Tech News Update

2006-05-03T14:55:00.000-04:00

Firefox gets a fresh security update

Mozilla has issued a security update for its Firefox open-source browser, just weeks after it released a large fix to address several browser security flaws.

The Firefox 1.5.0.3 update is designed to address vulnerabilities in versions 1.5 through 1.5.0.2.
Malicious attackers could exploit the flaws to cause a denial-of-service attack, which in turn may allow them to take remote control of a user's system, according to an alert from security research company Secunia, which rates the flaw as "highly critical."

The flaws may be exploited when people attempt to engage a deleted component with designMode turned on. While this typically will crash the browser, it could also result in an attacker running malicious code, according to a Mozilla security advisory. Mozilla oversees the development of the Firefox browser.

The organization said it released the 1.5.0.3 version early to tackle the security issue. As a result, plans for a larger update will be bumped to version 1.8.0.4.

The latest security release follows one issued in mid-April. The 1.5.0.2 version was designed to address seven vulnerabilities, five of which were "critical" and could allow a malicious attacker to run code with virtually no user interaction.

2006-03-23T13:30:00.000-05:00

Clouds over Redmond

The latest delay for Windows Vista highlights a mounting challenge for Microsoft--finding a way to update its most important product on any kind of reasonable schedule.

With all the setbacks, it will be more than five years between Windows XP and Windows Vista. And for even that delivery schedule, Microsoft had to scale back many of the major advances that were planned for the new operating system.

Although Windows has largely maintained its dominant share of the operating system market, the software maker's inability to regularly update the product poses a growing risk to its cash cow.

"Microsoft is going to be feeling more pressure, especially as applications get to be more OS-agnostic," or not tied to a particular operating system, Gartner analyst Michael Silver said.
Microsoft has long spoken out about its need to be constantly innovating, with executives pointing to the fate that bedeviled IBM in the 1970s and 1980s, when it became seen as a lumbering giant in a field of nimbler and more agile competitors.

"I've been around IBM, and I saw how IBM overdid it," Steve Ballmer said in a 2003 interview with The Seattle Times. In that interview, the Microsoft CEO described the opportunities that IBM's slowed pace created for Microsoft when the PC came around, and talked about Microsoft's need to avoid that fate. "Maybe we will, maybe we won't--but we have strategy control, we have technology control, we've got financial control," he said.

Of course, recognizing the dangers and being able to escape the same fate are two different things.

One of the key problems is that the two halves of creating a new OS--programming and testing--are both getting longer to accomplish. On the development side, Microsoft has spent years re-architecting its software development practices in order to boost security, and such rigor also takes time. On top of that, the time spent testing new code has increased, although automated tools have helped some. Chairman Bill Gates noted on Tuesday that as many as half of the worker-hours put into Vista have gone into testing.

Microsoft also faces the challenge of trying to support all of the hundreds of millions of Windows machines out there. The company frequently takes pride in showing off how its latest and greatest operating system can run even the oldest applications.

"We are very backwards-compatible people," Gates said at an Office developer conference this week.

Apple Computer, which has taken a very different approach, has not been afraid to cut support for older Mac machines and software in its efforts to modernize its operating system. The results are a narrower security footprint and a much smaller number of types of systems against which to test.

Michael Cherry, a Directions on Microsoft analyst, said that although Microsoft is in a somewhat different situation, it can take lessons from Apple. The Mac seller took a one-time hit when it made major architectural changes with OS X and since then has focused on more modest, but noticeable, feature enhancements.

"There haven't been huge, massive changes," Cherry said. "But people have looked at them and said, 'Nice job. Let's buy it.'"

Cherry said that Microsoft shouldn't need to make significant changes to most of the underlying architecture of Windows at this point--only occasional upgrades should be needed, to add things such as new networking protocols. "Everything else should be about putting fancy sinks on top of the plumbing," Cherry said.

With Vista, Microsoft originally hoped to make major changes to the underlying code, adding in a new file storage mechanism called WinFS, along with all-new graphics and communications methods. It eventually had to pull out WinFS entirely and scale back several other architectural changes in order to make the project more manageable.

In the future, Microsoft may well look to focus more energy in interim releases on updating some of the companion programs that are part of Windows, as opposed to the core operating system code. Gates talked on Monday of the need, for example, to update Internet Explorer more often.

But Cherry said it's more than just a different approach that is needed.

2006-03-15T09:39:00.000-05:00

Got Wireless Security?

GetNetWise and Symantec team up to offer a wireless security primer.

You've got a wireless network. You can use your computer anywhere in your house. But your neighbors may be benefiting too. If your network is not secured, they can "borrow" Internet access from you--no need to pay for their own. No harm, no foul, right?

Not exactly, say Symantec and the Internet Education Foundation, a nonprofit organization.

Symantec and the IEF have joined forces to help educate people about the risks of leaving their wireless devices unsecured. Hackers searching for financial information, business records, or sensitive e-mail can enter into your open network as easily as if you left your personal and business files at the curbside, they say. They have created a new public awareness campaign to educate people about these dangers, and to provide tips on how you can protect your personal files from hackers.

The Wireless Security Initiative is aimed at the 56 million Americans who use wireless technology. The WSI site offers tips for encrypting networks and provides step-by-step flash video tutorials, says Tim Lordan, executive director of the Internet Education Foundation.

"Wireless technology is becoming a fabric of our daily lives," Lordan says. "We want to be on the forefront of making sure that everyone's wireless devices, whether it be a smart phone, PDA or laptop, are protected and secure."

Widespread Problem

Symantec Vice President Sarah Hicks says the company recently found that nearly 50 percent of wireless users in Houston, Los Angeles, New York, and Chicago "leave their doors wide open." Researchers drove through neighborhoods with a wireless-enabled laptop and discovered thousands of unsecured networks.

Hicks said the problem is not confined to notebooks: 60 percent of consumers keep confidential business or client data on handheld devices.

Representative Mike Honda (D-Calif.) lauds the new initiative and says it will bring an increased sense of security to consumers.

"We need to ensure that consumers feel comfortable with the security of their wireless connections before we can expect to see the sort of saturation of wireless technologies and mobile productivity that is commonplace in Asia. Our counterparts overseas are surging ahead," Honda says.

2006-03-02T13:26:00.000-05:00

Teenager Claims to Find Flaw in Gmail

Blogger says he has discovered a flaw in Google's e-mail service that allows JavaScript to run.

A teenage blogger claims to have discovered a flaw in Google's Gmail service that allows JavaScript to run, potentially allowing a malicious hacker to gather e-mail addresses or compromise an account.
The supposed flaw may already have been fixed, however.
The teenager identifies himself in his blog as a 14-year-old named Anthony. His entry about Gmail is available online.

Getting the Message

He wrote that he was trying to e-mail JavaScript code from a Yahoo account to a Gmail account. The code will run in a preview pane, he wrote.

But if the code is mailed from one Gmail account to another, it is filtered out, he said.

Some visitors to the blog reported being able to replicate the findings, but others said later that they were not able to and that the supposed flaw had been fixed.

Google representatives in London could not immediately comment, saying the report would be forwarded to their technical staff.

2006-03-01T16:58:00.000-05:00

Republicans tout high-tech agenda

WASHINGTON--Republican leaders from the U.S. House of Representatives on Wednesday promoted a series of policy proposals they hope will keep the nation's already-flourishing tech industry dominant in the future.

"Competitiveness" was the buzzword at a press conference in the basement of the U.S. Capitol, where House Speaker Dennis Hastert and 10 House leaders from the Republican High-Tech Working Group talked up a wide-ranging agenda tied closely to goals outlined by President Bush in his State of the Union speech last month.

"In short, America needs an education system that produces the finest students in the world, who enter an economy that is not hampered by regulatory red tape, frivolous lawsuits and an anticompetitive tax structure," Hastert said.

Rep. Bob Goodlatte of Virginia and Rep. Lamar Smith of Texas said they planned to introduce later on Wednesday a broad legislative package called the Innovation and Competitiveness Act, which includes several components that enjoy support from tech players.

A copy of that bill was not readily available. A summary sheet suggested the measure would aim at promoting research and development, increasing investment in math and science education, and eliminating "cumbersome regulations" and "stifling taxation" for technology companies. It would also include a section aimed at cutting back on so-called frivolous lawsuits of all sorts and proposals designed to create incentives for digitizing the health care system.

Leaders at the press conference repeatedly thanked the technology industry for its massive contributions to the economy--45 percent of the nation's gross domestic product, by one congressman's estimate--and painted the new legislative steps as a top priority.

The Republicans' take on policy overlaps in some ways with the "innovation agenda" announced by House Democrats, but, as usual, an ideological split remains. House Democratic Leader Nancy Pelosi said Wednesday that her party was committed to working with Republicans but belittled their proposal, saying Democrats "are committed to doing much more."

