Four months after it modified Windows 7 to stop the Conficker worm from spreading through infected flash drives, Microsoft has ported the changes to older operating systems, including Windows XP and Vista, the company announced on Friday.
In April, Microsoft altered AutoRun and AutoPlay, a pair of technologies originally designed for CD-ROM content, to keep malware from silently installing on a victim's PC. The Conficker worm, which exploded onto the PC scene in January, snatching control of millions of machines, used several methods to jump from PC to PC, including USB flash drives.
Conficker copied a malicious "autorun.inf" file to any USB storage device that was connected to an already-infected machines, then spread to any other PC if the user connected the device to that second computer and picked the "Open folder to view files" option under "Install or run program" in the AutoPlay dialog.
Microsoft responded by changing Windows 7 so that the AutoPlay dialog no longer let users run programs, except when the device was a nonremovable optical drive, like a CD or DVD drive. After the change, a flash drive connected to a Windows 7 system only let users open a folder to browser a list of files.
Four months ago, Microsoft promised to make similar changes in other operating systems -- Windows XP, Vista, Server 2003 and Server 2008 -- but declined to set a timeline.
On Friday, Microsoft used its Security Research & Defense blog to announce the availability of the updates for XP, Vista and the two Server editions.
Microsoft issued the updates almost three weeks ago, on Aug. 25, but did not push them to users automatically via Windows Update, or the corporate patch service Windows Server Update Services (WSUS). Instead, users must steer to Microsoft's download site, then download and install the appropriate update manually. Links to the download are included in a document posted on the company's support site.
The Windows XP update weighs in at 3MB, while the one for Vista is about 7MB.
The AutoRun and AutoPlay changes debuted in the Windows 7 Release Candidate (RC), which was available for public downloading from May 4 to Aug. 20. Windows 7 is set to go on sale Oct. 22.
By Gregg Keizer
Computerworld
Tuesday, September 15, 2009
Company hosting Joe Wilson fundraising site recovers from DDoS attack
A company providing online payment-processing services for U.S. Rep. Joe Wilson (R-S.C.) is back online after being disrupted by a distributed denial-of-service attack over the weekend.
The attack on Piryx began Friday afternoon and lasted into the early hours of Saturday morning, temporarily disrupting a Wilson fundraising effort that was under way at that time, Piryx CEO Tom Serres said. It also knocked out services for about 150 other Piryx clients, he said.
Piryx is a nonpartisan Austin-based start-up that provides services to help political candidates and nonprofits manage online campaigns and fundraising.
Serres said the company was contacted by Wilson's office last week and asked to manage online donations from supporters rallying behind the congressman after he shouted "You lie!" during President Obama's address to Congress on health care reform Wednesday.
Hours after the company began hosting Wilson's home page on its servers, Piryx found itself the target of a distributed denial-of-service attack, Serres said. Such attacks are designed to render servers and networks inaccessible by flooding them with useless traffic.
The attacks appear to have been directed at the JoeWilsonforCongress.com site, Serres said. At the time the attacks started, the site was handling about 100 transactions per minute and had already collected more than $100,000 from people who wanted to contribute to Wilson's campaign, he said.
Initially, the traffic generated by the DDoS attack was manageable, but soon Piryx began noticing "massive bandwidth spikes" that knocked its servers offline, Serres said. The data center hosting Piryx's servers confirmed that it was the victim of a DDoS attack. At its peak, the DDoS flood generated about 1Gbit/sec. of traffic, which is about 1,000 times the normal traffic on Piryx, Serres said.
After several failed attempts at mitigating the attacks, filters were put in place to block the traffic early Saturday morning. Service has been normal since then, Serres said. It's not known from where the attacks originated, but he said it appears to have been initiated by those opposed to Wilson's comments. "It was clearly politically motivated to take down Wilson's ability to raise funds online," Serres noted.
The incident appears to be one of the rare instances of a politically motivated attack against a Web site in the U.S., said Kirsten Dennesen, an intelligence analyst with VeriSign's iDefense Labs. The attention attracted by Wilson's comments, especially through social media tools such as Facebook and Twitter, appears to have contributed to the attack, she said.
"One question is whether there are going to be any response attacks," she added.
By Jaikumar Vijayan
Computerworld
The attack on Piryx began Friday afternoon and lasted into the early hours of Saturday morning, temporarily disrupting a Wilson fundraising effort that was under way at that time, Piryx CEO Tom Serres said. It also knocked out services for about 150 other Piryx clients, he said.
