled to capacity, but it still fired up once I found the correct AC adapter. Then I discovered why this seemingly capable laptop earned a spot in my version of an oversized junk drawer: The screen worked for 2 minutes before the image faded to black.

I had found the perfect upgrade candidate.

Let me say right up front that upgrading a laptop can be a costly endeavor, depending on how many components need replacing. At some point you have to decide if it makes more sense (financially) to scrap the older system for a shiny new model. For example, a new screen, hard drive, memory, optical drive, and PCMCIA TV tuner card set me back more than $700, which would go a long way toward purchasing a brand-new notebook.

I also didn't tackle the most complex part of a PC upgrade: the processor. Though it's possible to upgrade the processor in some notebooks, it's a complicated job that may require soldering skills, depending on the model. There are online parts suppliers that provide chips for various systems, but you must be certain that your power supply can handle the extra power draw and that the cooling fans will prevent overheating; otherwise, you run the risk of frying the motherboard and power supply (at which point you might as well go out and buy yourself a new notebook). Besides, the CPU on this Gateway was soldered in place. I located a replacement motherboard assembly for it for around $450, but it contained the same 1.13-GHz Pentium III Mobile CPU that I already had.

Chances are your laptop makeover won't be as extensive as mine. But if you want to breathe new life into an old road warrior, the job may be easier than you think. One more tip before you get started: Find a spacious, well-lit work area with a flat, level surface to perform the upgrades. I used my pool table—sorry, Minnesota Fats. You'll need a set of jeweler's screwdrivers to remove most of the components, as laptops use extremely small screws. While you're at it, have a few bowls or small containers on hand to collect all those screws; you'll need them to install the new parts.

Install a High-Gloss Display

Replacing your laptop's screen may seem like a job for the pros, but it's a fairly easy procedure that you can complete in less than an hour. A set of jeweler's screwdrivers is essential for removing the panel, however. I picked up a new 15.4-inch 1,280-by-1,024 replacement panel from ScreenTek, which has a huge list of screens for a variety of models. The panel sells for $249 on the company's Web site, www.screentekinc.com, and I paid an extra $50 to have ScreenTek apply the high-gloss PixelBright coating. Like Dell's TruLife coating, PixelBright provides better viewing-angle performance and sharper image quality than traditional antiglare treatments. Although the panel did not come with written installation instructions, the site offers an excellent step-by-step instructional guide and a downloadable video to help you out. Live chat and telephone support are also available for the technically challenged, and if you absolutely feel that you'll botch the job, ScreenTek will perform the installation free of charge—but you'll have to ship your laptop to it. If your screen is in perfect working order and you just want a high-gloss finish, send your laptop in, and for $100 it will put a PixelBright coating on it.

Installation is basically the reverse of the removal process, and is just as easy. The toughest part is lining up the hinges with the panel frame; it took me three tries to get it right. The whole procedure took just 45 minutes from start to finish—including the search for a latch spring that popped out when I removed the broken screen.