"It proposes nothing to bridge the digital divide through access to broadband," Pelosi said in a statement distributed to reporters at the Republicans' press conference. "It fails to propose any new ideas to achieve American energy independence." The Democrats' agenda, among other things, calls for incentives intended to bring broadband to all Americans and for increased investment in alternative energy sources.

At the time the Democrats' agenda was released, Hastert issued a statement accusing Democrats of voting against legislation considered important to tech interests.

Tech industry representatives have commended the efforts from both sides and indicated they don't care which party takes the lead, as long as someone is listening and poised to set industry priorities into law.

"Our message to the president and Congress is simple--let's work together to get a program done this year," said Ralph Hellman, president of the Information Technology Industry Council, whose members include Apple, Cisco, Dell, eBay, IBM, Intel and Microsoft.

2006-02-23T10:52:00.000-05:00

Bye-bye, BlackBerry?

A federal court hearing scheduled for Friday that could lead to the shutdown of BlackBerry devices throughout the United States is forcing longtime BlackBerry users to think about life without their mobile gadgets.

On Capitol Hill, where "CrackBerry" addiction is rampant, some thumb-typists are even expressing their anxiety in poetry. "'Freedom!' will the joyful say, Released from slavery today! Yet others'll suffer horrid angst if their little screens go blank," Larry Neal, deputy staff director for communications at the U.S. House of Representatives' Energy and Commerce Committee, wrote in an 18-line poem.

Tongue-in-cheek poetry aside, to millions of BlackBerry users, there's nothing funny about Friday's court hearing, which could draw to an end one aspect of the long-running patent spat between Ontario-based Research In Motion and Virginia-based patent-holding firm NTP.
At the hearing in U.S. District Judge James Spencer's Richmond, Va., courtroom, lawyers for NTP, RIM and the federal government will argue over whether to issue an injunction on the sale and support of the wireless devices on American turf, as well as the amount of damages due to NTP from RIM.

Spencer's ruling could come as early as Friday afternoon, but it's more likely to be handed down early next week. NTP has already said it will wait 30 days before shutting down the service, though it's not clear if that grace period starts on Friday or the day the decision is made public.

NTP in 2002 won a jury verdict that found that BlackBerry devices and software infringed on patents held by the late Thomas Campana, co-founder of the holding company. An injunction later arrived with that victory, but it was stayed and the damages were put in escrow pending the appeals process, which ended at the Supreme Court's door earlier this year. Given that the fundamental question of infringement has withstood the appeals process, NTP will ask for another injunction during Friday's hearing.

"I'm shocked that RIM hasn't settled," said Gary Abelev, a patent attorney with the New York law firm Dorsey & Whitney. The company had the opportunity to settle the case for $450 million last year, but that deal fell through. An injunction would prevent the sale of RIM's primary source of revenue in its largest market, effectively crippling the company.

RIM's answer to a possible injunction is a so-called workaround. The company earlier this month revealed sketchy details of the software-based workaround it says will be made available for download if an injunction occurs.

NTP is likely to argue that the workaround violates the same claims in the patents, and numerous hearings will probably follow, Abelev said. If the workaround is declared invalid, RIM is back to square one with nothing to show for millions in legal fees, he said.RIM's other hope is that the U.S. Patent and Trademark Office strikes down all of NTP's patents. The BlackBerry received a boost Wednesday when the USPTO issued a final rejection of one of the five patents in question, but NTP can appeal that decision through several more avenues, extending the case even further.

Watching and waitingOn Capitol Hill, all 100 senators, 435 House members and myriad staffers tote BlackBerrys. "It might be a nice change," said one Senate aide, who asked to remain anonymous. "Instead of looking at my BlackBerry the first thing in the morning, I might actually be able to take a shower without work on my mind."

Lawyers at the Los Angeles law firm Allen & Matkins are less amused at the prospect of losing their BlackBerrys. The firm's chief technology officer, Frank Gillman, is counting on RIM's workaround to keep his legal team in contact with clients, he said in an e-mail interview.

2006-02-21T14:24:00.000-05:00

Google admits Desktop security risk

Businesses have been warned by research company Gartner that the latest Google Desktop Beta has an "unacceptable security risk," and Google agrees.

On Feb. 9, Google unveiled Google Desktop 3, a free, downloadable program that includes an option to let users search across multiple computers for files. To do that, the application automatically stores copies of files, for up to a month, on Google servers. From there, copies are transferred to the user's other computers for archiving. The data is encrypted in transmission and while stored on Google servers.
The risk to enterprises, according to Gartner, lies in how this shared information is pooled by Google. The data is transferred to a remote server, where it is stored and can then be shared between users for up to 30 days.

Gartner said in a report on Thursday that the "mere transport (of data) outside the enterprise will represent an unacceptable security risk to many enterprises," as intellectual property could be transported out of the business.

Google said that it recognized the risk, and recommended that companies take action. "We recognize that this is a big issue for enterprise. Yes, it's a risk, and we understand that businesses may be concerned," said Andy Ku, European marketing manager for Google.
Google confirmed that data was temporarily transported outside of businesses when the Search Across Computers feature was used, and that this represented "as much of a security risk as e-mail does."

"Theoretically any intellectual property can be transferred outside of a company," Ku said. "We understand that there are a lot of security concerns about the Search Across Computers feature, but Google won't hold information unless the user or enterprise opts in (to the feature)."

Google said that security was the concern of individual businesses. "The burden falls on enterprises to look after security issues," Ku said. "Companies can disable the Search Across Computers facility."

Gartner said that sensitive documents may be inadvertently shared by workers, who may not have specialist knowledge of regulatory or security restrictions.

Google said it was unable to comment on the risks posed when individuals share sensitive information. "Some users may, and some users may not be able to," said Ku, adding that companies should follow their own policies.

"At the end of the day, each company should make its own decision. If they are uncomfortable, they shouldn't enable the feature," Ku said. "It's about what a company deems to be best corporate policy."

Gartner has recommended that businesses use Google Desktop for Enterprise, as this allows systems administrators to centrally turn off the Search Across Computers feature, which it said should be "immediately disabled."

Companies "must also evaluate what they are allowing to be indexed, and whether they are comfortable that they can adequately bar the sharing of data with Google's servers," said Gartner.

Google agreed that Google Desktop Enterprise would better mitigate security risks. "If you're given a choice, choose Enterprise," said Ku.

2006-02-17T09:08:00.000-05:00

Attack code out for latest Microsoft flaw

Two examples of computer code that exploit a flaw in Windows Media Player have become available only days after Microsoft released a patch to fix the bug.

The "proof-of-concept" exploits that take advantage of a flaw in the media player were posted on the Web over the past couple of days. The flaw, rated "critical" by Microsoft, could enable an attacker to seize control of a vulnerable computer system.

The appearance of proof-of concept code is usually a sign that actual attacks are not far off. Microsoft, when it released its patch Tuesday, urged users to upgrade their systems as soon as possible.

Microsoft recently issued patch MS06-005 as part of its monthly security update. The vulnerability in Windows Media Player can compromise a system through malicious images embedded in the player.

Versions of Windows Media Player affected by the bug include 7.1 through 10. The vulnerability was also tagged as "critical" by the French Security Incident Response Team, or FrSIRT, a research outfit that published one of the two exploits.

Microsoft announced the release of seven fixes on Tuesday, including a "critical" patch for a Windows Meta File vulnerability in Internet Explorer. It exists only in IE 5.01 with Service Pack 4 on Windows 2000 and IE 5.5 with Service Pack 2 on Windows ME, Microsoft said in the security advisory.

2006-02-10T15:34:00.000-05:00

Critical patch coming for Windows Media Player

Microsoft said it will send out seven security bulletins on Tuesday as part of its regular monthly patching cycle.

Four of the alerts are for problems with the Windows operating system, and another covers both Windows and Microsoft Office. The last two relate to Office and Windows Media Player respectively.

At least two of the alerts received Microsoft's highest risk rating of "critical," according to an advanced notification posted Thursday on Microsoft's Web site. The notice is designed to give companies a chance to prepare for coming updates.

One critical correction is for the Media Player, and another is among the four patches for Windows, the company said.

Microsoft rates as "critical" any security threat that could allow a malicious Internet worm to spread without any action required on the part of the user.

The company also said it plans to upgrade the company's Malicious Software Removal Tool, designed to stop a host of malicious code, including viruses and worms.

Last month, Microsoft patched two holes that could have allowed an attacker to gain complete control over vulnerable PCs or servers running the Microsoft software.

2006-02-01T14:51:00.000-05:00

Microsoft Warns of File-Trashing Worm

Security advisory issued, but experts think danger not as great as originally reported.

Microsoft has published a security advisory warning Windows users of a file-trashing worm that has been circulating via e-mail for several weeks. The worm, which is programmed to destroy a wide variety of files on the third day of every month, has been circulating since mid-January, and is estimated to have infected between 250,000 and 300,000 systems worldwide.

