Thursday, May 31, 2007

Firefox add-ons may open doors to hackers

The majority of Firefox extensions are hosted and updated from Mozilla's own SSL-secured site and are not vulnerable to this attack. However, a number of broadly used third-party extensions, including Google Toolbar, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, Netcraft Anti-Phishing Toolbar and PhishTank SiteChecker, are among the at-risk add-ons that update from their own unsecured servers.

Christopher Soghoian, a Ph.D. student at Indiana University, outlined how "man in the middle" attackers, especially in public wireless networks, could disguise malware as a Firefox extension and surreptitiously plant their code in lieu of a normal update to one of the vulnerable extensions.
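As an added defender-side illustration, not code from the article, from Mozilla or from any of the vendors named: a Python check that reads an extension's install.rdf manifest and classifies its update channel along the lines Soghoian describes. It assumes the em:updateURL and em:updateKey properties of the install.rdf format, that a missing updateURL means the default AMO channel, and that an updateKey-signed update manifest resists tampering in transit; all manifests below are constructed samples.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"


def _prop(desc, name):
    """Read an em: property written either as a child element or as an attribute."""
    tag = "{%s}%s" % (EM_NS, name)
    value = desc.findtext(tag)
    if value is None:
        value = desc.get(tag)
    return value.strip() if value else None


def assess_update_channel(install_rdf):
    """Return (extension id, verdict) describing how the add-on fetches updates."""
    desc = ET.fromstring(install_rdf).find("{%s}Description" % RDF_NS)
    if desc is None:
        raise ValueError("install.rdf has no rdf:Description")
    ext_id = _prop(desc, "id") or "<unknown>"
    update_url = _prop(desc, "updateURL")
    update_key = _prop(desc, "updateKey")
    if update_url is None:
        # Assumption: no updateURL means the default AMO channel, which the article calls SSL-hosted.
        return ext_id, "ok: default AMO update channel"
    scheme = urlsplit(update_url).scheme.lower()
    if scheme == "https":
        return ext_id, "ok: update manifest fetched over https"
    if scheme == "http" and update_key:
        # Assumption: a signed update manifest (updateKey) lets the browser reject one altered in transit.
        return ext_id, "reduced: http channel, but update manifest is signed"
    if scheme == "http":
        return ext_id, "HIGH: unauthenticated http update channel, replaceable in transit"
    return ext_id, "unknown: unexpected scheme %r" % scheme


def manifest(body, attrs=""):
    """Wrap Description content in an install.rdf envelope (constructed samples only)."""
    return '<RDF xmlns="%s" xmlns:em="%s"><Description%s>%s</Description></RDF>' % (
        RDF_NS, EM_NS, attrs, body)


SAMPLES = [  # constructed, not real extensions
    manifest("<em:id>safe@example.invalid</em:id>"
             "<em:updateURL>https://updates.example.invalid/update.rdf</em:updateURL>"),
    manifest("<em:id>toolbar@example.invalid</em:id>"
             "<em:updateURL>http://updates.example.invalid/update.rdf</em:updateURL>"),
    manifest("<em:id>signed@example.invalid</em:id>"
             "<em:updateURL>http://updates.example.invalid/update.rdf</em:updateURL>"
             "<em:updateKey>MIGfMA0G-constructed-placeholder</em:updateKey>"),
    manifest("<em:id>attr@example.invalid</em:id>",
             ' em:updateURL="http://updates.example.invalid/update.rdf"'),
    manifest("<em:id>amo@example.invalid</em:id>"),
]


def audit(manifests):
    """Assess each manifest and return the ids whose update channel is unauthenticated."""
    flagged = []
    for text in manifests:
        ext_id, verdict = assess_update_channel(text)
        print("%-28s %s" % (ext_id, verdict))
        if verdict.startswith("HIGH"):
            flagged.append(ext_id)
    return flagged
```

Calling audit(SAMPLES) prints one verdict per manifest and returns the ids that should be disabled or removed until the vendor moves to a secured channel.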

"It's sort of a compounding of errors," Soghoian said. "Mozilla didn't tell developers that they should update from a secure link; they erred in assuming everyone would know to do that. But the add-on developers are at fault for not using a secure server."

"It was really frustrating. Firefox was fantastic, but some of the other firms, they either ignored my e-mails or didn't reply," Soghoian said. He fingered Google Inc. as especially uncooperative. Between April 16 and May 24, he sent Google's security team five e-mails but received only one reply, on May 25, that said the group was working on a fix that was to be deployed before today. As of today, however, Google Toolbar was being served from an unsecured URL.

"This was really eye-opening," said Soghoian, who interned with Google's Application Security Team last summer.

"Vendors should be doing everything possible to encourage researchers," he said. "They should be encouraging us to come to them rather than sell the vulnerabilities to iDefense or Tipping Point. Ignoring researchers isn't the best way to encourage an open dialog."

Soghoian recommended that until affected extension vendors release secure updates, users should either remove or disable all Firefox extensions and toolbars that have not been downloaded from the official Mozilla Add-Ons site.

In an e-mail today, Mozilla's director of ecosystem development, Mike Shaver, acknowledged the danger that insecurely hosted and updated add-ons pose, and he urged extension developers to fix the problem.

"We strongly encourage the providers of such add-ons to remedy their hosting situation promptly to minimize the exposure to the users of their software," Shaver said. "Users of add-ons hosted on AMO, including all of the ones we've been working on, are not at risk here."

On another note, Mozilla released six new patches for Firefox today. The updates bring the current browser to version 2.0.0.4, and the 2005 edition to 1.5.0.12. Firefox 2.0.0.4 can be downloaded from the Mozilla Web site for Windows, Mac OS X and Linux; Firefox 1.5.0.12, meanwhile, is available from a different page. Current users can also update using the Check for Updates command in the Help menu.

Tuesday, May 29, 2007

Google Adds Street-Level Pictures to Google Maps

Initially, Street View images are available in Denver, Las Vegas, Miami, New York, and San Francisco. Additional cities will be covered in the future.

Google today launched Google Maps Street View, a new Google Maps feature that shows a 360-degree view from the streets of select cities.

"With Street View, you can virtually explore city neighborhoods by viewing and navigating within 360-degree scenes of street-level imagery," said Stephen Chau, product manager for Google Maps, in a blog post. "It feels as if you're walking down the street!"


At some point, these images may include live video feeds. While Google has other engineering priorities right now, Alan Eustace, senior VP of engineering & research, expressed interest in live video feeds while speaking with reporters at Google's recent Searchology event and noted that company co-founder Larry Page felt similarly.

Amazon's A9.com search engine pioneered the use of street images in its local search service back in January 2005. The company spent eight months compiling a database of 35 million images in 22 cities by sending drivers around the streets of major cities in vehicles equipped with GPS devices, cameras, and computers. Former A9.com CEO Udi Manber now works at Google as a VP of engineering.

Sony, Philips Unveil Flexible OLED Displays

Two of the world's biggest flat-panel display makers unveiled flexible full-color displays this week.

Two of the world's biggest flat-panel display makers, Sony Corp. and LG.Philips LCD Co. Ltd., unveiled flexible full-color displays at a display industry show in California this week.

Sony took the wraps off its prototype on Thursday and released an impressive video showing the display being bent to form a semi-circle while still displaying a moving video image. The 2.5-inch display has a resolution of 160 pixels by 120 pixels, making it a little larger than the typical cell phone screen and a little lower in resolution.

The screen from LG.Philips LCD is larger at 4 inches in diagonal width and has a higher resolution of 320 pixels by 240 pixels. In contrast to Sony's video, LG.Philips LCD released only a photo that showed the display curved at a slight angle.

Typically, flat-panel displays are built onto thin sheets of glass, but the Sony and LG.Philips screens are made on thin sheets of plastic and metal respectively. That allows them to be bent but also introduces a range of other problems, such as keeping everything aligned and working while the panel is flexed. Indeed, the video of Sony's prototype showed several bad pixels and other problems.

Neither company has said when it thinks the displays will be ready to go on sale but early customers might be attracted to them for reasons other than their flexibility, said Paul Semenza, an analyst with iSuppli Corp., who attended the Society for Information Display conference where they were announced.

"What tends to get forgotten is that these displays are also rugged and lightweight," he said. "Those are valuable properties."

Sony sees OLED technology as important for its future products and is putting a lot of research and development resources behind screens like that unveiled this week.

The screens are different from today's LCD (liquid crystal display) and PDP (plasma display panel) screens in that OLED pixels use an organic material that emits its own light, so no backlight is needed. That means the screens consume less power and can be made thinner. OLEDs also handle fast-moving images better and offer good color reproduction.

At the Consumer Electronics Show in Las Vegas in January the company showed off prototype televisions based on larger, non-flexible 11-inch and 27-inch OLED panels. Thanks to the lack of a backlight the 11-inch prototype was just 11 millimeters thick but displayed a vibrant, colorful image. Sony plans to have its first OLED TVs on sale in Japan this year.

Last week in Tokyo Sony unveiled its latest OLED TV prototypes, which appeared to be close to commercialization. The sets had an integrated digital TV tuner and could also accept a high-definition input via an HDMI (high definition multimedia interface) connector.

Michigan man dodges prison in theft of Wi-Fi

A Michigan man who used a coffee shop's unsecured Wi-Fi to check his e-mail from his car could have faced up to five years in prison, according to local TV station WOOD. But it seems few in the village of Sparta, Mich., were aware that using an unsecured Wi-Fi connection without the owner's permission--a practice known as piggybacking--was a felony.

Each day around lunch time, Sam Peterson would drive to the Union Street Cafe, park his car and--without actually entering the coffee shop--check his e-mail and surf the Net. His ritual raised the suspicions of Police Chief Andrew Milanowski, who approached him and asked what he was doing. Peterson, probably not realizing that his actions constituted a crime, freely admitted what he was doing.

"I knew that the Union Street had Wi-Fi. I just went down and checked my e-mail and didn't see a problem with that," Peterson told a WOOD reporter.

Milanowski didn't immediately cite or arrest Peterson, mostly because he wasn't certain a crime had been committed. "I had a feeling a law was being broken," the chief said. Milanowski did some research and found Michigan's "Fraudulent access to computers, computer systems, and computer networks" law, a felony punishable by five years in prison and a $10,000 fine.

Milanowski, who eventually swore out a warrant for Peterson, doesn't believe Peterson knew he was breaking the law. "In my opinion, probably not. Most people probably don't."

Indeed, neither did Donna May, the owner of the Union Street Cafe. "I didn't know it was really illegal, either," she told the TV station. "If he would have come in (to the coffee shop), it would have been fine."

But apparently prosecutors were more than aware of the 1979 law, which was revised in 2000 to include protections for Wi-Fi networks.

"This is the first time that we've actually charged it," Kent County Assistant Prosecutor Lynn Hopkins said, adding that "we'd been hoping to dodge this bullet for a while."

However, Peterson won't be going to prison for piggybacking. Because he has no prior record, Peterson will have to pay a $400 fine, do 40 hours of community service and enroll in the county's diversion program.

Tuesday, May 22, 2007

Software pirate to pay $205,000 fine for illegal eBay sales

The defendant also agreed to help authorities ID others involved in the scheme

May 22, 2007 (Computerworld) -- A software pirate who sold illegal copies of Symantec Corp. software on the online auction site eBay Inc. has agreed to pay a $205,000 fine.

In an announcement today, the Software & Information Industry Association (SIIA) trade group, which filed suit in the case on behalf of Symantec -- a SIIA member -- said the defendant has also agreed to assist authorities in identifying the parties who actually made and distributed the illegal software that was sold.

Keith Kupferschmid, senior vice president of intellectual property for the Washington-based SIIA, said the name and location of the defendant is being kept secret under the terms of the settlement.

"We give a certain level of confidentiality in order for us to get additional information," Kupferschmid said. The lawsuit, Symantec et al. v. Chan (a pseudonym) et al., was one of several civil cases brought by the SIIA. Several cases are still pending, as are several criminal cases being brought by the FBI, he said.

The case was originally filed in U.S. District Court in the Central District of California as part of the SIIA's Auction Litigation Program, which was started to monitor online auction sites for illegal software sales and file related lawsuits on behalf of member vendors.

Some 90% of the software sold on auction sites such as eBay is counterfeit, according to studies, Kupferschmid said.

The $205,000 settlement is in excess of the amount the unnamed software pirate made through the sales of the software.

In the lawsuit, the SIIA charged the defendant with infringing on Symantec's copyrights and trademarks in such titles as Norton PartitionMagic, Norton AntiVirus, pcAnywhere and Norton SystemWorks, as well as illegally reselling OEM, unbundled and counterfeit software.

The SIIA says it represents more than 800 members, including software and information companies.

Monday, May 14, 2007

Top Threat: Windows Hacktivation

Symantec is reporting on a Trojan horse that mimics the Windows activation interface.

What they are calling Trojan.Kardphisher doesn't do most of the technical things that Trojan horses usually do; it's a pure social engineering attack, aimed at stealing credit card information. In a sense, it's a standalone phishing program.

Once you reboot your PC after running the program, the program asks you to activate your copy of Windows and, while it assures you that you will not be charged, it asks for credit card information. If you don't enter the credit card information, it shuts down the PC. The Trojan also disables Task Manager, making it more difficult to shut down.

Running on the first reboot is clever. It inherently makes the process look more like it's coming from Windows itself, and it removes the temporal connection to running the Trojan horse. The program even runs on versions of Windows prior to XP, which did not require activation.

This is not an attack that will sneak by you. The executable is nearly 1MB large. But if you find yourself in this situation you should be able to disable it in Windows Safe mode by removing the registry keys described in the Symantec writeup and deleting the program it points to. Updated antivirus software should also be able to remove it.

Wednesday, May 09, 2007

Yahoo shutting down popular services

Yahoo Inc. has told users it will shut down its North American Web auction site. Just last week it announced plans to shut down Yahoo Photos in June, asking users to move to Yahoo's Web 2.0 photo sharing site, Flickr.

According to a message posted on the Yahoo Auctions site at auctions.yahoo.com, the service will no longer accept new auction listings from June 3. The last day to bid or buy goods and services on the auction site is June 16.


The latest closure applies to Yahoo's U.S. and Canadian auction sites. Yahoo auction sites in three Asian markets (Hong Kong, Singapore and Taiwan) will remain open.

"After careful consideration, we have decided to close down our Yahoo US and Canada Auction sites to better serve our valued customers through other Yahoo properties," the U.S. auctions site told visitors on Tuesday.

Yahoo continues to offer a range of U.S. e-commerce sites, including ones for shopping, auto sales, classified advertising and small business.

On Friday, Jeff Weiner, executive vice president of Yahoo's Network Division, said in a company statement: "We are making great strides in our ongoing efforts to align Yahoo's resources and focus on core strategic priorities."


According to audience measurement firm comScore Inc., online auction leader eBay Inc. accounted for more than 94 percent of online auction activity among U.S. Web users last week. Online retail giant Amazon.com Inc.'s U.S. auction site accounted for one-third of a percentage point, while Yahoo's auctions held only a 0.2 percent share.

"It comes with little surprise given Yahoo's advertising relationship with eBay, and eBay's massive dominance of the auction category," Hitwise research director LeeAnn Prescott wrote in a blog post.

A year ago, eBay and Yahoo announced a strategic alliance to cooperate on a range of services in their core U.S. markets.

As of Friday, May 4, 2007, certain Yahoo auction features were discontinued. A limited set of customer service features and account tools will be available through October 29.

Memory prices drop again; analysts expect good deals through June.

DRAM prices drop again; deals likely through June

A glut in the memory market is keeping prices down

Users looking to add more dynamic RAM to their PCs are likely to see bargains throughout May and June as prices of memory chips continue to crash.

The contract price of the most widely used DRAM -- 512Mbit, 667-MHz double data rate, second generation (DDR2) chips -- slid below $2 for the first time in the first half of May. The chips dropped 8.8% from mid-April to $1.94 per chip, according to DRAMeXchange Technology Inc., a Taiwan-based company that runs an online DRAM market.

That's great news for users. Falling DRAM rates can help offset recent increases in prices for LCD panels and keep PC prices in check. Users wanting to boost their systems' speed can also add more DRAM at a low cost. These prices aren't likely to last longer than the next few months. At $1.94 each, the chips are well below the $2.50 to $3 cost of production for chip makers, which will likely shift their production strategies in order to reverse the decline.

The second half of the year is also the strongest for PC sales, another factor that could stop the current downward trend.

DRAMeXchange said the DRAM market appears to be weaker than expected in May and June, and many companies in the supply chain, including module makers and PC vendors, have already built up inventories. Prices won't rebound until these inventories are drawn down.

The fall below $2 was also significant because of its relative ease, noted Gartner Inc. There was less resistance at that psychologically important level than expected, the industry researcher said.

Even though chip makers are producing DRAM at a loss, prices may not rebound quickly. The companies have to continue selling the chips to bring in cash so they can pay for their expensive DRAM factories. They could try shifting some production to other products, such as NAND flash memory and image sensors, where prices are firmer, but it takes months to tweak production lines for such a change. By making that kind of shift, they could miss an uptick in the DRAM market.

Around three-fourths of all DRAM chips are bought and sold through contracts between DRAM makers and major PC vendors such as Dell Inc. Prices are renegotiated twice per month. The remaining one-fourth is sold on open spot markets, like commodities such as oil and gold.

Contract prices of the chips have fallen 67% since the start of the year, when they were fetching $5.95 each. Although many analysts watch DRAM prices as an indication that PC shipments might be slowing down, that's not likely the case this time.

DRAMeXchange said the decline was caused by chip makers switching some production lines to DRAM from NAND flash memory, which had seen prices fall for nearly six months before recently stabilizing. The change has caused an oversupply in DRAM, while the glut in NAND flash memory has eased. There does not appear to be any problem with the PC market, analysts said.

Monday, May 07, 2007

Joost gone wild!

Everywhere you turn these days Joost is all the buzz. From forum to forum, friend to friend, invites or requests for invites seem to be spreading everywhere. Well, why not spread it to my section of the world. I've recently become a beta tester and now have a few Joost invites available. For more information on the Joost phenomenon, read my previous post "Joost ready to go live".

So far, from my limited testing, I'd have to say I can see a lot of potential here. However, there seem to be a few things in the interface that I find lacking. The speed of the streaming video seems to be adequate; however, on 384k-1.5mb AT&T DSL it's nowhere near functional.

As it is still in beta mode and I've only been able to test it for a short period of time, I'll limit my skepticism and say that I am optimistically hopeful that it's not just a bunch of hype!

Wednesday, May 02, 2007

Top 15 geek blog sites

Lifehacker took our top spot because of its great time-saving tips
Computerworld staff


May 01, 2007 (Computerworld) -- Some blogs educate, help people collaborate, spark ideas and just plain expand our thought universe. Others stir emotions and anger us or make us laugh. The editors of Computerworld got together and offered up a list of their favorite blog sites. We pared down more than 50 submissions to the top 15 technology blog sites based on breadth of information, newsworthiness, design, frequency of updates and entertainment value.

Sure, the list is subjective, but we think this is one of the best catalogs of blogs that has ever been published. The entries ran the gamut, from serious technology news and reviews to commentary on games and the latest tech gadgets. We included some honorable mentions at the end because the competition was so close.

Of course, not everyone will agree with our selection. If you think a blog site that's not on our list deserved a top 15 spot, share it with us in the comments section.

1) Lifehacker
www.lifehacker.com
Lifehacker's motto says it all: "Don't live to geek, geek to live." This blog offers timesavers of just about every stripe, from Firefox shortcuts to tips from the "Getting Things Done" faithful.

2) IT Toolbox Blogs
http://blogs.ittoolbox.com
IT Toolbox has a number of "in the trenches" IT pros who talk about technology and management issues. There are specialist blogs dealing with security, databases and project management, among other subjects. It's a versatile site.

3) Valleywag
http://valleywag.com
Bring in the noise, bring in the snark. Valleywag is for those who believe that the tech industry lives or dies by the scuttlebutt pinging around Silicon Valley. And it's amusing for those of us who prefer that the lotus-eaters of Northern California stick with the dishing and tongue-wagging, leaving the rest of us to get the real work done.

4) Kotaku
http://kotaku.com
Kotaku is the snarky, gamer uber-blog. It has everything from reviews and gossip to cheat tips. Just about anything you'll ever need, including which game to buy and how to play it.

5) Danger Room
http://blog.wired.com/defense
Wired's military and defense blog writes about some of the coolest and scariest military technologies -- not to mention scandals, debates and other military news. Lots of video and imagery are included.