Friday, December 30, 2005

Windows Security Flaw Is 'Severe'

A previously unknown flaw in Microsoft Corp.'s Windows operating system is leaving computer users vulnerable to spyware, viruses and other programs that could overtake their machines and has sent the company scrambling to come up with a fix.
Microsoft said in a statement yesterday that it is investigating the vulnerability and plans to issue a software patch to fix the problem. The company could not say how soon that patch would be available.
Mike Reavey, operations manager for Microsoft's Security Response Center, called the flaw "a very serious issue."
Security researchers revealed the flaw on Tuesday and posted instructions online that showed how would-be attackers could exploit the flaw. Within hours, computer virus and spyware authors were using the flaw to distribute malicious programs that could allow them to take over and remotely control afflicted computers.
Unlike with previously revealed vulnerabilities, computers can be infected simply by visiting one of the Web sites or viewing an infected image in an e-mail through the preview pane in older versions of Microsoft Outlook, even if users did not click on anything or open any files. Operating system versions ranging from the current Windows XP to Windows 98 are affected.
An estimated 90 percent of personal computers run on Microsoft Windows operating systems. Microsoft has found itself under attack on several instances and has been forced to issue a number of patches to keep computers running Windows safe. Mac and Linux computer users are not at risk with this attack, even if their computers run Microsoft programs such as Office or the Internet Explorer Web browser.
Reavey encouraged users to update their anti-virus software, ensure all Windows security patches are installed, avoid visiting unfamiliar Web sites, and refrain from clicking on links that arrive via e-mail or instant message.
"The problem with this attack is that it is so hard to defend against for the average user," said Johannes Ullrich, chief research officer for the SANS Internet Storm Center in Bethesda.
At first, the vulnerability was exploited by just a few dozen Web sites. Programming code embedded in these pages would install a program that warned victims their machines were infested with spyware, then prompted them to pay $40 to remove the supposed pests.
Since then, however, hundreds of sites have begun using the flaw to install a broad range of malicious software. SANS has received several reports of attackers blasting out spam e-mails containing links that lead to malicious sites exploiting the new flaw, Ullrich said.
Dean Turner, a senior manager at anti-virus firm Symantec Corp. of Cupertino, Calif., said the company has seen the vulnerability exploited to install software that intercepts personal and financial information when users of infected computers enter the data at certain banking or e-commerce sites.
Eric Sites, vice president of research and development for anti-spyware firm Sunbelt Software, said he has spotted spyware being downloaded to a user's machine by online banner advertisements.
"Pretty much all of the spyware guys who normally use other techniques for pushing this stuff down to your machine are now picking this exploit up," Sites said.
Because the vulnerability exists within a faulty Windows component, security experts warn that Windows users who eschew Internet Explorer in favor of alternative Web browsers, such as older versions of Firefox and Opera, can still get their PCs infected if they agree to download a file from a site taking advantage of the flaw.
Richard M. Smith, a Boston security and privacy consultant, said he was particularly worried that the vulnerability could soon be used to power a fast-spreading e-mail worm.
"We could see the mother of all worms here," Smith said. "My big fear is we're going to wake up in the next week or two and have people warning users not to read their e-mail because something is going around that's extremely virulent."

Written by: Brian Krebs, a washingtonpost.com reporter.

Web services thrive, but outages outrage users

LONDON (Reuters) - Web sites that share blogs, bookmarks and photos exploded in popularity in 2005, but in recent weeks a number of major outages left users stranded and frustrated.
The new breed of Web site includes blogging services such as TypePad, the photo site Flickr, the shared bookmark site del.icio.us and many others. They are sometimes known collectively as "Web 2.0": hosted online, relying heavily on users' submissions, and frequently updated and tweaked by their owners.
Their growth in the last year has been huge. Flickr and del.icio.us were high-profile acquisitions for Internet giant Yahoo, and there are now at least 20 million blogs in existence, according to some estimates, with tens of thousands being added every day.
But the surge in Web-based applications hasn't come without some serious hiccups as several notable services have crashed.
Six Apart, whose TypePad service is used by many high-profile bloggers, experienced nearly an entire day of downtime on December 16, when it suffered a hardware failure. Del.icio.us had a major power failure on December 14. Services including Bloglines, Feedster and WordPress have also experienced problems.
Nothing underlines the importance of these "social media" services as much as the outcry of users when the sites crash. While the services were usually back up and running within a few days at most, the outages prompted much consternation from users who were temporarily unable to share their blogs and bookmarks with the world.
Russell Buckley and Carlo Longino wrote on their blog MobHappy (http://mobhappy.typepad.com/) that waiting for TypePad to be fixed was like "waiting for a train to arrive, when you're sitting on a cold, damp platform. It's mildly irritating for the first 5 minutes, but then annoyance levels start to rise exponentially."
"TypePad has been growing so rapidly that it is finding the hard way that scale and scalability matter," Business 2.0 technology writer Om Malik wrote on his blog (http://gigaom.com/). "Are they the only ones? Not really -- over (the) past few days Bloglines, Feedster and Wordpress.com have been behaving like a temperamental 3-year-old."
The usefulness of Web 2.0 services -- which also include the collaborative Web pages known as Wikis and RSS feeds that deliver customized information to users -- is highlighted when they are abruptly taken away.
"You need those services to be 'on.' I have come to expect 99.9 percent uptime, and when a service crashes there is significant frustration," said David Boxer, director of instructional technology and research at the Windward School in Los Angeles, where he runs workshops on subjects like podcasting and photoblogging.
"When those services go down, then we are stuck in a ditch," he said.
Boxer's students have worked on projects aimed at making them "citizen journalists" via publishing their own blogs, podcasts, documentaries and photo essays. But when those services suffer outages, everything grinds to a halt.
When the Blogger Web site went down, Boxer's students lost some of their work. And when del.icio.us crashed recently, "it left me personally in a lurch," he said.
"I knew that eventually a machine or software application will crash, but I always expect a third-party provider like del.icio.us will build enough redundancy into the infrastructure that it will never go down," Boxer said.
It is still early days for Web 2.0, and some of the recent difficulties are likely just teething problems as companies adapt to their new popularity. However, the outages may make it harder to convince businesses and investors that blogging is ready for primetime.
Boxer, for one, is willing to ride out a few outages to take advantage of the new services.
"They allow for elements of personalization, content delivery and information pushing unlike any previous incarnation of the Net," he said.
WEB 2.0 LINKS
TypePad (http://www.typepad.com/): A paid-for service for publishing blogs and photo albums. Competitors include Wordpress (http://wordpress.org/) and Google's Blogger.com (http://www.blogger.com).
Flickr (http://www.flickr.com/): An online service for sharing and managing photos.
Del.icio.us (http://del.icio.us): A site for storing and sharing bookmarked Web pages.
Computer book publisher Tim O'Reilly's essay on Web 2.0 (http://www.oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/what-is-web-20.html)

Written by: Adam Pasick

Tuesday, December 13, 2005

Microsoft Fixes Critical IE Problems

Microsoft this week fixed a widely reported flaw in its Internet Explorer (IE) browser that had been used by attackers over the past few weeks to take over the PCs of unsuspecting users. The flaw was one of four IE bugs fixed Tuesday in Microsoft's regularly scheduled software update. Although attacks based on the vulnerability have not been widespread, it is important that IE users now install the patch, said Neel Mehta, team lead of Internet Security Systems' X-Force group. "It's not of epic proportions," he said. "But isolated attackers here and there have used it to install malware."
Bug History
Security experts had known about the flaw since May, but on Nov. 21 hackers with a U.K. organization called Computer Terrorism posted sample code that showed it to be much more serious than originally thought. Within days that sample code was adapted and being used by attackers, prompting many security experts to erroneously predict that Microsoft would rush a patch ahead of its December update.
The bug concerns the way IE processes the "Window()" function in JavaScript, a popular scripting language used by Web developers to make their sites more dynamic. It affects IE users on Windows XP, Windows 2000, Windows 98. In order to exploit this problem, attackers must first trick users into visiting a maliciously encoded Web site, which has helped prevent the bug from being more widely used.
Critical Update
Microsoft fixed this problem, along with the other three IE bugs, in one of two security updates, released Tuesday. More details on the IE fixes can be found in the MS05-054 Security Bulletin here. This update is rated "critical" by Microsoft.
A second update, assigned Microsoft's less severe security rating of "important," fixes a problem in the Windows 2000 kernel. That update can be found here. This bug could help an attacker to circumvent Microsoft's user privileges mechanism and perform unauthorized tasks on a PC.
Typically, this flaw could not be exploited remotely, as it requires that the attacker gain access to the targeted computer's keyboard, said Steve Manzuik, security product manager with the company that discovered the bug, eEye Digital Security. Its advisory may be read here.

Written by: Robert McMillan, IDG News Service

Wednesday, November 09, 2005

Hello, there to everyone who looks for this BLOG for new Internet, PC, and Technology changes.
I have been posting articles from other websites to this blog to inform the public on what is going on with new stuff that comes out. I have been getting some weird posts and comments from the public on why I don't post my own thoughts and comments.
Well, in reality I could write about bluetooth technology and the good and the bad and give my 2 cents on it. But why, when there are so many good reporters and writers out there that have done the research and give public info.
The goal for this blog is to get the good stuff out there and put on here so that you have one place where the news for techie stuff is....

I appreciate all the good comments that I have been receiving and the BAD SPAM that I have gotten and will be going to have to fix that as of today to prevent those bad comments from posting.

Thanks for viewing my blog and I will be updating it in the next coming weeks....

LOOK FOR:

  • NEW ANTI-VIRUS SOFTWARE
  • NEW SPYWARE SOFTWARE
  • NEW PC INFO
  • NEW SOFTWARE INFO
  • NEW CELL PHONE INFO
  • NEW ISSUES ON SECURITY ON ROUTERS and WIFI
  • NEW ISSUES on HACKING into PC's

I generally try to post every week and my goal is to post a new article every Friday....

HAVE A NICE WEEK AND TALK TO YOU SOON.....

Thursday, October 20, 2005

Dutch Say Suspects Hacked 1.5M Computers

AMSTERDAM, Netherlands - Three suspects in a Dutch crime ring hacked 1.5 million computers worldwide, setting up a "zombie network" that secretly stole credit card and other personal data, prosecutors said Thursday.
The three, who were arrested Oct. 6 and originally were estimated to have hacked 100,000 computers, have yet to enter a plea.
A court in the town of Breda extended the custody of the 19-year-old main suspect and a 22-year-old accomplice for a month Thursday, and ordered the release of the third, aged 27, pending trial, prosecution spokesman Wim de Bruin said. The suspects' names have not been released.
Prosecutors said, however, more arrests were likely as the investigation continues.
The two still being held are accused of blackmailing a U.S. company by threatening it with a "denial of service" attack, in which thousands of computers that have been infected are used to bombard a target with e-mail. De Bruin said the company did not want its identity known.
The software the hackers used, a variation of the worm known as "W32.Toxbot," was first detected this year. Antivirus software can remove it, but the hackers adjusted the program constantly to defeat protections.
The existence of the "zombie network" of infected computers was first detected by Dutch Internet provider XS4ALL. The company noticed unusual activity coming from a handful of its users' infected computers, said the company's chief technical officer, Simon Hania.
The company traced the network as far as it could, and then turned the matter over to prosecutors.
De Bruin said prosecutors worked with computer crime experts to trace the network to its source and then installed taps on the suspects' computers. The taps showed the suspects manipulating the zombie network to steal passwords and credit card data, De Bruin said.
They also are accused of stealing PayPal and EBay Inc. account information to order goods without paying for them, he said. Authorities have seized computers, a bank account, an undisclosed amount of cash and a sports car in the investigation.
About 30,000 of the infected computers were in the Netherlands. When investigators dismantled the global network, they found more than 15 times the number of infected computers they originally estimated.
XS4ALL's Hania said that although the zombie network may be the largest of its kind whose controllers were busted, it was only a "drop in the ocean."
"It destroys the Internet," he lamented.

By TOBY STERLING, Associated Press Writer

Tuesday, October 18, 2005

Consumer confusion abounds over spyware

According to exclusively provided results from the 2005 National Spyware Study, prepared by The Ponemon Institute, sponsored by Unisys Corporation and assisted by Chappell Associates, while most consumers believe that they have been victims of spyware and many of them are confused when it comes to issues relating to spyware, most prefer access to free downloadable software than laws designed to grapple with spyware problems.
An astounding 84% of respondents report that they have been spyware victims. From this group, an overwhelming 97% do not remember viewing end user licensing agreements (EULAs) before downloading spyware software on their computers.
Many respondents do not know how spyware is downloaded on their computers. Indeed, more than 42% report that they have "no idea" where the spyware comes from.
The primary reported negative consequence of spyware appears to be computer malfunctioning. This results in reported productivity losses for many people.
Approximately 15% of respondents report that they have suffered monetary damages from spyware on their computers. The average loss for this group is estimated at about $50 over the past 12 months. While this amount is not large on an individual basis, it is on a macro level.
A substantial number of respondents, 76%, report that they have experienced time losses emanating from spyware on their computers. The average time loss is estimated at 1.6 hours over the past 12 months. Again, while this time loss is not huge for an individual, it represents a large time loss on a cumulative basis.
Most respondents report downloading free software on the Internet. The most common of such programs include games, screen savers, and music players. These types of software programs are known to download spyware and adware desktop applications.
The respondents generally do not have a clear understanding of differences between spyware and adware. Indeed, almost half of them failed a test question that properly seeks definitions of spyware and adware.
The majority of respondents appear not to understand Internet economic issues. For example, they do not know how "free" software programs earn profits for their suppliers.
Interestingly, when available, most respondents concede that they do not read EULAs. The main cited reason is that language contained in EULAs is too complex and confusing.
Roughly half of respondents believe that it never is acceptable or appropriate to be tracked by spyware or adware on the Internet.
Still, most respondents do not desire new anti-spyware laws to prevent them from obtaining free software.
Thus, while most respondents have been subject to spyware, do not want to be tracked by such programs, and have confusion about some spyware issues, they appear more interested in obtaining free software than thwarting spyware problems.

Written by: Eric Sinrod is a partner in the San Francisco office of Duane Morris
His Web site is www.sinrodlaw.com, and he can be reached at ejsinrod@duanemorris.com.

Regulators: Banks Must Beef Up Web Security

BOSTON (AP)--Federal regulators will require banks to strengthen security for Internet customers through authentication that goes beyond mere user names and passwords, which have become too easy for criminals to exploit.
Bank Web sites are expected to adopt some form of "two-factor" authentication by the end of 2006, regulators with the Federal Financial Institutions Examination Council said in a letter to banks last week.
In two-factor authentication, customers must confirm their identities not only through something they know, like a PIN or password, but also with something they physically have, like a hardware token with numeric access codes that change every minute.
Other types of two-factor authentication include costlier hardware involving biometrics or "smart" cards that would be inserted into designated readers on a user's computer.
Banks might also issue one-time passwords on scratch-off cards or require "secret questions" about a customer's account, such as the amount of the last deposit or mortgage payment.
The council also suggested that banks explore technology that can estimate a Web user's physical location and compare it to the address on file.
The most common way of stealing consumers' personal identity data and financial account credentials online, known as phishing, typically involves sending e-mails that direct unwitting users to phony Web sites. Data harvested at such sites is then used fraudulently.
The Anti-Phishing Working Group, an industry association, reported 13,776 unique types of phishing attacks in August.
While some financial institutions have given their customers electronic password tokens, those have tended to be optional. Other banks have instituted password entry through mouse clicks instead of typing, a protection against keystroke-snooping programs.
But in general, the industry can do more to stop account fraud and identity theft, according to the financial institutions council--which includes the Federal Reserve; the Federal Deposit Insurance Corp.; the U.S. Comptroller; the Office of Thrift Supervision, and the National Credit Union Administration.
"The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of information to other parties," the council wrote. "Account fraud and identity theft are frequently the result of single-factor ... authentication exploitation."
FDIC spokesman David Barr said the rules will serve as standards that will be checked when banks' practices are audited.
Although the requirements apply just to financial services companies, the policy could stimulate wider use of two-factor authentication by other merchants that are willing to "federate" their Web sites with banks, said Michael Aisenberg, director of government relations for Internet services provider VeriSign Inc.
VeriSign is a member of the Liberty Alliance, a group that is working to develop standards for federated authentication.
In a federated system, a two-factor login at one site would be recognized by another, so a travel agency associated with your bank would automatically grant you access if you came straight from the financial institution's Web site.
At the very least, Aisenberg said, "The securities industry is going to have to go along and other regulated sectors will no doubt follow along as well."

Written by: Brian Bergstein @ TechWeb.com

Nigeria and Microsoft sign deal to fight e-mail fraud

ABUJA (AFP) - Nigeria and the US software giant Microsoft have formed an alliance to combat the Internet fraudsters who have damaged the country's international image, Nigeria's anti-graft agency said.
"Millions of people all over the world can only link the country and her nationals to the infamous scam letter," said Nuhu Ribadu, chairman of the Economic and Financial Crimes Commission (EFCC), in a statement released here.
"EFCC and Microsoft have teamed up to fish out Internet fraudsters in Nigeria and the west African sub region," he said.
Computer users across the world have become accustomed to being bombarded by e-mails from Nigerians seeking to trick them into handing over bank details or making advance payments on non-existent money-making schemes.
Experts say that the so-called 419 fraudsters -- named after the relevant section in Nigeria's criminal code -- steal hundreds of millions of dollars every year from unsuspecting marks.
In the biggest such case to date, a Brazilian bank collapsed after Nigerian confidence tricksters persuaded a corrupt employee to divert 242 million dollars (192 million euros) of his employer's capital into an imaginary deal to develop Abuja airport.
Microsoft markets the most popular computer programmes controlling access to the Internet, and Nigeria hopes that after signing a deal with the company in London at the weekend, the firm will help it track scammers, who now face stiffer laws at home.
The Nigerian parliament recently passed the stringent "Advance Fee Fraud Act 2005", which holds liable not only the fraudster but also cybercafe owners and office managers who allow their premises and facilities to be used for the crime.
President Olusegun Obasanjo has proposed an amendment to the act to make it a crime for scammers -- who are known in Nigeria as "Yahoo-Yahoo boys" after the popular free e-mail service -- to send unsolicited messages.

Monday, October 17, 2005

Feds Want Banks to Strengthen Web Log-Ons

BOSTON - Federal regulators will require banks to strengthen security for Internet customers through authentication that goes beyond mere user names and passwords, which have become too easy for criminals to exploit.
Bank Web sites are expected to adopt some form of "two-factor" authentication by the end of 2006, regulators with the Federal Financial Institutions Examination Council said in a letter to banks last week.
In two-factor authentication, customers must confirm their identities not only through something they know, like a PIN or password, but also with something they physically have, like a hardware token with numeric access codes that change every minute.
Other types of two-factor authentication include costlier hardware involving biometrics or "smart" cards that would be inserted into designated readers on a user's computer.
Banks might also issue one-time passwords on scratch-off cards or require "secret questions" about a customer's account, such as the amount of the last deposit or mortgage payment.
The council also suggested that banks explore technology that can estimate a Web user's physical location and compare it to the address on file.
The most common way of stealing consumers' personal identity data and financial account credentials online, known as phishing, typically involves sending e-mails that direct unwitting users to phony Web sites. Data harvested at such sites is then used fraudulently.
The Anti-Phishing Working Group, an industry association, reported 13,776 unique types of phishing attacks in August.
While some financial institutions have given their customers electronic password tokens, those have tended to be optional. Other banks have instituted password entry through mouse clicks instead of typing, a protection against keystroke-snooping programs.
But in general, the industry can do more to stop account fraud and identity theft, according to the financial institutions council--which includes the Federal Reserve; the Federal Deposit Insurance Corp.; the U.S. Comptroller; the Office of Thrift Supervision and the National Credit Union Administration.
"The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of information to other parties," the council wrote. "Account fraud and identity theft are frequently the result of single-factor ... authentication exploitation."
FDIC spokesman David Barr said the rules will serve as standards that will be checked when banks' practices are audited.
Although the requirements apply just to financial services companies, the policy could stimulate wider use of two-factor authentication by other merchants that are willing to "federate" their Web sites with banks, said Michael Aisenberg, director of government relations for Internet services provider VeriSign Inc.
VeriSign is a member of the Liberty Alliance, a group that is working to develop standards for federated authentication.
In a federated system, a two-factor login at one site would be recognized by another, so a travel agency associated with your bank would automatically grant you access if you came straight from the financial institution's Web site.
At the very least, Aisenberg said, "The securities industry is going to have to go along and other regulated sectors will no doubt follow along as well."

By BRIAN BERGSTEIN, AP Technology Writer

Cisco adds security to switches, wireless devices

NEW YORK (Reuters) - Cisco Systems Inc. (Nasdaq:CSCO) is adding security features to its network switches and wireless products, in the networking gear maker's latest push to sell software to help corporations combat spyware, worms and viruses.
Cisco already sells security software for its routers, which allows businesses to add a layer of security to their Web-based networks, which are often used by far-flung workforces. On Monday, Cisco said it is now selling the software for its switches, which companies often use in simpler local area networks within their own buildings.
The expansion of the security features to business' internal networks also includes wireless access points, which corporations are increasingly installing on their campuses.
The software is designed to protect corporations from computers and mobile devices which may have been infected through use outside of the office, as well as from outside attacks against the network itself.
The software, which Cisco sells under the brand name Network Admission Control, has proven to be a popular add-on for Cisco's corporate clients, who are wrestling with a wide range of security threats. The technology has also allowed Cisco to expand into the lucrative area of security software.
The market for network security software and appliances will reach $4.3 billion by the end of 2005 and could grow to $6.3 billion by 2009, according to the Synergy Research Group in Scottsdale, Ariz. Overall security spending will compose 7.9 percent of the U.S. IT budget in 2005, or $59.6 billion, according to Forrester Research Inc. (Nasdaq:FORR) in Cambridge, Mass.
This growth is being spurred by the constant assault on corporate and home networks by worms, viruses and other harmful programs.
"I've seen a big increase over the year in terms of attention paid to it by security managers and CIOs to this problem," said Gregg Moskowitz, an analyst at Susquehanna Financial Group.
Cisco's software is designed to be compatible with devices that do not contain Cisco's own verification system, known as the Cisco Trust Agent. This is important for companies that open up their networks to deal with outside business partners, such as suppliers or contractors, who might be running security software from other vendors, said Bob Gleichauf, chief technology officer in Cisco's Security and Technologies Group.
Cisco's focus on network security pits it against traditional rival Juniper Networks Inc, as well as Check Point Software Technologies Ltd, Microsoft Corp (Nasdaq:MSFT), Internet Security Systems Inc (Nasdaq:ISSX) and McAfee Inc (NYSE:MFE).
Cisco officials declined to say how much revenue and profit it expects from its network security business.
Cisco shares were down 7 cents, or 0.41 percent, in after-hours INET trading.

Friday, October 14, 2005

Expect Bigger Attacks After Microsoft, Yahoo Connect IM Networks

IM attacks are already exploding, up a whopping 2,000% since last year. The bigger, combined Microsoft-Yahoo network will let attacks spread even further and faster.

The deal struck Wednesday by Yahoo and Microsoft to make their instant messaging (IM) networks work together in 2006 may sound great at first glance, but security experts say that the merger will make IM an even bigger target for hackers and hucksters.
"Ninety-eight percent of the stories about Yahoo and Microsoft will be about the benefits of interoperability, how the deal will eliminate the traditional hurdles in IM," said Jon Sakoda, the chief technology officer for IMlogic, an Internet security firm that specializes in defending against IM and file-sharing threats.
Instead of those silver linings, Sakoda sees some possible gray clouds on the horizon. "IM worms have generally targeted individual networks, say, only Yahoo or MSN. That's why you haven't seen a global worm that propagates to millions," he said.
"There hasn't been any interoperability, but this deal changes that."
Christopher Dean, the senior vice president of business development at rival FaceTime, agreed. "As you increase the size of network, there's a greater chance that [malicious] things can spread. It's a bigger network effect."
Although the speed with which IM attacks spread -- very very fast, compared to e-mailed attacks -- won't change, the size of the attacks will, said Dean. "The malware writers discovered IM networks for the first time this year, and once they discovered it, they're focusing on it. And yes, [the Yahoo-Microsoft announcement] will increase the spread of IM worms."
Security vendors such as IMlogic have reported a massive surge in IM threats during 2005. Year-to-date, IMlogic said in a recently published third quarter threat report, IM threats are up a whopping 2,083 percent over 2004.
"Attackers are comfortable in using e-mail and the Web," said IMlogic's Sakoda. "And they've now added IM."
The larger attack surface of an interoperable Yahoo-MSN IM network -- estimated at 49.2 million users, only slightly fewer than AOL's 51.5 million -- means that Yahoo and MSN users should expect more attacks.
"We really haven't seen [IM worms] propagate because networks have been closed and non-interoperable," said Sakoda. "Historically, AIM and MSN have received the lion's share of attacks, because malware writers know where the users are, just like bank robbers know where the money is."
Attacks across IM networks -- whether delivering worms, spim, or adware/spyware -- are notorious for arriving like a whirlwind, and disappearing just as fast. That's due, said FaceTime's Dean, to IM users' habit of clicking on links within messages, the fact that all messages seem to come from trusted sources (i.e., IM buddies), and because IM is, unlike e-mail, a real-time communication mode. That trio, he said, conspire to make IM attacks fast acting.
So fast, said Sakoda, that defenses have a hard time keeping up.
"The speed with which attacks hit is measured in minutes, and their worms spread faster than either the IM or security industry can respond. That's why they're becoming such a popular method of attack."
Even so, argued Dean, the benefit of Wednesday's cooperation is a good thing. "Having interoperability makes a great deal of sense," he said, "and I think it far outweighs any possible increase in attacks."
Sakoda's not so sure. "SMTP and open e-mail standards created a lot of benefits, but they opened a lot of security holes, too," he cautioned. "I see similar types of trends in the IM world."

Written by Gregg Keizer, TechWeb News

Microsoft, Nigeria fight email scammers

LONDON (Reuters) - Microsoft has announced an anti-fraud partnership with Nigeria, the country of origin for some of the Internet's most notorious email scams.
Microsoft, which has been working to improve security and reliability amid an onslaught of malicious software targeting weaknesses in Windows and other Microsoft software, signed a memorandum of understanding with the Nigerian Economic and Financial Crimes Commission (EFCC) on Friday.
The agreement is designed to foster cooperation to combat issues such as spam, phishing, spyware, viruses and counterfeiting.
The email scam, known as a 419 scheme after the relevant section of the Nigerian Criminal Code, is a computer age version of a con game that goes back hundreds of years and is sometimes called "The Spanish Prisoner."
Victims are contacted by a stranger who claims to have access to large sums of money. They are told that the money can only be accessed if they disclose the details of their bank account or put up an advance fee, but the promised funds never materialize.
The EFCC said its Advance Fee Fraud Section "is currently investigating hundreds of suspects and prosecuting over 50 cases, involving close to 100 accused persons, in courts throughout Nigeria."
Under terms of the pact, "Microsoft and the EFCC will work together to combat the problem of internet crime through information sharing and training on Microsoft's technical expertise in this area," the parties said.

Article found in Reuters.

Windows Media Center Edition Gets Big Update

Microsoft is expected to issue a major update Friday to its Windows XP Media Center Edition operating system. The update, called Windows XP Media Center Edition Rollup Update Version 2, will add support for sending high-definition video over a home network to Microsoft's upcoming Xbox 360 game console and will include more than 500 bug fixes.
Tom Laemmel, product manager of the Windows Client Division, says the fixes don't address anything really major, "just lots of little things." He adds that the update will provide greater stability, but you won't see any performance difference over Rollup Version 1 (which came out last December).
Version 2 will also allow a Media Center PC to run two ATSC television cards (versus one for the previous version). Each card can carry two tuners, so theoretically you could play and/or record up to four TV programs (two high-definition and two standard-definition) at once. You can stream HD or SD programming from the PC to a Media Center Extender or to the Xbox 360, which is supposed to go on sale in November. The old version of the OS would stream only standard-definition content.
However, you'll still be limited to accessing only over-the-air high-definition programming: While Media Center PCs usually come with infrared blasters for use with cable-television set-top boxes, they will allow access only to standard-definition broadcasts. Furthermore, even if you can access over-the-air HD programs, if you try to burn one to a DVD, Media Center Edition will downcode it to standard resolution.
No CableCard Support
Laemmel says Media Center Edition does not support the CableCard standard, but that "there's a lot of work going on by Microsoft and others in this area." A CableCard is a PC Card-like device that you insert into a slot in a compatible television to decrypt digital television broadcasts; the main advantage is that you don't have to use a cable set-top box. If you could insert such a card into a PC, you could then bring in HD cable broadcasts, not just over-the-air ones.
Media Center Edition Rollup Version 2 will also add support for PCs with Away Mode, a new power-management feature that cuts off the speakers and display, and perhaps lowers CPU power, but still allows the computer to perform unattended tasks (such as streaming video to an Extender). Laemmel cites having a babysitter over as an example of the mode's usefulness: You don't have to show how to start up or shut down the PC; just pressing the off button on the remote control will put the PC into Away Mode.
A big complaint about the Media Center OS is that it hasn't been as reliable as the consumer electronics devices it's supposed to compete with, mainly because it is, after all, a Windows OS. Laemmel admits that, with any version of Windows, periodically "it's best just to restart the darn thing." To this end, a new setting prompts the PC to restart Media Center-specific services. The default is for it to perform that task at 4 a.m.; but you can change the time, and the PC will skip the restart if it's busy.
Windows Vista Takes the Stage
Laemmel reveals that the majority of the Windows development team has moved to work on Microsoft's Vista operating system, expected out next year, and its media-specific features, so some Media Center elements--for example, music playback--were deliberately left alone. Vista will have all of the new features in Rollup 2, yet Media Center Edition will live on after Vista appears.
Microsoft recently introduced the Remote Keyboard for Windows Media Center Edition, which will sell for about $90. The wireless keyboard will have a built-in scrolling device (not quite a trackpad, because it has only up/down/left/right, with an OK button in the middle), plus dedicated buttons for Media Center functions. Your Media Center PC will need at least Rollup Update Version 1 for it to work.
Windows XP Media Center Edition Rollup Update Version 2 will be available via Windows Update or Microsoft Update; the download is about 30MB.

Written by: PCWORLD

HP Recalls 135,000 Laptop Battery Packs

Hewlett Packard is recalling about 135,000 battery packs for some HP and Compaq laptop computers because of reports they overheated and melted, the Palo Alto, Calif., company announced Friday.
The lithium ion rechargeable battery packs are used with HP Pavilion, Compaq Presario, HP Compaq and Compaq Evo laptop computers.
The company has received 16 reports of the batteries' overheating; four cases occurred in the United States.
The recalled packs bear a barcode label starting with GC, IA, L0 or L1.
The battery packs were sold internationally from March 2004 through May 2005 by national and regional electronics stores and on Internet sites such as http://www.hp.com and http://www.hpshopping.com.
Consumers should stop using the products and contact the company for a free replacement. For more information, call Hewlett-Packard at 888-404-7398 or visit http://www.hp.com/support/ or http://www.cpsc.gov.

By The Associated Press Fri Oct 14, 6:59 AM ET

Thursday, October 13, 2005

Adobe Acquisition of Macromedia Gets OK

SAN FRANCISCO - Adobe Systems Inc. said Thursday the Justice Department has approved its $3.4 billion acquisition of Macromedia Inc.
Adobe and Macromedia, two of the largest providers of graphic design software, must wait for several European jurisdictions to sanction the deal before it can close.
Adobe's Illustrator and Macromedia's Freehand are two of the leading products for vector graphics illustration, a term for drawings that are stored as collections of points and objects instead of pixels.
A combined company would also own a huge chunk of the market for Web site-building tools: Macromedia makes Dreamweaver while Adobe sells GoLive.
Analysts have said that teaming Adobe with Macromedia would also create a formidable competitor for Microsoft Corp., which announced last month that it will launch Web and graphic designer tools next year.
Last April, Adobe announced an agreement to acquire Macromedia in an all-stock transaction. Adobe said in a statement that it continues to expect the transaction will close sometime this fall.

Article found in the Associated Press.

Comcast, Google May Acquire Part of AOL

PHILADELPHIA - Comcast Corp., the country's largest cable TV company, is teaming up with Internet search leader Google Inc. in talks about taking a stake in Time Warner Inc.'s AOL Web portal, a person familiar with the discussions said.
Comcast, Google and Time Warner are discussing a possible deal under which the three companies would form a new entity through which they would jointly own the Web portal, according to the person, who asked not to be identified because release of the information was not authorized.
The potential deal could derail separate talks that have been reported between AOL and Microsoft Corp., which is believed to be interested in an alliance between AOL and Microsoft's MSN, another major Internet portal.
Any deal between AOL and MSN could threaten Google, since AOL is a major contributor to Google's thriving Internet ad business, accounting for 11 percent of Google's $2.6 billion in revenue during the first half of this year.
AOL was long considered a drag on Time Warner due to the rapid exodus of its core dial-up Internet users, but recently AOL has been revamping its business model, opening up its content to all Internet users in order to tap into the booming market for Internet advertising.
AOL's original online content now makes it an attractive target for companies like Google and Comcast, which are eager to build up their audiences of Internet users.
The three companies plan to leverage their content and consumer reach to create a Web portal powerhouse, the person said. Google, which is based in Mountain View, Calif., is the nation's most popular search engine, while Comcast and Time Warner are the top two cable operators. Time Warner also owns many media properties including Warner Bros., CNN and HBO.
Google contacted Comcast last week to gauge the cable giant's interest in such a deal, the person said. Philadelphia-based Comcast had been on the prowl for content to avoid the commoditization of its cable lines.
Reports of the talks among Google, Time Warner and Comcast sent Time Warner's stock up 10 cents to close at $17.59 Thursday on the New York Stock Exchange.
Time Warner's CEO Dick Parsons said recently that revving up AOL's turnaround is a top priority for the company and the greatest opportunity for creating value. Activist investor Carl Icahn, meanwhile, has been pressuring the company to boost its share buyback program and spin off its cable TV unit.
No price for any deal has yet been discussed, as the talks remain at an early stage, the person said. Reports Thursday in The Wall Street Journal and The New York Times said the deal would focus on AOL's Web portal business, not on its still-profitable but declining dial-up Internet access business.
Google has been seeking a closer relationship with cable operators because of their close ties with content programmers.
Asked about the talks, a Google spokesman said: "Google and AOL have a healthy global partnership, and AOL remains a valued partner. Your inquiry is about rumored conversations and we're not able to respond to questions of this type."
An AOL spokeswoman declined to comment. AOL was the fifth most-popular Web brand in September, according to Nielsen/NetRatings, while Google came in fourth.
___
Business Writer Michael Liedtke in San Francisco contributed to this report
news link: http://news.yahoo.com/s/ap/20051013/ap_on_hi_te/aol_comcast_google;_ylt=AkR36b6bH0LDXRxRgbd5b2f6VbIF;_ylu=X3oDMTBjMHVqMTQ4BHNlYwN5bnN1YmNhdA--

OpenOffice.org 2.0 Release Delayed

OpenOffice.org had hoped to celebrate its fifth birthday today by launching the next generation of its office software suite, but a glitch has delayed release of the product for one week.
According to a blog posting by OpenSource.org community member Stefan Taxhet, "a serious showstopper" apparently related to graphics was detected at the last moment, and developers agreed to postpone the release until the problem has been fixed.
The delay also allows developers to apply patches for other problems with OpenOffice.org 2.0 related to the printing of text and two issues related to Mac OS X.

OpenDocument Support Is Key
The OpenOffice.org suite, backed by a group of developers organized by Sun Microsystems, includes word processing and spreadsheet applications. It offers default support for the new XML-based OpenDocument format, approved by the Organization for the Advancement of Structured Information Standards (OASIS).
That format got a boost recently when Massachusetts' I.T. department announced that OpenDocument would be the preferred program for state documents starting in January 2007. Also, Sun and Google have agreed to collaborate on several initiatives, including promotion of the OpenOffice.org software suite.
OpenOffice.org community development manager Louis Suarez-Potts said that the group has recorded some 47 million downloads since the inception of OpenOffice.org. With the release of version 2.0, that number is expected to reach 100 million in short order, he said.
Suarez-Potts suggested that, in light of the Google partnership with Sun, the profiles of OpenOffice.org and the Open Document Format (ODF) have been raised to a new level.

No Cause for Concern
Because the earlier iteration of OpenOffice.org is still functional, the delay should pose no problems for the organization, said IDC analyst Dan Kusnetzky. While use of OpenOffice.org software on Windows-based hardware remains limited, he said, it is making headway among Linux and Unix users.
Yankee Group analyst Laura DiDio noted that launch delays are common in the software industry, and that as long as the delay is relatively short it is not cause for concern. "It's better to fix the glitches before the release than after," she said.
As for the popularity of OpenOffice.org, DiDio said Microsoft's (Nasdaq: MSFT) Office suite dominates the market by a large margin. She did point out, though, that Sun's StarOffice open-source offering has attained a 19 percent market share among small to midsize businesses.

Written by: Jay Wrolstad, newsfactor.com

Wednesday, October 12, 2005

QuickTime 7.0.3 updated for iPod video creation

Apple on Wednesday released QuickTime 7.0.3, an update to their core multimedia software. The 34MB update can be downloaded from Apple’s Web site and is also available from the Software Update system preference panel.
The new update “delivers several important bug fixes, primarily in the areas of streaming and H.264 video,” according to Apple, which recommends it highly for all QuickTime 7 users.
What’s more, users who have installed QuickTime 7 Pro — the US$29 upgrade to QuickTime that adds authoring capabilities — will gain the ability to create video and audio files that can be played back on compatible iPods. Apple on Wednesday introduced new color iPods that can play MPEG-4 and H.264 video.
An important caveat, if you have not yet updated to QuickTime 7 — the update disables QuickTime Pro functionality in versions prior to QuickTime 7. You need to purchase a new QuickTime 7 Pro key in order to restore that capability.

Tuesday, October 11, 2005

Vendors Rally for Fast New Wi-Fi

More than two dozen leading manufacturers of wireless LAN equipment have formed an industry coalition aimed at breaking a deadlock in efforts to establish a new, faster Wi-Fi standard.
The Enhanced Wireless Consortium (EWC), announced Monday, hopes to speed ratification of an IEEE 802.11n standard by introducing its own specification with widespread industry support. The industry coalition consists of 27 companies, including Atheros Communications, Broadcom, Cisco Systems, and Intel.
"These members represent a good cross-section of the two groups that were unable to agree to an 802.11n standard as part of the IEEE standardization process," said Gwen Carlson, a spokesperson at Conexant Systems, which is an EWC member.
Warring Sides
For the past several months, the two camps had argued bitterly over a standard, failing to achieve the majority support required by IEEE.
In one camp was the World-Wide Spectrum Efficiency (WWiSE) group, and in the other was TGnSync.
The members will continue to work within the IEEE Task Group "N" in an effort to agree on an 802.11n standard, according to Carlson.
The EWC specification will benefit users by, among other things, ensuring interoperability of next-generation wireless products across a range of brands and platforms, such as PCs, handheld devices and networking systems, Carlson said.
Faster Wi-Fi
The planned 802.11n standard will significantly boost throughput on Wi-Fi systems. The EWC specification aims to support speeds of up to 600 megabits per second. That compares to today's 802.11a and 802.11g throughput of 20Mbps to 24Mbps.
The EWC specification includes a number of other technical elements, including mixed-mode interoperability with 802.11a, b and g networks; use of 2.4GHz and/or 5GHz unlicensed bands (thus matching the frequency plan of existing 802.11 devices); 20MHz and/or 40MHz channel support; and spatial multiplexing modes for simultaneous transmission using one to four antennas.
The specification will also support 4 x 4 MIMO (multiple-input/multiple-output) technology, according to Carlson.

Written by: John Blau, IDG News Service

Wednesday, September 07, 2005

SUREWEST PROBLEMS in Roseville, CA

Many customers had trouble accessing Internet and e-mail.
Thousands of SureWest Communications' Internet subscribers were hit with a double-whammy over the weekend as a digital "attack" caused some customers to lose Web access, while unrelated software upgrades made accessing e-mail more difficult, company officials said Tuesday. The problems started Sunday morning with a "denial of service attack" in which SureWest's servers were bombarded by a coordinated barrage of repetitive messages designed to tie up the computers.
About 15 percent of SureWest's 40,000 Internet customers had difficulty going online because of the attack, said Scott Barber, SureWest's vice president of network operations. Most of those affected had DSL accounts, he said.
The attacks lasted from Sunday morning through Monday afternoon. Barber said the company didn't know the source of attacks but had contacted law enforcement officials.
Also beginning Sunday, many SureWest e-mail customers were unable to log on to their e-mail accounts because of software upgrades designed to help with spam filtering and other issues, Barber said.
The upgrades required a new sign-in procedure, which apparently confused many customers.
"A lot of people were struggling with the new log-in screen and calling in and having to get their passwords from us," Barber said.
The company's tech-support lines were jammed with callers trying to work through their e-mail problems, he said. SureWest hosts about 65,000 separate e-mail addresses.
Barber said the company had sent several e-mail notices plus a registered letter to its e-mail customers advising them of the new sign-in procedure.
But apparently that wasn't sufficient. SureWest customer Michael Heenan said he wasn't aware of a change until he called in and, after waiting 55 minutes on hold, talked to a customer relations representative.
"They are maddeningly primitive in their customer communications, but when you get somebody on the phone they are invariably super-nice," said Heenan, who has a public relations business.
He also said even after using the new sign-in procedures, e-mails were only "trickling in" to his account. "If I didn't have so much tied up in stationery and letterhead (including a SureWest e-mail address) I would have fled them on principle alone a long time ago," he said.
Despite bringing on more customer support staff, Barber said he expected phone lines to remain busy, though wait times are shortening. The company said its phone message for customers on hold has instructions for working through e-mail problems, and also directs callers to a Web site - www.surewest.com/email/ - for more instructions.
Barber advised customers with continuing problems to send SureWest an e-mail - via other accounts such as Yahoo or their work e-mail - to: support@surewest.net.

By Clint Swett -- Bee Staff Writer. Published 2:15 am PDT Wednesday, September 7, 2005. Story appeared in Business section, Page D1.

Wednesday, August 24, 2005

Google to Launch Messaging, Voice Service

MOUNTAIN VIEW, Calif. - Further expanding beyond its roots in Internet search, Google Inc. plans to launch a long-rumored program Wednesday that provides both text instant messaging and computer-to-computer voice chat.
The new program, Google Talk, will compete against similar free services offered for several years by America Online Inc., Microsoft Corp. and Yahoo Inc. All are vying to increase their presence on PCs to boost online ad revenue and name recognition.
The launch was due to come two days after Google unveiled another free program that aggregates information on a computer desktop. It also comes less than a week after the company announced plans to raise $4 billion in a secondary stock offering — which some analysts speculated could be used to fund far-flung projects such as Internet telephony.
As a newcomer to messaging, Google could face an uphill battle.
AOL's messaging program has about 41.6 million U.S. users, followed by Yahoo Messenger with 19.1 million and MSN Messenger with 14.1 million, according to ComScore Media Metrix's July report.
Users of those services are unlikely to switch unless the friends and colleagues on their "buddy lists" do the same. The top instant messaging services still do not communicate with each other, though promises of such "interoperability" have been made for years.
Google based its software on open standards, so it will work with smaller networks that are based on the same technology. Text messages can be exchanged with users of Apple Computer Inc.'s iChat, Cerulean Studios' Trillian and the open-source Gaim program.
Google also is inviting programmers to build its technology into their software.
"It means other people and developers will be able to add value to our network by being able to add this to computer games, productivity applications and anywhere else they want," said Georges Harik, director of product management at Google.
The new Google program features a basic user interface with few graphics, much like the main Google search site. It does not spawn pop-up windows or display ads like America Online's Instant Messenger.
"We'll have an uncluttered interface that allows you to search over your contacts pretty easily," Harik said. "It just stays out of your way unless you want to connect to someone."
Google Talk, which is being released in a beta test version, works only on PCs running Windows 2000 and Windows XP. Eventually, the company plans to release a version for Apple's Mac OS X. Google Talk also requires users to have an account with the company's free Gmail e-mail system. Gmail previously was available only to those invited by a current account holder, but now Google is opening up registration to anyone in the United States.
Voice chat requires that both the caller and recipient have speakers and a microphone hooked up to their computers. It does not currently offer an adapter to which regular phones can be connected. And unlike Internet phone services such as Vonage and Skype, Google's voice service does not support calls to the regular telephone system.
Harik also made clear that Google has no intention of trying to become a popular bridge to the other major instant-messaging providers. "We're not going to do anything like force other networks to interoperate with us," he said. "We're not going to arbitrarily break into their protocols."
However, since Google Talk runs on open standards, outside developers who incorporate the service into their programs could try to enable such interoperability.
Because of Google's large and loyal user base, the company's foray into instant messaging could threaten the other players, said Sara Radicati, head of The Radicati Group Inc., a technology research firm. As evidence, Radicati cited Google's entry into e-mail, when it became chic to have a Gmail account.
"We've seen people show off their Google address," she said. "It's on the level of `Hey, look at my new Swatch. I've got the yellow one while you're still wearing the blue.' ... It's a little thing, but it helps."
___

By MATTHEW FORDAHL, AP Technology Writer Wed Aug 24, 12:36 AM ET
AP Technology Writer Greg Sandoval contributed to this report.
___
On the Net:
http://www.google.com/talk

Sunday, August 14, 2005

New Internet worm targeting Windows

SEATTLE (Reuters) - A new Internet virus targeting recently uncovered flaws in Microsoft Corp.'s (MSFT) Windows operating system is circulating on the Internet, an anti-virus computer software maker said on Monday.
The ZOTOB virus appeared shortly after the world's largest software maker warned of three newly found "critical" security flaws in its software last week, including one that could allow attackers to take complete control of a computer.
Trend Micro Inc. (4704.T) said that the worm exploits security holes in Microsoft's Windows 95, 98, ME, NT, 2000 and XP platforms and can give computer attackers remote access to affected systems.
"Hundreds of infection reports were sighted in the United States and Germany," Tokyo-based Trend Micro said.
But computer security engineers at Microsoft said that the worm is only targeting Windows 2000 and not the other versions of Windows.
"It only affected Windows 2000," said Stephen Toulouse, a manager at Microsoft's Security Response Center. "So far it has shown a very limited impact -- we're not seeing any widespread impact to the Internet, but we remain vigilant."
The latest virus drops a copy of itself into the Windows system folder as BOTZOR.EXE and modifies the system's host file in the infected user's computer to prevent the user from getting online assistance from anti-virus Web sites, Trend Micro added.
The worm can also connect to a specific Internet relay chat server and give hackers remote control over affected systems, which can be used to infect other unpatched machines in a network and slow down network performance.
"Since most users may not be aware of this newly announced security hole so as to install the necessary patch during last weekend, we can foresee more infections from WORM_ZOTOB," it said.
Last Tuesday, Microsoft issued patches to fix its security flaws as part of its monthly security bulletin. The problems affect the Windows operating system and Microsoft's Internet Explorer Web browser.
Microsoft has warned that an attacker could exploit a vulnerability in its Internet Explorer Web browser by luring users to malicious Web pages and then running software code on the user's PC, giving the attacker control of the affected computer.
Computer users should update their anti-virus pattern files and apply the latest Microsoft patches to protect their computer systems, Trend Micro said.
More than 90 percent of the world's PCs run on the Windows operating system and Microsoft has been working to improve the security and reliability of its software.
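
The two host-level traces the article attributes to ZOTOB, a hosts file altered to cut off anti-virus Web sites and a file named BOTZOR.EXE in the Windows system folder, can be checked for with a short script. This is an added example, not code from the article or from Trend Micro; the watchlist domains and the sample hosts file are constructed placeholders, because the article does not name the blocked sites.

```python
import ipaddress
import os
from typing import List, NamedTuple, Sequence

# File name the article says the worm drops into the Windows system folder.
DROPPED_NAME = "BOTZOR.EXE"

# Constructed placeholders for the anti-virus sites a defender cares about;
# the article does not list the domains the worm blocks.
WATCHLIST = ("av-vendor.example", "security-updates.example")

# Constructed sample hosts file (not taken from an infected machine).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
::1         localhost
127.0.0.1   www.av-vendor.example        # looped back to this machine
0.0.0.0     security-updates.example download.AV-Vendor.example.
10.0.0.5    intranet.corp.example
192.0.2.10  av-vendor.example
bogus       www.av-vendor.example
127.0.0.1   notav-vendor.example
"""


class Finding(NamedTuple):
    line_no: int
    address: str
    hostname: str
    reason: str


def _normalise(name: str) -> str:
    """Lower-case and drop a trailing root dot so comparisons are stable."""
    return name.rstrip(".").lower()


def _watched(hostname: str, watchlist: Sequence[str]) -> bool:
    """True for a watched domain or a subdomain of it (label-boundary match)."""
    host = _normalise(hostname)
    return any(host == d or host.endswith("." + d)
               for d in map(_normalise, watchlist))


def audit_hosts(text: str, watchlist: Sequence[str] = WATCHLIST) -> List[Finding]:
    """Return every hosts entry that overrides DNS for a watched domain."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # strip trailing comment
        if len(fields) < 2:
            continue  # blank, comment-only, or an address with no name
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address: not a usable mapping
        if addr.is_loopback or addr.is_unspecified:
            reason = "blocked (points at the local machine)"
        else:
            reason = "redirected"
        for name in fields[1:]:                 # one line may carry aliases
            if _watched(name, watchlist):
                findings.append(
                    Finding(line_no, str(addr), _normalise(name), reason))
    return findings


def dropped_file_present(system_dir: str, name: str = DROPPED_NAME) -> bool:
    """Case-insensitive check for the dropped file name in a directory."""
    try:
        entries = os.listdir(system_dir)
    except OSError:
        return False  # directory missing or unreadable
    return any(entry.lower() == name.lower() for entry in entries)


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"hosts line {f.line_no}: {f.hostname} -> {f.address} [{f.reason}]")
```

On a real machine the text would be read from the hosts file under the Windows system folder, with the watchlist replaced by the update and support domains of the anti-virus products actually in use.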

Friday, August 12, 2005

The exploits of August

Within hours of Microsoft's critical patch release Tuesday, security experts were banging the alarm bell with a hammer.
Marc Maiffret, chief hacking officer of Aliso Viejo, Calif.-based eEye Digital Security, sent this message to the patch management forum hosted by Roseville, Minn.-based Shavlik Technologies: "All in all… it's a nasty time in IT between the two very critical remote SYSTEM Microsoft flaws released… and the Cisco IOS shellcode exploits floating around. You better be paying attention to your security."
Then Glendale, Calif.-based Panda Software sent out this statement: "In recent years, the month of August has seen a series of alerts caused by the propagation of malicious code, which have in some cases caused serious damage to IT systems." Panda offered up these examples: the Sircam and CodeRed attacks of August 2001; the Mimail, Blaster and Sobig-F attacks of August 2003; and the Bagle-AH, Mydoom-N and Bagle-AM worms that came along during the "black period" of August 2004.
Are these warnings simply hype to sell the latest security products? Or are they a prudent response to cyberthreats that have clearly gotten grimmer this past year? Users asked for their opinions seemed to lean toward hype. But in the end, a little FUD may be necessary to save IT professionals from complacency.

Todd Towles, a network systems analyst at a medium-sized, Southeastern-based retail chain, said in an e-mail interview that it should surprise no one that some security vendors "may use the media frenzy to their business advantage."
But, he added, "In today's security world, every possible attack angle must be taken into account and researched. Security professionals have to be right 100% of the time while the attackers only have to be right once. Companies hope for the best-case scenario, yet must prepare for the worst. Each company must examine its current security posture and then set the alarm bell threshold accordingly."
Exploits circulating
One reason IT shops may want to set the threshold high this month is that exploit code is already circulating for flaws outlined in four of the six bulletins Microsoft released Tuesday.
"The vulnerabilities addressed in MS05-038, MS05-039, MS05-040 and MS05-043, all covered in this month's Fat Tuesday festivities… have fallen victim already to publicly released exploits," George Bakos, a handler for the Bethesda, Md.-based SANS Internet Storm Center (ISC), wrote in his shift diary Friday. "I haven't built or tested any of it, so I can't personally vouch for the effectiveness [of] any of it, but if it isn't working as intended you can bet it will be shortly. Patch up, folks."
Some of that exploit code was outlined Friday in several advisories from the French Security Incident Response team (FrSIRT).
As far as Maiffret is concerned, the two most critical patches to install are MS05-039, which fixes flaws in the Plug and Play program, and MS05-043, which fixes an unchecked buffer in the Printer Spooler service. Both programs are embedded in Windows and attackers could exploit the vulnerabilities to take complete control of affected systems.
"MS05-039 is a remote RPC vulnerability that can lead, in some configurations, to remote SYSTEM compromise or at least local SYSTEM privilege escalation," he said in the posting to Shavlik's patch management forum. "This is a very easy-to-exploit vulnerability. The time to reverse engineer this patch and find the vulnerability to exploit should only be a few hours (it took us an hour, as we didn't report the bug). There is a good chance you will see exploits for this within the next few days and if someone is bent out of shape this would be easy for them to base a worm on." The risks are similar with MS05-043, he said.
That assessment, made Tuesday, proved correct, and Microsoft has since issued an advisory acknowledging the exploit code for the Plug and Play flaw.
Nobody's panicking -- yet
Asked what he makes of all this, Eric Case, support systems analyst for the University of Arizona's Department of Chemical and Environmental Engineering, said in an e-mail exchange that he's "a little worried about the holes that now have exploits in the wild," but isn't about to panic. Of course, that may change when students return soon.
"As a university, we're a big target and the students come back next week and classes start on the 22nd," he said. "So I'm more worried about the infected/exploited laptop[s] that are about to descend on campus. I can patch all the faculty, staff, lab machines but I won't see the students' laptops until after they're on the wire."
John Gehrke, a systems administrator for the U.S. Geological Survey's Denver, Colo.-based Branch of Quality Systems, expressed confidence in an e-mail interview that the right tools are in place to protect his department.
"I myself do certain things like run IE through Freedom Websecure's proxy, so that tends to filter out some potential crud," he said. "And, of course, we have current antispyware, antivirus, port monitoring, system file integrity checks and so on, so normally I have some idea of what could slip in to a local network -- hopefully!"
Towles said he's keeping a wary watch on the Internet Explorer flaws that were patched Tuesday, but he isn't panicking, either. After all, he said, any experienced IT administrator knows what it takes to minimize the threat.
"The vulnerabilities were serious and the quick release of exploit code only drove home that point," he said. "However, by utilizing proxy servers and advanced Web content filtering software, the threat of those vulnerabilities can be reduced. This is a perfect example of the 'defense-in-depth' security approach."
Indeed, the Plug and Play vulnerability could potentially be crafted into a Sasser-type worm in the near future, he said. But if that happens, he added, "The global impact will most likely not reach Sasser's epidemic proportions. Patch administrators learned a hard but valuable lesson from the CodeRed and Sasser worms. Patch management is no longer viewed as a luxury. It is now viewed as a necessity."

By Bill Brenner, News Writer, 12 Aug 2005, SearchSecurity.com

Monday, August 01, 2005

Copyright Crackdown

The record industry has been targeting online music sharing for years, but now it has undertaken a new war--against "casual piracy."
Sony BMG and EMI have begun shipping compact discs using technology that limits the number of copies you can make of any disc to three. And you can't port songs from affected CDs to Apple IPod players unless you request a workaround from Sony.
The move, along with other recent developments in copyright protection such as the Supreme Court's ruling this summer in MGM v. Grokster, a copyright infringement case pitting Hollywood against the Grokster peer-to-peer network (see "Court Sets File-Sharing Limits"), could have a lasting impact on your entertainment choices. And you may not like the remix.
Sony BMG's copy-protected CDs incorporate First 4 Internet's XCP2 (extended copy protection) technology. The company is the first major label to offer XCP2-protected CDs to consumers, although Sony BMG already ships some CDs using MediaMax copy protection from SunnComm. The new effort uses different technology, but with the same end result for consumers: a limited ability to copy. By the end of this year, Sony BMG says, most of its CDs sold in the United States will incorporate one of these technologies.
EMI is employing a similar strategy with its CDs, using technology from Macrovision that lets you make just three copies; the first titles using the technology should be on sale in stores by the time you read this.
'Speed Bumps'
"Our goal is to create a series of speed bumps that make it clear to users that there are limits [to copying]," says Thomas Hesse, president of Sony BMG's Global Digital Business Group. "If you attempt to burn 20 copies and distribute them to all of your friends, that's not appropriate."
Sony BMG labels discs that use the technology as copy-protected. The company says that its customers find a limit of three copies to be fair.
Sony BMG CDs using the XCP2 technology launch their own software to track the number of copies you make.
When you insert the CD into your Windows-based computer, the disc launches its own audio player software, which warns you that you'll be allowed to make only three copies of the disc. You can make those copies from within the Sony BMG audio player, or you can use that software to rip the files to your music library. (For this purpose you must use a music player that supports secure Windows Media Audio files, like Musicmatch, RealPlayer, or Windows Media Player, but not Apple's ITunes.)
The copy protections are not iron-clad, however: You can make three copies of the CD on each PC on which you load it. You can also make three additional copies of the CD from the tracks that you have ripped to your Windows Media Player library. Once you have burned CDs using Windows Media Player, the tracks cease to be protected, and you can upload this audio CD into another media player, such as ITunes. And once the tracks are uploaded, you can burn them as often as you like.
One potential problem for consumers is that the protected CDs prevent PC users from moving songs to Apple IPods. That's because Apple refuses to license its FairPlay digital rights management technology so that other companies can accommodate it. If you inquire, though, Sony BMG will e-mail you a workaround.
This raises a key point about XCP2: It's not meant to be unbreakable, according to First 4 Internet's chief executive Mathew Gilliat-Smith. "We have achieved a good balance of protection and playability."
In fact, XCP2 is not as strict as XCP, the company's original product. Sony BMG and the other major labels have been using XCP since 2002 on prerelease CDs sent to radio stations and internal employees, Gilliat-Smith says. XCP not only prevents copying, but in some cases prevents discs from playing in certain devices, he says. Sony chose XCP2, not XCP, for consumer CDs because discs with that encryption play well in most devices.
XCP2 may affect more than just CDs: The company is currently working on versions for DVDs and online music files, Gilliat-Smith says. Sony BMG will ship the DVD technology to U.S. movie studios for use in prerelease copies of movies by late 2005, he hopes, and will introduce a version for commercial DVDs later. He declines to say which movie studios have expressed interest in using the technology.
What's Fair Use?
Not everybody thinks that record companies' focus on "casual piracy" is smart. Some copyright law reform advocates say that sharing copies of music with family members and friends and making "mix" compilations have long been social norms--it's the sharing with strangers that costs record companies significant revenue. If record companies insist otherwise, they'll make people ignore copyright rules wholesale, says Ernest Miller, a Yale Law School fellow who works on copyright reform issues.
The term "casual piracy" is "really a bit of propaganda," according to Miller. "It's an effort to use language to frame the legal arguments," he says.
The record companies want to chip away at the existing standard for fair use and move casual copying into the realm of copyright infringement, he says. Someday, the definition of "casual piracy" could be important in a lawsuit.
What's next? Like it or not, copy protection on CDs will only increase, in the opinion of IDC senior analyst Susan Kevorkian. She expects that more companies will follow Sony BMG's lead. "There's a very narrow line between casual copying and proliferation of content online," she says.
As for the war against casual piracy, you should understand that Sony BMG is not looking to prosecute you for making more than three copies, Miller says. The company is really attempting to shape future legal battles.
"They're looking for ways to extend their control over music and charge for the various ways we use music," he says. Whether companies can do so and avoid a consumer backlash remains to be seen.
Court Sets File-Sharing Limits
The long-brewing court case of MGM v. Grokster finally came to a head in late June, when the U.S. Supreme Court ruled in favor of the recording industry. Movie and recording companies had sued Grokster and StreamCast Networks (owners of the Morpheus peer-to-peer service) for encouraging users of their peer-to-peer services to download and trade copyrighted songs without paying for them. Grokster argued that it wasn't liable for the actions of consumers using the service, but the Supreme Court disagreed.
Why should you care about this decision? For starters, the Grokster ruling will change the way courts interpret the precedent set by the famous Sony v. Universal (or Betamax) case of the mid-1980s. Movie companies had sued Sony, claiming that the VCR could help consumers break copyright laws; but the Supreme Court ruled in Sony's favor, declaring that if a product had significant legal uses, the creator was not responsible if some people used it illegally.
The Grokster ruling could affect the way companies design their products in the future, discouraging innovation.
It will probably be some time before the ruling's exact impact becomes clear. U.S. appellate courts must apply this Supreme Court opinion to cases before them. (For more on the ruling, see "Technology on Trial: What's at Stake").
What the Grokster decision won't do is shut down online piracy, says Forrester Research vice president Josh Bernoff. And record companies are still free to sue individuals for piracy.
Copy Controls May Be Stalling Mobile Music
Users of Rhapsody 3, RealNetworks' newest version of its music service, weren't singing a sweet tune when the upgrade was released in May. When the software debuted, many users--including some PC World editors--had trouble transferring songs to music players. Yahoo's new Music Unlimited service (still in beta) has been serving up some similar glitches. Is the culprit Microsoft Windows Digital Rights Management 10 technology, which both Real and Yahoo are using?
Though some of the problems have now been fixed, Rhapsody's troubled debut illustrates how copy-control technology can alienate music customers. Real, in an effort to make its music portable, offered users the ability to copy songs to a music player for an additional $5 a month. To do so, Real relied on Microsoft's DRM, which is designed to allow users to play back music from a subscription service such as Rhapsody or Yahoo Music Unlimited on a portable player. The software makes the song unavailable as soon as your subscription ends.
Finding a Fix
With so many companies involved--Microsoft, Real, Yahoo, and the various device makers--it's hard to determine exactly what's causing the problem. "There are too many moving parts," says Mike McGuire, research director for GartnerG2.
Real and Yahoo both say that they are working on the problems and that reliability has improved since we first reviewed the services. Yahoo released an upgrade in late June that corrects some bugs, notes Ian Rogers, a developer for Yahoo Music Unlimited, but he admits that it doesn't solve every problem. "The top customer service issues are related to DRM," Rogers says. "The biggest issue is, customers get into a state where the Microsoft DRM doesn't work anymore and they can't play protected tracks," he says.
Microsoft has developed a workaround, which Yahoo passes on to customers, Rogers says. The hitch has affected only about 1 percent of the service's users, he points out, but "for them, it's a show-stopper."
Real has released several updates for Rhapsody 3, including one in mid-June that addresses the top complaints, according to spokesperson Matt Graves. As for Microsoft DRM 10 failing occasionally, "it's something we've heard," Graves acknowledges. But he says that he doesn't know it to be a "significant" problem for Rhapsody users.
Working Together
Microsoft says that it is collaborating with music player makers to improve the devices' firmware and eliminate troubles. "Microsoft continues to work with our device partners to offer 'out of the box' support for the growing number of subscription music services, and we're making great progress," says Kevin Unangst, director of marketing for the Windows Digital Media Division. "We're working closely with our partners to ensure the best possible consumer experience," he says.
Even if you buy a player now, you may need a firmware upgrade from the vendor, says GartnerG2's McGuire. These companies have not done as well for consumers as Apple has with ITunes and the IPod, he says. "You have to make this appear seamless and easy the way Apple does," he says.

Monday, July 25, 2005

Japan Plans World's Fastest Computer

TOKYO - Japan has plans to start building a supercomputer next year that can operate 73 times faster than the world's fastest supercomputer, the government said Monday.
The American Blue Gene/L system supercomputer developed by International Business Machines Corp. at Lawrence Livermore National Laboratory in Livermore, California, currently holds the title of the world's fastest. That machine is capable of 136.8 teraflops, or 136.8 trillion calculations per second, according to Japan's Ministry of Education, Culture, Sports, Science and Technology.
Japan wants to develop a supercomputer that can operate at 10 petaflops, or 10 quadrillion calculations per second, which is 73 times faster than the Blue Gene, an official of the ministry said on condition of anonymity.
Kyodo News reported that the total amount for the project is estimated between 80 billion and 100 billion yen ($714 million to $893 million) and the ministry will request 10 billion yen ($89 million) for the next fiscal year's budget.
The ministry official could not confirm the figures, saying it has yet to reach a formal decision on the project, which is expected by the end of August.
But he said that if the budget for next year is approved, the ministry hopes to complete the next-generation supercomputer sometime in fiscal 2010, which ends in March 2011.
Japan's Earth Simulator supercomputer, introduced in 2002, had been the world's fastest until 2004, when IBM's Blue Gene took the title, he said.
Currently, the Earth Simulator, at a speed of 35.9 teraflops, is ranked fourth after IBM's two Blue Gene systems and NASA's Columbia system, all in the United States, according to the top 500 list of the world's fastest supercomputers, released at the International Supercomputing Conference held in June in Heidelberg, Germany.
The Earth Simulator is used to track global sea temperatures, rainfall and crustal movement to predict natural disasters over the next few centuries.
The ministry wants to use the planned supercomputer for wider purposes, such as simulating the formation of galaxies and the interactions between a medicine and the human body.

By CHISAKI WATANABE, Associated Press Writer, Mon Jul 25, 10:47 AM ET

Airborne Viruses: Real Threat or Just Hype?

When it comes to viruses, worms and other forms of malware infecting smartphones and PDAs, security vendors have been warning of the possible dangers for months. Until recently, however, their cries of alarm drew yawns from most industry analysts and security experts.
A case in point is a Gartner report, released this summer, that concluded mobile-phone users will not see much virus activity in their mobile devices for at least two years. The report said that, for one, not many U.S. consumers have smartphones with which they exchange executable files. Second, the U.S. mobile-phone market lacks a dominant operating system for virus writers to target.
IDC research analyst David Linsalata presented a similar viewpoint about the impact of a new malware threat that targets smartphones running the Symbian Series 60 operating system. "Viruses and malware are certainly a threat that should be watched, but they are not necessarily an immediate threat," he said.
"These types of viruses only tend to affect smartphones that have the advanced capabilities that can run them," he explained. "With Doomboot.A, once the smartphone is infected, it sends out SMS messages, which drains the battery, and you end up losing your data."
However, the occurrence of Doomboot.A might signal that it is time to review the dangers and determine just what enterprises need to know to protect wireless devices in the hands of mobile workers.
Measuring the Threat
"The threat, meaning the essential impact of losing data to a virus, is pretty serious, and I base that on the extent of mobile connectivity and the damage that could be done," said McAfee Mobile Solutions senior product manager Drew Carter.
The Doomboot.A virus, for example, features an embedded worm called CommWarrior.B that perpetuates itself by sending out a flurry of unauthorized messages using the Symbian smartphone's Bluetooth radio.
The malware program relies on smartphone users downloading infected files onto their handsets, either from the Internet or by way of wireless Bluetooth or infrared connections.
Smartphones represent only a fraction of the total mobile-phone universe, and the Symbian OS is just one system among many offerings for smartphones. However, one disturbing implication of this particular threat is its proof-of-concept demonstration of how to hit user finances by surreptitiously sending out thousands of costly text messages.
Potential Impact
Perhaps the most immediate threat from a smartphone virus is the potential access to contact lists in infected phones. Even worse than inconvenience, such an attack could be costly.
"The biggest threat that I see right now is that Research In Motion's Blackberries and palmOne's PDAs are connected to names and addresses," said IBM Global Solutions Manager for Managed Security Services Doug Conorich.
"If somebody devised a virus sent out with a 'payload pull' and an 'address book out' it could send out messages to all those listed in the [handset's] address book," noted Conorich. "At 10 cents a message or more on some of the [wireless] plans, you can see that that cost to smartphone end-users could add up rather quickly."
And, as mobile malware evolves, the threat to enterprises could become even greater. "If you work for a multimillion dollar enterprise and a virus zips off all your files and sends them to someone else, then that could be a big problem," Linsalata said.
"One of the things that the OS people will have to change is the way that their phones accept applications...so that an SMS message will not be able to download an application and install it on the smartphone, which is the way that the Symbian one works," Conorich said.
Determining Responsibility
The question of who bears the burden of blame and liability is one of the first issues that mobile service providers will have to tackle when mobile viruses become widespread.
"The software vendors that produce mobile phone operating systems definitely have the responsibility of issuing patches to their products," said McAfee Mobile Solutions senior vice president Victor Kouznetsov. "But this is a totally separate issue from determining who is responsible for protecting smartphone users from a financial standpoint."
In today's wireless world, most operators focus their sales efforts on individual consumers despite the increasing popularity of taking enterprise data mobile, noted Kouznetsov. So the temptation is to blame the individual end-user.
Kouznetsov admitted, however, that antivirus tools are not yet widely available for mobile users. Thus, dealing with malware is currently outside the scope of individual subscribers.
"At this point it is the wireless operator's financial responsibility to address the issue," advised Kouznetsov. "Otherwise, consumers might feel threatened into not buying a Nokia phone running the Symbian OS."
Pressuring Wireless Carriers
In the U.S., cell-phone manufacturers are not directly accessible to the consumer, whether the user is an individual or a company buying many phones. The wireless provider selects the phones available and handles the configuration options. So the phone users have to rely on the service provider on matters involving virus protection.
"Enterprises, therefore, would be well advised to contact the operator they are using and standardizing on, and then demand that the operator include the technology and provide it on their handsets, or ask whether the operator will be including it in the future," Kouznetsov said.
Wireless carriers already are starting to feel the responsibility for embedding protection into their networks. In fact, McAfee already provides Japanese carrier NTT DoCoMo with malware-protection software that has been embedded in seventeen different phone models, Kouznetsov said.
"For the carrier it could be a powerful differentiating factor to say, 'We will protect you and make sure you are secure,'" Linsalata suggested. "But I can't see a carrier simply saying, 'You will always have antivirus protection and we will provide it for you.'" Linsalata sees malware protection emerging as a series of partnerships between wireless providers and security vendors.
Requirements for I.T. Managers
Another challenge that enterprises face is establishing the right standards and policies for the mobile workforce. "Mobile devices are often purchased by individuals who also want to access enterprise resources," Carter said.
"But does this really make sense? Today the technology is somewhat immature, but as it reaches a higher level of penetration, companies will need to adopt a more sophisticated approach," he suggested. "The other option is for enterprises to provide the mobile devices and set the standards, so if mobile workers want to connect to the network, then they need to buy these devices."
Despite all the malware hoopla, many viruses can be defeated using common sense. Mobile-device users will have to start following the same safe-use practices that they should be using on their computers, security experts emphasized.
"If you get a file from a friend, make sure he really wants you to install that new game or whatever," Linsalata said, adding that smartphone users should look for the industry certification standard for smartphones running the Symbian OS before installing anything. "If you get a message that the program is not Symbian Signed, first ask yourself whether you are really sure you want to install it," Linsalata said.
Bigger Enterprise Concerns
Going forward, one key for enterprises is to stay aware of this problem. According to Linsalata, mobile malware will only grow into a more significant threat as time goes on. But at the moment, the bigger concerns enterprises face are much simpler, he said.
Enterprises should remain centered on physical device security. They should concentrate on being able to wipe devices remotely and make sure that policies for passwords and data encryption are in place.
"Make sure the devices are physically secure with the data they contain backed up and encrypted," Linsalata said.
These more pressing needs should take priority because anyone can lose a device, but not everyone's device can get infected by a virus, at least right now, Linsalata said. "Focus on the more pressing security concerns about theft or physical loss in some other capacity," he added.

Written by: Mark Long, wireless.newsfactor.com