Security researchers have given the worm a variety of names. Microsoft calls it Win32/Mywife.E@mm, but it is also known as Nyxem, Blackdoom, W32.Blackmal.E@mm, Tearec, and Kama Sutra. And while there have been reports that the malicious software has infected millions of computers, Microsoft believes that the attack is "much more limited and is not in the range of millions at this time," according to the Microsoft security advisory, released Monday.

In fact, several security researchers believe that the Nyxem threat has been overstated. "There's been way more attention given it in the media than it deserves," said Russ Cooper, a senior information security analyst at Cybertrust in Herndon, Virginia. The dramatic nature of this worm's behavior, with its file-destroying instructions, and inflated reports of infections have helped fuel media interest, he said.

Watch Out for Feb. 3 If Infected

Between 250,000 and 300,000 PCs have been infected, estimates Johannes Ullrich, chief research officer for the SANS Institute. However, that number represents a very small number of total Internet users, Cooper said. "How many people do you think had their hard disks fail yesterday?" he asked. "Probably a number as significant as one eighth of 1 percent.... It had nothing to do with a worm or a virus. I'm not saying [300,000] is not large number, but it's not like it is everybody in the city of Columbus, Ohio."

For those who are infected, however, Friday, February 3, will be a long day. On that day the worm will overwrite a wide range of files, including Word documents, Excel spreadsheets, PowerPoint presentations, and .pdf files, replacing their contents with the phrase: "DATA Error [47 0F 94 93 F4 K5]," Microsoft said.

Microsoft's advisory tells customers to use up-to-date antivirus software, most of which can detect the Nyxem infection, and to use caution before opening unknown e-mail attachments.

How It Works

For a PC to become infected by Nyxem , a user must first click on a PIF (Program Information File) file attached to an e-mail, which is typically blocked by corporate antivirus software, according to Cooper. "If you're letting it through and you're a company, then you probably don't have antivirus. So you've already got a problem." PIFs are data files used to help programs written for Microsoft's pre-Windows DOS run in a Windows environment.

Nyxem does not rely on a Windows vulnerability, but instead uses "social engineering" techniques to spread, tricking users to click on files that promise racy content like "Miss Lebanon 2006" or "School girl fantasies gone bad," according to security researchers.
Ullrich agreed that the majority of users do not need to worry about Nyxem.

"The story here is if you are hit, you do have other vulnerabilities than this problem," he said.

2006-01-30T11:48:00.000-05:00

Is Windows Vista too protective

One of the most intriguing new features in Windows Vista is a major change in the way user accounts work. Windows XP allows accounts to reside in either the Administrators group (where they have full control over the system, including the ability to install a piece of spyware or a virus) or in the Users group, where their capabilities are so limited as to be practically unusable.

Windows Vista adds a feature called User Account Control (UAC), which until recently was called User Access Protection (UAP) and grows out of research into least-privileged user accounts (LUA), a drum that Microsoft Senior Consultant Aaron Margosis has been banging for some time on his Non-Admin blog.

The theory behind UAC is sound: When you’re about to do something that requires an administrator’s privileges, you need an administrator’s consent. For a regular user, that means typing in a set of credentials (username/password) that belong to a member of the Administrators group; if you’re already an administrator, you just have to click a Permit button. This option allows you to see when a program or process is trying to do something that can have an impact on your system’s stability, and it’s an effective way to block untrained or naive users from accidentally screwing up their system.

(The UAC team has a new blog where they’re sharing some of the technical details behind this feature.)

UAC in the current build of Windows Vista is working, but not well. Some programs fail when they can’t get full system access or when they try to save a file to an area where the current user doesn’t have write privileges. The barrage of dialog boxes is annoying, especially during the initial phases of setting up a system. And those permission boxes can be confusing - at this early stage of the beta, some key Windows Vista components are still unsigned, leading to dialog boxes like this one, which appears when you try to run a Control Panel applet:

The annoyance factor is even higher when you factor in the steady stream of warnings from Windows Defender and Internet Explorer.
It’s possible to disable UAC so that you can run with administrator privileges full-time. But as Josh at Windows Connected argues, doing so means you’re not giving this feature the testing it needs. From a personal point of view, I have no choice but to grit my teeth and figure out how to work with UAC, because I have to document the inner workings of this feature for Windows Vista Inside Out.

I’m hoping that this feature will work much more smoothly in future beta versions. If it doesn’t, the UAC team had better be prepared for some caustic reviews.

2006-01-27T16:42:00.000-05:00

Could your laptop be worth millions?

The average laptop could contain data worth almost $1 million, according to new research.

A report released Friday by security-software company Symantec suggests that an ordinary notebook holds content valued at 550,000 pounds ($972,000), and that some could store as much as 5 million pounds--or $8.8 million--in commercially sensitive data and intellectual property.

The same research, commissioned by Symantec, shows that only 42 percent of companies automatically back up employees' e-mails, where much of this critical data is stored, and 45 percent leave it to the individual to do so.

"It's alarming that executives have mobile devices containing data of such financial value and that very little is being done to protect the information on them," said Lindsey Armstrong, a vice president for Europe, the Middle East and Africa at Symantec.

The threat of stolen laptops is a real concern. About 50 percent of respondents to an FBI computer crime survey said their organization had suffered theft of a notebook or other mobile gear in 2005.

On Wednesday, investment consultancy Ameriprise Financial, an offshoot of American Express, said the theft of a company laptop had exposed sensitive data of about 230,000 customers and advisers.

The message to businesses is clear, Symantec said: Ensure all data is backed up regularly and that laptops out on the road are thoroughly secure and don't unnecessarily contain sensitive data.

"It is critical that businesses start looking beyond just the price of the hardware and recognize that they also need to invest in protecting the data stored on these machines," Armstrong said.

Past research in the U.K. suggests that as many as 10,000 laptops are left in the backs of British taxis each year and civil servants are among the worst offenders.

Hanging Up on Tech Support

2006-01-25T09:37:00.000-05:00

Fed up with phone help? Online tools for solving PC problems are getting better.

Sooner or later, it happens to all of us. Sometimes there are disturbing warnings: You may start to hear weird clicking sounds, or see cryptic messages that appear, chillingly, out of the blue. Other times your gear simply dies before you suspect that anything is amiss.

Either way, you need tech support, and you need it now.
But if you've ever whiled away half a day on hold listening to pop hits of the 1970s, or had difficulty understanding the patois of a customer service representative from an overseas call center, you know that telephone tech support is broken. And even if you're willing to give it a shot, in some instances support isn't available when you thought it would be. Dell's cheaper PCs, for example, offer only 90 days of warranty support.

But where can you find assistance when you're staring into the depths of PC purgatory and your presentation is due in 6 hours? Well, as long as your problem doesn't prevent you from going online (perhaps using a second computer), the solution might be just a few browser links away. The trick is to know where--and how--to find it.

Room for Improvement

If there's a tarnished silver lining to the sorry state of phone support these days, it's that Web-based support seems to be improving--albeit slowly. People who responded to our annual Reliability and Service survey reported that, in general, the support information they found on companies' sites was more relevant and more likely to address their problems than it had been in past years.

Granted, that's faint praise. The online support experiences of most users I've heard from run the gamut from abysmal to merely adequate. But the trend of companies improving and expanding their online support options can only be positive news for consumers.
Most hardware and software vendors already provide at least basic Web services such as information centers (Microsoft's exhaustive Knowledge Base is one example) and e-mail support; many companies also supply assistance via live chat. Some of the bigger players, including Dell, Intuit, and Microsoft, have implemented more-sophisticated support resources for some products. Among these offerings are expert-moderated user forums and newsgroups, links to product-specific blogs, remote diagnostic and troubleshooting utilities, and even Webcasts.

Start Searching

If your problem seems to be associated with a particular application or device--for example, you consistently see the same error message from your financial application whenever you try to download data--start by visiting the vendor's site and searching the support database there for your error message.

Many sites allow you to search by entering a question or a brief phrase describing the problem (for instance, "system crashes when I begin download"). Search engines have a limited ability to process complex ideas, so keep your search phrase as clear and simple as possible. Include keywords, such as "download" and "install," when you can, but also identify the problem so the query isn't too vague.
If your search comes up empty, fire off an e-mail to the company's tech support address; better yet, look for a link to live chat.

Regardless, you'll almost certainly have to complete several fields of very detailed information before you even get to the point of describing your problem--so keep all your system specs, along with any error messages, handy. This is where screen shots and cut-and-pasted documents can be helpful.

If you reach a tech support rep in an online chat forum, try to be as succinct as you can while still providing all the pertinent information about the problem.

Online support reps typically work on multiple cases simultaneously, which can make their response times aggravatingly slow. Though you can't do much about that, try to keep your patience and don't let the support representative end the session until you're satisfied with the answers you receive. Generally, you'll then have the option to get a copy of the chat session, often via e-mail: Be sure to do so, as it may come in handy if you need to pursue the matter further.

Beyond the Vendor

Sometimes, however, you simply cannot get satisfaction from a vendor's Web site. Ian Richards, editor of the Tech Support Alert Web site and e-mail newsletter, puts it bluntly: "Often online support tools represent boilerplate solutions that may be great for standard problems but marginalize difficult ones."

For more complicated issues, independently run tech support sites or user forums may be invaluable. "Volunteer support is expanding, and some of these sites are outstanding," Richards says.

One way of ferreting out useful third-party sites is to repeat your error-message search on Google, Yahoo Search, or another general-purpose engine. Often this leads to obscure newsgroups or user forums where you may gain insights from others who have had a similar problem.

The best advice frequently comes from other users, so be sure to include sites like PCMechanic, Suggest a Fix, Tech Support Forum, and Tech Support Guy in your research.

Another site worth visiting is Experts Exchange, where IT professionals provide quick answers on just about any tech topic. There is a catch, however: You must pony up $10 a month to use the site.

Hundreds of helpful online third-party tech support resources--some free, and others requiring subscriptions or service fees--specialize in helping hapless PC users chase the ghosts from their machines. The Web is also home to plenty of product-, product category-, and service-specific support sites, such as Broadband Reports, which focuses on communications and ISP issues, and Fixyourownprinter.com, which posts discussions of particular problems, links to repair kits, and more. Some companies even host resources of this type on their own Web site; Intuit, for example, includes discussions, user forums, and links to blogs where users can look for practical information and advice.

A good place to unearth resources is Richards's site, Tech Support Alert, which serves up a healthy collection of tech support links (including active sites and user forums), reviews, and advice on an extensive range of technology topics.

Of course, some problems are so complex that all the Web resources in the world won't help you escape their toils. And if you can't get online at all, you'll probably have to call tech support eventually. But with a little research, some scrupulous note-taking, and an extra dose of patience, you just might be able to cure your tech woes without having to pick up the phone.

Spam Slayer: Next-Generation Spam

2006-01-24T16:24:00.000-05:00

Spammers adapt quickly. One day they're sending out mortgage leads using a computer server in Shanghai. The next day, they're sending pitches for Viagra using a zombie PC in Detroit. It's all part of their efforts to avoid getting caught, and to trick ISPs' spam filters into letting their messages through.

Spam exterminators know this cat-and-mouse game all too well. Nonetheless, they say that 2005 was a good year in the fight against spam. In 2005, the volume of spam being sent stopped growing at double-digit rates, and many ISPs and e-mail providers claimed to have prevented more than 90 percent of unwanted e-mail from reaching their customers' inboxes.

But in the anti-spam world, there is barely time to rest on your laurels. Reps at several ISPs whom I spoke with say they are gearing up for new challenges in 2006, when they expect spammers to grow more sinister.

What follows is a list of what spam experts and ISPs say will be keeping them on their toes in 2006.

From Spam Zombie to Zombie Armies

Read on for complete story
Spam Slayer: Next-Generation Spam

2006-01-22T21:07:00.000-05:00

FAQ: Will your Intel-based Mac run Windows?

Apple Computer's announcement of new Macs based on processors from Intel raises an interesting question: Since both the Mac and Windows operating systems now run on Intel-based hardware, shouldn't it be easy to run both on the same computer?

That simple question deserves a simple answer. But there isn't one--at least not right now. Reaching the nirvana of running the two most popular desktop operating systems on one machine is a lot harder than you might expect.

Apple has said that it wasn't planning to support Windows on the "MacTel," but the company also said it wouldn't try to stop people from doing so. Still, some of the technical choices Apple has made in designing the new Intel-based Macs have made running Windows a challenge.

The good news? Plenty of people have been working to break down the barriers, so it should only be a matter of time before Windows shows up on the iMac's 20-inch widescreen display.
Even after solving the technical challenges, there are also legal hurdles. Just because you might get Windows running on a Mac, or Tiger running on their Dell, doesn't mean it's legal.

Finally, even if the legal and technical obstacles are overcome, many people say just being able to boot both operating systems independently is not the answer. Most people will want the systems to interact, which means some form of emulation or virtualization. Some small developers are making promises in this area, but just how quickly this will happen--or how quickly the emulated OS will run--remains to be seen.

We're not engineers or lawyers, but here's our best stab at answering some common questions:

Complete story link
MSN Tech & Gadgets

2006-01-20T08:38:00.000-05:00

Google Rebuffs Feds on Search Requests

Google Inc. is rebuffing the Bush administration's demand for a peek at what millions of people have been looking up on the Internet's leading search engine _ a request that underscores the potential for online databases to become tools for government surveillance.

Mountain View-based Google has refused to comply with a White House subpoena first issued last summer, prompting U.S. Attorney General Alberto Gonzales this week to ask a federal judge in San Jose for an order to hand over the requested records.

The government wants a list all requests entered into Google's search engine during an unspecified single week _ a breakdown that could conceivably span tens of millions of queries. In addition, it seeks 1 million randomly selected Web addresses from various Google databases.
In court papers that the San Jose Mercury News reported on after seeing them Wednesday, the Bush administration depicts the information as vital in its effort to restore online child protection laws that have been struck down by the U.S. Supreme Court.

Yahoo Inc., which runs the Internet's second-most used search engine behind Google, confirmed Thursday that it had complied with a similar government subpoena.

Although the government says it isn't seeking any data that ties personal information to search requests, the subpoena still raises serious privacy concerns, experts said. Those worries have been magnified by recent revelations that the White House authorized eavesdropping on civilian communications after the Sept. 11 attacks without obtaining court approval.

"Search engines now play such an important part in our daily lives that many people probably contact Google more often than they do their own mother," said Thomas Burke, a San Francisco attorney who has handled several prominent cases involving privacy issues.

"Just as most people would be upset if the government wanted to know how much you called your mother and what you talked about, they should be upset about this, too."
The content of search request sometimes contain information about the person making the query.

For instance, it's not unusual for search requests to include names, medical profiles or Social Security information, said Pam Dixon, executive director for the World Privacy Forum.
"This is exactly the kind of thing we have been worrying about with search engines for some time," Dixon said. "Google should be commended for fighting this."

Every other search engine served similar subpoenas by the Bush administration has complied so far, according to court documents. The cooperating search engines weren't identified.
Sunnyvale, Calif.-based Yahoo stressed that it didn't reveal any personal information. "We are rigorous defenders of our users' privacy," Yahoo spokeswoman Mary Osako said Thursday. "In our opinion, this is not a privacy issue."

Microsoft Corp. MSN, the No. 3 search engine, declined to say whether it even received a similar subpoena. "MSN works closely with law enforcement officials worldwide to assist them when requested," the company said in a statement.

As the Internet's dominant search engine, Google has built up a valuable storehouse of information that "makes it a very attractive target for law enforcement," said Chris Hoofnagle, senior counsel for the Electronic Privacy Information Center.

The Department of Justice argues that Google's cooperation is essential in its effort to simulate how people navigate the Web.

In a separate case in Pennsylvania, the Bush administration is trying to prove that Internet filters don't do an adequate job of preventing children from accessing online pornography and other objectionable destinations.

Obtaining the subpoenaed information from Google "would assist the government in its efforts to understand the behavior of current Web users, (and) to estimate how often Web users encounter harmful-to-minors material in the course of their searches," the Justice Department wrote in a brief filed Wednesday

Google _ whose motto when it went public in 2004 was "do no evil" _ contends that submitting to the subpoena would represent a betrayal to its users, even if all personal information is stripped from the search terms sought by the government.

"Google's acceding to the request would suggest that it is willing to reveal information about those who use its services. This is not a perception that Google can accept," company attorney Ashok Ramani wrote in a letter included in the government's filing.

Complying with the subpoena also wound threaten to expose some of Google's "crown-jewel trade secrets," Ramani wrote. Google is particularly concerned that the information could be used to deduce the size of its index and how many computers it uses to crunch the requests.
"This information would be highly valuable to competitors or miscreants seeking to harm Google's business," Ramani wrote.

Dixon is hoping Google's battle with the government reminds people to be careful how they interact with search engines.

"When you are looking at that blank search box, you should remember that what you fill can come back to haunt you unless you take precautions," she said.

Windows XP Service Pack 3: Not Until 2007

2006-01-17T15:33:00.000-05:00

The 'preliminary' due date for the next collection of fixes and patches for Microsoft's desktop operating system is as more than a year later than many company watchers were expecting.
Microsoft has gone public with a tentative date for its third service pack for Windows XP. And that date — the latter half of 2007 — is considerably later than many company watchers were expecting.
Microsoft has published the due-date for Windows XP Service Pack 3 (SP3) on its Windows Lifecycle Web site. While Microsoft characterized the date as "preliminary," it is still as much as a year later than a number of customers, partners and industry analysts had been anticipating.

Complete Story
Windows XP Service Pack 3: Not Until 2007

2006-01-16T09:51:00.000-05:00

Putting The Screws To Google

What if 2006 is the year big media players take aim at Google's (GOOG ) kneecaps? No, not with more lawsuits; the Authors Guild, the Association of American Publishers -- on behalf, in part, of BusinessWeek's parent company, The McGraw-Hill Companies (MHP ) -- and Agence France-Presse have already sued the search behemoth. Rather, picture this: Walt Disney (DIS ), News Corp. (NWS ), NBC Universal, and The New York Times (NYT ), in an odd tableau of unity, join together and say: "We are the founding members of the Content Consortium. Next month we launch our free, searchable Web site, which no outside search engines can access." (A simple bit of code is all it takes to bar all or some major search engines from accessing a site.) "From now on we'll make our stuff available and sell ads around it and the searches for it, but only on our terms. Who else wants to join us? Membership's free."

complete story link

Microsoft Ships First Vista Security Patches

2006-01-14T17:38:00.000-05:00

WOW!! It starts before it begins!

Microsoft Corp. has shipped the first critical security update for Windows Vista, the next version of its flagship operating system.
Over the weekend, the company released patches for beta testers running the Windows Vista December CTP (Community Technology Preview) and Windows Vista Beta 1, and warned that the new operating system was vulnerable to a remote code execution flaw in the Graphics

Read on
Microsoft Ships First Vista Security Patches

FBI Warns of Mining Accident E-Mail Scam

2006-01-13T09:23:00.000-05:00

Message purports to be from a doctor soliciting money for the tragedy's sole survivor.

The U.S. Federal Bureau of Investigations is warning Internet users to be on the look out for a fraudulent e-mail soliciting money for a survivor of a mine accident in West Virginia last week.

The e-mail purports to be written by a doctor at the hospital where the miner is being treated and describes the condition of the survivor and the financial assistance that is needed for a full recovery.

The accident cost the lives of 12 miners and there was just one survivor. He is still hospitalized and in partial coma, according to news reports.

Rescue attempts were heavily covered by U.S. media and the story stayed in the news spotlight for several days partly because initial reports of survivors turned out to be incorrect.

Under Investigation

"The FBI takes these matters seriously and is working with other law enforcement and private industry partners to identify the person(s) responsible," the agency says in a statement.

"Anyone who has received an e-mail of this nature is asked to contact the FBI's Internet Crime Complaint Center (IC3) via the Web site at http://www.ic3.gov/," the statement says.

The bureau also repeated its standard advice to refrain from opening or responding to unsolicited e-mails and to verify thoroughly any requests for money or personal information received via e-mail before responding.

Mozilla's Thunderbird 1.5 takes flight

2006-01-12T12:25:00.000-05:00

"Mozilla released on Thursday its updated e-mail application, Thunderbird 1.5, which is designed to deliver improved security and functionality. "

link to full story

'What's Kodak's Strategy?' - Leadership and Innovation - MSNBC.com

2006-01-11T08:52:00.000-05:00

'What's Kodak's Strategy?' - Leadership and Innovation - MSNBC.com:

Microsoft pushes out Windows patch ahead of time

2006-01-05T15:35:00.000-05:00

Microsoft to issue patch early

MSN Tech & Gadgets

Microsoft's WMF Patch Leaks Out

2006-01-05T09:57:00.000-05:00

Microsoft's WMF Patch Leaks Out

2006-01-05T09:44:00.000-05:00

Gates Shows off Vista

Link
Tech & Gadgets

2006-01-04T08:39:00.000-05:00

A serious flaw in Windows is generating a rising number of cyberattacks, but Microsoft says it won't deliver a fix until next week.

Link for full story

2006-01-03T20:02:00.000-05:00

Windows flaw spawns dozens of attacks

A flaw in Microsoft's Windows Meta File has spawned dozens of attacks since its discovery last week, security experts warned Tuesday.

The attacks so far have been wide-ranging, the experts said, citing everything from an MSN Messenger worm to spam that attempts to lure people to click on malicious Web sites.

The vulnerability can be easily exploited in Windows XP with Service Pack 1 and 2, as well as Windows Server 2003, security experts said. Older versions of the operating system, including Windows 2000 and Windows ME, are also at risk, though in those cases the flaw is more difficult to exploit, said Mikko Hypponen, chief research officer at F-Secure.

"Right now, the situation is bad, but it could be much worse. The potential for problems is bigger than we have ever seen," Hypponen said. "We estimate 99 percent of computers worldwide are vulnerable to this attack."

The Windows Meta File flaw uses images to execute arbitrary code, according to a security advisory issued by the Internet Storm Center. It can be exploited just by the user viewing a malicious image.

Microsoft plans to release a fix for the WMF vulnerability as part of its monthly security update cycle on Jan. 10, according to the company's security advisory.

"We have seen dozens of different attacks using this vulnerability since Dec. 27," Hypponen said. "One exploits image files and tries to get users to click on them; another is an MSN Messenger worm that will send the worm to people on your buddy list, and we have seen several spam attacks."

He added that some of the spam attacks have been targeted to select groups, such as one that purports to come from the U.S. Department of State. The malicious e-mail tries to lure the user to open a map attachment and will then download a Trojan horse. The exploit will open a backdoor on the user's system and allow sensitive files to be viewed.

The WMF flaw has already resulted in attacks such as the Exploit-WMF Trojan, which made the rounds last week.

Although Microsoft has not yet released a patch, security vendors such as F-Secure and the Internet Storm Center are noting Ilfak Guilfanov, a Russian security engineer, has released an unofficial fix that has been found to work.

"Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system," F-Secure noted in its daily security blog. "All pictures and thumbnails continue to work normally."

Security companies also are advising computer users to unregister the related "shimgvw.dll" portion of the Windows platform. Unregistering the dll, however, may also disable certain Windows functions and has not been thoroughly tested, according to a security advisory issued by Secunia.

Despite the potential for a large number of computer users to be affected by exploits related to this vulnerability, Hypponen said the chances of a widespread outbreak from a virus, as people return to work from the long holiday, are unlikely.

"We are still far away from a massive virus," he said. "Most people get attacked by this if they (search for something on the Internet) and get a million results. They may click on a link that goes to a malicious Web site or one that has been hacked, and then get infected."

2005-12-28T09:52:00.000-05:00

The 50 Greatest Gadgets of the Past 50 Years

http://www.pcworld.com/news/article/0,aid,123950,00.asp

2005-12-23T10:53:00.000-05:00

Merry Christmas, Happy Hanukah and a Prosperous New Year to all!!!

2005-12-21T08:54:00.000-05:00

FTC says federal spam law has worked. MAYBE!!

WASHINGTON--About 70 percent of the world's e-mail messages continue to be spam. But the number is leveling off, which federal officials on Tuesday cited as evidence that a law enacted two years ago is working.

At a press conference here, the Federal Trade Commission released a report (click here for PDF), delivered last week to Congress, that said the so-called Can-Spam Act is "effective in providing protection for consumers."

Can-Spam has permitted the agency to pursue lawsuits against spammers and has spurred adoption of commercial e-mail "best practices," such as including an "opt out" link and the sender's postal address in any unsolicited message, said Lydia Parnes, director of the FTC's Bureau of Consumer Protection.

What remains unclear, however, is how effective the law has been. Statistics compiled by antispam companies show that the total number of junk e-mail messages has leaped 62 percent in the last year. At the same time, filtering technology has dramatically improved, which could account for in-boxes not completely overflowing.

Some critics of Can-Spam, which requires an opt-out approach rather than a stricter "opt in" standard, have even suggested that the law may have increased the amount of junk e-mail. That's because Congress intentionally killed tougher state laws, such as one in California that had required recipients to opt into commercial mailing lists.

The FTC's Parnes acknowledged that it was problematic to attribute a cause-and-effect relationship to the 2003 law. "I think it's difficult to parse out the effectiveness of the law versus the technological advances in reducing spam," she said.

Parnes also warned that the nature of spam content appears to be growing increasingly malicious, and spammers continue to evade law enforcement by registering with domain name registrars under false names. The FTC encouraged improvements in spam-busting technology and in "domain-level authentication," as well as a continued effort to educate consumers about the Web bane.

The FTC drew its conclusions based on its own experiences with enforcing the legislation and interviews with "scores of individuals," including consumer group representatives, e-mail marketers, Internet service providers, law enforcers and computer scientists.
The agency used data from e-mail security company MX Logic, among others, to conclude that the number of spam messages is leveling off or even declining. That company calculated that in the past year, an average of 68 percent of the messages it screened fell into the spam category--down from an average of 77 percent last year.

But because the overall number of e-mail messages is rising, a slightly smaller percentage of a much larger number means that spam continues to grow. To derive its numbers, MX Logic evaluates a random sample of 10,000 messages each week from its roughly 7,000 business clients.

"We would not make the statement today that spam has completely declined," said Scott Chasin, the company's chief technology officer. "What we can say, and what we believe, is that spam has declined as far as reaching the consumer's in-box. I think it's a big difference from saying overall spam volumes are down."

The FTC also said the number of legitimate commercial e-mailers complying with Can-Spam is on the rise. MX Logic, however, reported that only 3 percent of the total messages it screened last year and 4 percent this year actually met those standards--that is, providing a subject line that jibes with the body of the message, a postal address, an opt-out link, and, in the case of adult-oriented e-mail, the FTC-mandated "SEXUALLY EXPLICIT" label in the subject line.
"I think largely the most compliance has come from the legitimate e-mail marketers that are desperately trying to find their own identity for their content because they, too, are suffering from deliverability issues due to spam-filtering at the end point," Chasin said.

Jordan Ritter, chief technology officer of Cloudmark, another e-mail security company, said it's tough to measure whether spam is actually on the decline--and, if so, what role the Can-Spam Act actually plays.

For its part, Cloudmark reported a 62 percent increase in the number of spam messages in the past year. In mid-December of this year, its users have flagged about 3.5 million messages per day as spam, whereas they designated 2.2 million at the same time last year. (The percentage of spam messages flagged, however, barely changed, as the total number of messages the company checked also grew from 450 million per day last year to about 800 million this year.)

"I think different organizations and different constituencies see different things," Ritter said. "I can definitely say from our technology, as well as the many ISPs we work with, that the process has worsened and the burden is becoming more expensive to carry."

More spam lawsuitsAlso on Tuesday, the FTC announced that it's in the "early stages" of litigating cases against three more alleged U.S. spam operators, while attorney generals in Florida, North Carolina and Texas filed their own suits against three additional spammers.
The cases--part of what the FTC calls "Operation Button Pusher"--involve alleged scams related to mortgages, online pharmaceuticals and a product called Fuel Saver Pro that claims to boost vehicle fuel efficiency and reduce emissions. A spam database kept by Microsoft tipped off the U.S. government in each instance.

The Canadian government also has joined the crackdown operations. Andrea Rosen, assistant deputy commissioner for the Canadian Competition Bureau, appeared at the press conference to announce two recent settlements with spammers who promoted Fuel Saver Pro. An estimated 400 victims in Canada, the United States, the United Kingdom, France and Australia fell for the claims, Rosen said.

Since Can-Spam was adopted in 2003, the FTC, Department of Justice, state attorneys general, and Internet service providers have brought more than 50 cases against suspected spammers. Parnes admitted that she had "no idea" what percentage of the world's spammers those prosecutions represent.

The FTC still contends that Congress doesn't need to change Can-Spam.
But, citing concerns over its ability to fight spam that originates abroad, the agency renewed its call for a piece of legislation that would beef up its ability to share information with international enforcement agencies. The proposal was approved by the U.S. Senate Commerce Committee last week, but it was unclear when it would proceed to consideration by the full Senate.

2005-12-18T08:43:00.000-05:00

Dasher worm gallops onto the Net

A Windows-targeted worm that drops spying software on vulnerable PCs is spreading across the Internet, security experts have warned.

The Dasher.B worm exploits a flaw in Microsoft Windows Distributed Transaction Coordinator, or MDTC, security companies said Friday. Microsoft announced and patched the hole in the component for transaction processing in October. However, initial glitches with the update may have left some users without a properly implemented fix, Sophos said.

"The worry is that the problems with the patch may have prevented it from being successfully rolled out onto some vulnerable computers," Graham Cluley, senior technology consultant at the security company, said in a statement.

Cluley noted that computers running Windows 2000 and those that have not been updated with MS05-051 face the greatest risk.

Dasher.B is a network worm that has the potential to open a back door on computers with the MSDTC flaw, security experts said. The infected systems are then prompted to connect to a remote computer for instructions. Once connected, it downloads a malicious program that tracks keystrokes.

"This new worm aims (to) install software that tries to infect other vulnerable systems, and that also can be used to log keystrokes and turn the computer into a remotely controlled 'bot' system," James Rendell, a technical product manager at Internet Security Systems, said in a statement.

A third version of the worm emerged Friday, Dasher.C, which almost looks identical to Dasher.B, said Oliver Friedrichs, senior manager at Symantec's Security Response Center.
Three versions of Dasher--B, C and A, which emerged earlier this week--have infected at least 3,000 systems worldwide, Friedrichs said, noting the growth rate of the infection has since leveled off.

Security experts at Internet Security Systems expressed concern about the new worm and warned users to be vigilant.

The United Kingdom's computer emergency response team also issued an advisory Friday on Dasher.B, citing an update from the Australian CERT.

2005-12-17T14:09:00.000-05:00

Time Warner to Sell 5% AOL Stake to Google for $1 Billion

Go to link for full story

Full story

2005-12-15T12:38:00.000-05:00

Gunk Busters!

Get your PC running like new with these easy tips for clearing the crud out of Windows, applications, and hardware.

Good article from PC WORLD

http://www.pcworld.com/howto/article/0,aid,123407,pg,1,00.asp

2005-12-14T12:36:00.000-05:00

Microsoft Patch Tuesday Cleans Up IE

Link

2005-12-13T09:37:00.000-05:00

Hotwiring Your Search Engine

Google a topic, and the results are based on popularity, right? Wrong. Inside the shadowy world of 'SEOs.'

http://www.msnbc.msn.com/id/10415455/site/newsweek/

2005-12-12T08:35:00.000-05:00

Critical Windows Patch Expected

Malware removal tool update is among scheduled December fixes.

Microsoft is planning two software security fixes--at least one of them rated as critical--as part of December's release of security updates, next week.

Both patches are for the Windows OS, according to a statement on Microsoft's Web site. A critical rating for a bug means that a worm could take advantage of it without the user taking any action.

The patches for the bugs, called "updates" by Microsoft, will come as part of the company's regular monthly patch release cycle. Microsoft releases most software patches on the second Tuesday of each month, a date that has come to be known as "Patch Tuesday" by security professionals.

Other Patch Plans

Microsoft also will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the company's Download Center Web site. The tool will not be distributed using Software Update Services, however.

Additionally, the company will release two non-security, high-priority patches on Windows Update and Software Update Services, and three non-security high-priority patches on Microsoft Update and Windows Server Update Services.

In November, Microsoft released one software patch that addressed three critical security vulnerabilities in the way that Windows processes Windows Metafile, a graphics format used by some computer-aided design (CAD) applications.

2005-12-08T11:08:00.000-05:00

One in Four Users are Phishing Targets

Roughly one in four U.S. Internet users are targets of phishing attacks—phony e-mails seeking personal financial data—according to a study conducted by Time Warner Inc.'s Internet unit AOL and the National Cyber Security Alliance.

In a phishing attack, e-mails ask prospective victims to verify personal information through links to real-looking Web sites.

According to the study, 70 percent of consumers who received such e-mails thought they were from legitimate companies.

"Phishers are getting better at tricking consumers into revealing their bank account and financial information, and most Americans can't tell the difference between real e-mails and the growing flood of scams that lead to fraud and identity theft," said Tatiana Platt, AOL's chief trust officer, who's in charge of privacy and security.

"Consumers need to be aware of the risk, and they need to use critical protections like anti-virus software, spyware protection, and a firewall to help protect them from online threats," she said.
The study showed that 81 percent of home PC's lack either updated computer software, spyware protection or a secure firewall.

"Far too many people still lack the three fundamental protections they need to stay safe online," said Ron Teixeira, executive director, National Cyber Security Alliance.

2005-12-04T09:24:00.000-05:00

IE flaw lets intruders into Google desktop

Read on as it is never ending:

Story link

2005-12-03T13:44:00.000-05:00

Sober worm stalls MSN, Hotmail

The pesky Sober worm is to blame for disrupting e-mail traffic between Comcast account holders and users of Microsoft-based e-mail, Redmond said on Friday.

A variant of Sober known as Win32/Sober.Z@mm is pummeling servers at Hotmail and MSN with "unusually high mail load," causing delays in e-mail delivery to Hotmail and MSN customers, said Brooke Richardson, MSN's lead product manager. Richardson also indicated that Internet service providers besides Comcast may be having problems directing e-mail to Hotmail and MSN servers.

"We are working with Comcast and other ISPs to address (the) issues," Richardson said. "We're actively working to take the appropriate steps to remedy the situation as rapidly as possible. We sincerely apologize for any inconvenience."

Blog reports say that some Comcast subscribers, when sending e-mail to a Hotmail or MSN account, have received an error message saying their message was not received. However, Microsoft says that all e-mails, while some may be delayed, are eventually getting through.
A Microsoft spokesperson other than Richardson said that the problem began earlier this week but would not give a timetable for when it might be fixed.

The Sober worm first appeared in 2003 and can hijack a Windows-based computer and force it to repeatedly send spam e-mails. The continuous e-mailing can lead to overloaded servers and reduced network performance. Last month, a variant of the Sober worm was spread as an attachment that claimed to be an old class photo sent by a schoolmate.

2005-11-30T11:31:00.000-05:00

NEW VERSION OF MOZILLA FIREFOX 1.5

A new version of the Firefox Web browser debuted Tuesday, promising speedier browsing, swifter updates and better pop-up blocking.

Firefox 1.5, available free via download, is the browser's first major update since creator the Mozilla Foundation introduced it about a year ago. Since then, Firefox has emerged as one of the most popular alternatives to Microsoft's Internet Explorer, with more than 100 million copies downloaded in the first year, more than 40 million active users and about 8 percent of the browser market.

Firefox is also one of the most widely distributed open-source programs, meaning anyone can use and modify the code. Thousands of volunteer programmers contributed to the new version of the browser, and more than 750,000 people were involved in testing it since Mozilla, a nonprofit, released the first test version Nov. 1.

New in the 1.5 version are more sophisticated security and performance features. In addition to a more effective pop-up blocker, the updated browser is designed to ease security updates. The program checks daily for patches, downloads them automatically and then prompts users to install them, said Chris Beard, vice president of products at Mozilla.

Other improvements include "forward" and "backward" browsing buttons designed to load Web pages more quickly. A new drag-and-drop feature for browser "tabs" lets users keep related pages together.

Firefox 1.5 also supports new Web programming standards, such as AJAX, that enable more graphical capabilities in Web pages. And the browser features more sophisticated application programming interfaces for people who build and use add-on programs, such as browser-based weather updates.

Mozilla plans to introduce new versions more frequently from now on. Firefox 2.0 is due in mid-2006, and the 3.0 release is set for the first quarter of 2007. The group expects to release security and stability updates every six to eight weeks.

In keeping with its grassroots image, Mozilla is tapping its users to help promote the new version of Firefox. It plans to publish their amateur video endorsements on its Web site. Anyone can upload a video for the group's review.

By-Pass Those Telephone Automated Machines

2005-11-29T10:07:00.000-05:00

This is a great way to pass those automated telephone machines when you call an Airline, Bank or any other business. If you have a number to add please do so. Paul English has compiled this sheet

Check this link for numbers listed
http://www.paulenglish.com/ivr/

Phishers Latest Evil

2005-11-28T11:31:00.000-05:00

Don't Trust the Padlock

Phishing schemes are all about deception, and recently some clever phishers have added a new layer of subterfuge called the secure phish. It uses the padlock icon indicating that your browser has established a secure connection to a Web site to lull you into a false sense of security. According to Internet security company SurfControl, phishers have begun to outfit their counterfeit sites with self-generated Secure Sockets Layer certificates. To distinguish an imposter from the genuine article, you should carefully scan the security certificate prompt for a reference to either "a self-issued certificate" or "an unknown certificate authority."

Bottom Line: I've long worried that phishers weren't doing more to secure my stolen personal information. Seriously, though, most standard tips still apply: Don't click links in unsolicited e-mail or IM, enter URLs by hand, and use countermeasures such as Netcraft's free Anti-Phishing Toolbar.

Who's Afraid of Google?? Everyone

2005-11-25T10:57:00.000-05:00

It seems no one is safe: Google is doing Wi-Fi; Google is searching inside books; Google has a plan for ecommerce.

Of course, Google has always wanted to be more than a search engine. Even in the early days, its ultimate goal was extravagant: to organize the world's information. High-minded as that sounds, Google's ever-expanding agenda has put it on a collision course with nearly every company in the information technology industry: Amazon.com, Comcast, eBay, Yahoo!, even Microsoft.

In less than a decade, Google has gone from guerrilla startup to 800-pound gorilla. In some ways, the company is a gentle giant. Whereas Microsoft infamously smothered new and open standards, Google is famous for supporting them. And the firm is softening its image, launching a philanthropic arm, Google.org, with nearly $1 billion earmarked for social causes. But that doesn't reduce the fear factor, and Google knows it. Omid Kordestani, the company's global sales guru, said at a recent conference, "We're trying to find ways so we are not viewed as a gorilla." Given its outsize ambitions, that's one search Google might not be able to handle.

Is the sky falling? That's how it looks to panicked tech companies across the Valley as they contend with Google's ever-expanding power and ambition.

VIDEOToday, Google Video is a motley mix: clips of monkeys performing karate and robot dogs attacking iguanas. Tomorrow? No one knows, but everyone is worried.Who's threatened: Comcast and other cable providers, Yahoo!, TV networks that still shun the NetSigns of panic: Comcast wants to be the Google of television. Yahoo! bristles at any mention of Google Video. Networks were stunned to find Google compiling a database of their programs.Reality check: Google Video is up and running. The question is, How much content can it attract - or pay for - to fill the database. Watch for a strategic acquisition, even something big. TiVo?

CLASSIFIEDS

When secrecy-obsessed Google let news of "Google Base" slip, it looked like an aggressive entrée into online classifieds. The test service can search ads like used-car and personals listings, which would mesh with Google Local and might even kick-start Orkut, Google's social network.Who's threatened: craigslist, eBay, Monster, Tribe.net Signs of panic: Within hours of the Base bombshell, eBay's market value dropped by almost $2 billion. And even before that, the classified sites were nervous. CareerBuilder and others fretted about letting Google host their feeds. Reality check: This may be an extension of Froogle rather than a stand-alone product. But it could expand to everything from travel to eBay-like offerings.

TELECOM

Free Wi-Fi in San Francisco, instant-messaging software, a widely anticipated VoIP foray - Google's telecom initiatives seem designed to make life radically easier for users.Who's threatened: Comcast, SBC, Verizon, Vonage, what's left of AOL

Signs of panic:

Surprisingly few so far, partially because Google says it has no plans to offer Wi-Fi beyond San Francisco. Still, Comcast coined the word Comcastic - is that its answer to Googlicious?Reality check: Something's clearly afoot, and it could be big. With great power comes great regulation - so Google recently opened a DC lobbying shop to combat "centralized control by network operators."

OPERATING SYSTEMS

If anyone can fulfill the dream of turning the Internet into the operating system, it's Google. If the company chooses to develop an OS, the move will cement Google's other initiatives into a powerful whole.Who's threatened: Apple, MicrosoftSigns of panic: When one of Microsoft's key operating system engineers defected to Google last year, Microsoft CEO Steve Ballmer threw a chair across an office and vowed to kill Google.Reality check: The migration of applications from PCs to the Net is already happening - and it's key to Google's future. But the likelihood of a Google OS depends on what Microsoft accomplishes with its new OS, Vista.

PRINT

What if a search engine trolled not just every page on the Web, but every page in every book? Amazon.com tried it first, then Google said it would "make the full text of all the world's books searchable by anyone."Who's threatened: Amazon, Microsoft, book publishersSigns of panic: Against the interests of a legion of obscure writers, the Authors Guild sued Google.

The Association of American Publishers, with more to fear, did the same. Microsoft and Yahoo! have joined a group that's creating its own book search service.Reality check: Making every book searchable sends a clear signal that Google has the brawn to organize the world's information. But a vicious backlash could drown out that message.

PRODUCTIVITY PROGRAMS

Google joined with Sun Microsystems in October to jointly promote and distribute apps like the Google Toolbar and Sun's free OpenOffice software. Wider distribution of the toolbar, Google's most potent Trojan horse, gives the search engine access to a world of desktops.Who's threatened: Apple, Corel, MicrosoftSigns of panic: Microsoft launched its own toolbar and protested the decision of the Massachusetts Information Technology Department to dump Office for open source alternatives.Reality check: It may be a fiendishly clever way to attack one of Microsoft's highest-margin products, but this tactic can't be a top priority. Google Toolbar will thrive without Sun.

ECOMMERCE

Froogle threatens no one yet. But what if, as the development of Google Wallet suggests, Google handled your every online transaction? The potential revenue from Google's cut of each purchase would make AdSense look like AdCents.

Who's threatened:

Amazon, Buy.com, eBaySigns of panic: After reports speculated that Google might take on PayPal, eBay said it would pay up to $4.1 billion for VoIP rebel Skype. Wall Street's read: With PayPal under fire, eBay needed a new growth area.

Reality check:

Rather than take on PayPal directly, the company may start with something less ambitious, like handling payments for premium video content. But after that? Watch out.

2005-11-23T20:55:00.000-05:00

Verizon Wireless Sues Another Spammer

Unwanted text messages from a Florida-based travel company were sent recently to 98,000 Verizon Wireless customers, according to a new lawsuit filed by the operator.

The Verizon Wireless litigation highlights an unfortunate circumstance for the 200 million U.S. cell phone subscribers. Spam on cell phones is becoming a fact of life in the U.S., despite aggressive defensive tactics by operators.

Even though cell phone spam is still relatively limited, it's nonetheless particularly heinous and forcing operators to get a handle on it sooner, rather than later. That's because their subscribers often pay a few pennies for each incoming message. Spam to a PC using a wired Internet connection doesn't create this particular financial side effect.

"Electronic attacks upon the Verizon Wireless interstate text messaging network will continue; indeed the latest attack was just weeks ago," Verizon attorneys wrote in the suit filed Monday in a U.S. District Court in New Jersey.

In this particular case, Verizon Wireless alleges that Passport Holidays LLC, of Ormond Beach, Fla., sent unsolicited text messages to about 98,000 Verizon Wireless subscribers in the latter part of October. The lawsuit accuses Passport Holidays of using an automated dialer to send the text messages to phones in three East Coast area codes.

Those actions violates several federal and New Jersey laws, the suit contends.
A person answering the phone Wednesday at Paradise Holidays' offices said he was unaware of the suit, and had no other comment.

In addition to seeking legal protection, most operators develop, or purchases from other companies, technology to detect spam. Attacks like the one alleged in the recent lawsuit also trigger counter-measures, according to the lawsuit.

"We're sending a message to these kinds of outfits that they better sleep with one eye open if they invade our customers' privacy," said Verizon Wireless spokesman Tom Pica.

Zombies Boost New Sober Variant

2005-11-23T08:56:00.000-05:00

Anti-virus and e-mail security companies warned Internet users Tuesday about a new variant of the Sober worm that was flooding e-mail servers around the world, with help from zombie machines infected by earlier editions of the same worm.

Sober.AG is the latest in a long line of mass e-mail worms

It appeared Monday, after machines infected with older variants began spamming out the new version in a massive e-mail flood.

The e-mail messages use a variety of subterfuges to trick recipients into opening the virus attachment, including messages that pretend to come from the FBI and CIA, security firms said Tuesday.

E-mail security vendor MessageLabs of New York City said it blocked more than 2.7 million e-mail messages with the new Sober variant since around 7 p.m. GMT on Monday in what it called a "major offensive."

Symantec Corp. rated the worm, which it dubbed "Sober.X," a "Level 3" threat on a scale of one to five.

The company has received more than 1,600 samples of the worm from corporations and 300 from consumers, Symantec said in an e-mail statement.
Sober worms are nothing new, but the latest variant is much more widely distributed than other recent versions because it is being sent out, simultaneously, from countless other Sober-infected machines, or "bots," said Symantec.

The new worm also uses a variety of enticing messages, in both German and English, to trick users.

Messages that appear to come from the FBI or CIA tell users that their IP address has been logged on "more than 30 illegal Websites," and asks them to open an attached file containing a "list of questions."

Opening the file launches the Sober worm and infects the computer, anti-virus vendors said.

Other e-mail campaigns containing the Sober.AG worm promise recipients a glimpse of videos of jet-setters Paris Hilton and Nicole Richie if they open the file, according to an e-mail alert from Computer Associates International Inc.
The FBI issued a statement Tuesday warning the public to avoid falling for the scam.

Anti-virus vendors advised customers to update their anti-virus signatures and to be wary of scam e-mail messages. ´

Wave of Internet Attacks

2005-11-22T12:13:00.000-05:00

Popular Programs Suffer Wave of Internet Attacks

A new report on the top Internet vulnerabilities of 2005 finds a trend toward attacking common user applications.

Internet criminals are increasingly targeting popular applications like backup software and Web browsers instead of the operating systems that run them, according to a new report from government and industry security experts.

Attackers are targeting backup and recovery programs, as well as "the antivirus and other security tools that most organizations think are keeping them safe,". The shift toward finding and exploiting vulnerabilities in programs represents a major change from past years, when Windows and other operating systems and Internet services like Web and e-mail servers were the preferred targets.

"A new wave of attacks concentrated on application programs" in 2005, the report states.

Popular Software at Risk

In addition to holes in security and backup programs, critical vulnerabilities in instant messaging programs, Web browsers, file sharing applications, and media players are all listed among the Top 20.

And those vulnerabilities are drawing all the wrong sorts of attention. According to SANS, unwanted network traffic targeting Symantec Veritas BackupExec rocketed to 500,000 instances within days of an announced security hole in the product, up from a previous maximum of about 50,000 instances.

Symantec wasn't alone. Microsoft Office, Internet Explorer, Firefox, and AOL Instant Messenger also suffered from serious reported vulnerabilities, as did RealPlayer and iTunes. Also, according to a previous report from the Yankee Group, the number of flaws reported in antivirus and other security programs is increasing at a far faster rate than for Windows.
Opportunities for Criminals

Applications represent an increasingly attractive target because operating systems and Internet services have become more resilient after years of steady attacks. Many programs, on the other hand, lack any means for automatic program updates. The delay between an announced vulnerability and the time that an administrator or home user manually updates the software represents a window of opportunity for Internet criminals.

New awareness of critical security holes in the network devices that guide Internet traffic represents the second important shift in the Top 20, according to the report.

"Compromises of network devices can provide attackers one of the most fruitful platforms for eavesdropping and launching targeted attacks," it states.

Government organizations within the United States, the United Kingdom, and Canada all contributed to the report, as did Internet security companies TippingPoint and Qualys. The SANS Institute has been producing the Top 20 report since 2000.

News From Microsoft

2005-11-21T14:03:00.000-05:00

Microsoft adds e-mail, IM to Live.com

Microsoft has introduced a domain hosting service for its fledging Live.com product line.
The software giant on Friday launched the beta version of Windows Live Custom Domains service. It will provide e-mail, instant messaging and links to other MSN services to people who have existing Web site domain names.

The service is the latest that the Redmond, Wash., company has previewed since the unveiling earlier this month of Live.com, a Web site and set of rebranded services rooted in Microsoft's MSN Web portal business.

The company posted a list of Live.com-branded services under development on the Web site, Windows Live Ideas. Microsoft lists many of the services, such as its Live.com Web content aggregation site and Web-based Windows Live Mail site, in beta testing.

With its Custom Domains service, Microsoft will give consumers up to 20 e-mail accounts with 250MB per address for an existing Internet domain name.

It will include junk-mail filtering and virus scanning and allow a person to check e-mail from any Web-enabled PC. The service will simplify access to MSN Messenger, MSN Spaces and other MSN services, according to the company.

SKYPE: IS IT NEEDED???

2005-11-21T13:32:00.000-05:00

So Why Do We Need Skype, Anyway?

Opinion: There has been quite a debate going on as to whether Skype is safe for corporate use. The more important question: Do we need Skype or just want it? And is just wanting it worth the risk—even a small one?

There has been quite a debate going on as to whether or not Skype is safe for corporate use. Like most eWEEK.com readers, I am not deeply enough versed in security issues to make an independent decision on whether Skype is or is not secure.

The more important question: Do we need Skype or just want it? And is just wanting it worth the risk—even a small one?

The issue comes down to this: Do we really need another IM service through the firewall? Given that Skype, despite its wild popularity, doesn't seem all that different from the IM services offered by AOL, Yahoo, and MSN, the question becomes "Why should we allow another?"
Are users demanding another IM service for valid business reasons, or is Skype just the current fad?

Lacking a business justification, I don't see a good reason to take the chance on Skype or anything else. If Skype doesn't do more for you than present a potential risk, what's the value in taking the chance?

Click here to read more about Microsoft's deal with AOL and Yahoo to allow its enterprise IM server to interconnect with the companies' IM services.

Call me paranoid, but the truth is there really are people on the Internet that are out to get us. If Skype opens another door for these miscreants into the network, why should I allow it?
I am not—and indeed I cannot—say Skype is better or worse that anyone else's VOIP, though I do note that Skype has specifically said they are not building an enterprise-grade service.

That makes me think that while Skype may not be less secure than what already is on the network, that it won't be more secure, either. Since I already have enough security and administrative headaches, why accept another unless I have to?

This is, of course, the opposite of the "permissive" network administrator's position, which would be to allow Skype unless there is a proven, valid reason not to.

Maybe it comes down to what sort of parents you had and what they were willing to let you get away with.

My counter to the permissive argument would be that since any software can create problems, why take more chances than you have to?

Read more here about MSN and Yahoo Messenger joining forces.

Indeed, if we could remove other IM clients from the corporate network, that might be a good thing, too. One company I work with was recently hit pretty hard by a bug that was spread through AOL's IM network.

But, so many people there use it for business purposes that AIM wasn't yanked. That incident, along with those at other places, makes a case for reducing the number of IM networks in use rather than allowing them to increase.

Indeed, a wise enterprise is already looking at bringing the IM network in-house, with controlled links to external networks. This is the approach Microsoft is pushing, linking its enterprise IM to the AOL and Yahoo networks.

My bet is this is the first step toward IM becoming a paid service, at least in places where the network operators don't or can't force users to see their advertising.

IM is, however, such a valuable business tool that I believe companies should be willing to pay for it, though getting money for something long offered for free may prove an uphill battle.
Making IM a managed network resource, rather than unmanaged external service, should also improve security, while removing the necessity many users find for running multiple IM clients on their desktop.

If Skype wants to play in this environment and support connections to corporate IM systems, that's all the better.

Note that while I am using Microsoft as an example, because I have some idea what the company is up to, I really don't care whose IM software a company chooses, just that it makes life simpler and more secure.

Similarly, I have long called upon the IM network operators to support interoperability amongst their services.

My impression is that Skype really wants to be a consumer service, and it is probably fine for home use.

It may be fine for use at the office as well, but I have yet to hear an argument so compelling that Skype seems worth the bother.