Piryx is a nonpartisan Austin-based start-up that provides services to help political candidates and nonprofits manage online campaigns and fundraising.
Serres said the company was contacted by Wilson's office last week and asked to manage online donations from supporters rallying behind the congressman after he shouted "You lie!" during President Obama's address to Congress on health care reform Wednesday.
Hours after the company began hosting Wilson's home page on its servers, Piryx found itself the target of a distributed denial-of-service attack, Serres said. Such attacks are designed to render servers and networks inaccessible by flooding them with useless traffic.
The attacks appear to have been directed at the JoeWilsonforCongress.com site, Serres said. At the time the attacks started, the site was handling about 100 transactions per minute and had already collected more than $100,000 from people who wanted to contribute to Wilson's campaign, he said.
Initially, the traffic generated by the DDoS attack was manageable, but soon Piryx began noticing "massive bandwidth spikes" that knocked its servers offline, Serres said. The data center hosting Piryx's servers confirmed that it was the victim of a DDoS attack. At its peak, the DDoS flood generated about 1Gbit/sec. of traffic, which is about 1,000 times the normal traffic on Piryx, Serres said.
After several failed attempts at mitigating the attacks, filters were put in place to block the traffic early Saturday morning. Service has been normal since then, Serres said. It's not known from where the attacks originated, but he said it appears to have been initiated by those opposed to Wilson's comments. "It was clearly politically motivated to take down Wilson's ability to raise funds online," Serres noted.
The incident appears to be one of the rare instances of a politically motivated attack against a Web site in the U.S., said Kirsten Dennesen, an intelligence analyst with VeriSign's iDefense Labs. The attention attracted by Wilson's comments, especially through social media tools such as Facebook and Twitter, appears to have contributed to the attack, she said.
"One question is whether there are going to be any response attacks," she added.
By Jaikumar Vijayan
Computerworld
Monday, September 14, 2009
Wi-Fi 802.11n sudah resmi loh sekarang!!
Setelah menunggu lama, akhirnya teknologi Wi-Fi jenis "n" sudah resmi diluncurkan dimana sebelumnya masih sebatas "draft".
Bagi anda yang ada rencana untuk membeli Router, notebook atau lainnya yang berhubungan dengan koneksi Wi-Fi kami sarankan untuk menunggu sebentar lagi untuk memiliki produk dengan sertifikasi 802.11n yang resmi.
Keuntungan dari 802.11n adalah kecepatan transfernya yang bisa mencapai 600 Mbps, bandingkan dengan 802.11g hanya 100 Mbps.
Walaupun sebenarnya sudah banyak alat yang mendukung 802.11n tetapi sebenarnya itu masih belum resmi dan boleh dibilang belum optimal dibandingkan dengan produk yang nantinya sudah bersertifikasi "n" secara resmi.
by Otakku
Tetapi jangan kuatir kok, tergantung produsen alat yang bersangkutan, kemungkinan besar kita bisa mengup-grade firmwarenya dari "Draft N" ke "N" yang resmi.
Dan bagaimana dengan rencana upgrade itu sendiri? Perlukah kita meng-upgrade dari versi b/g ke n? Sebenarnya tergantung kebutuhan, kalau selama ini anda sudah merasa cukup maka tidak perlu, sebaliknya kalau memang koneksi Wi-Fi biasa anda gunakan untuk nonton film, mungkin ini perlu dilakukan.
Yang harus diingat, upgrade router dari jenis b/g ke "n" tidak akan berguna bila notebook atau komputer anda tidak diup-grade ke "n" juga. :-)
Mungkin sebelum upgrade, anda bisa mencoba untuk mengoptimalkan Wi-Fi yang ada dengan membaca artikel kami tentang
Bagi anda yang ada rencana untuk membeli Router, notebook atau lainnya yang berhubungan dengan koneksi Wi-Fi kami sarankan untuk menunggu sebentar lagi untuk memiliki produk dengan sertifikasi 802.11n yang resmi.
Keuntungan dari 802.11n adalah kecepatan transfernya yang bisa mencapai 600 Mbps, bandingkan dengan 802.11g hanya 100 Mbps.
Walaupun sebenarnya sudah banyak alat yang mendukung 802.11n tetapi sebenarnya itu masih belum resmi dan boleh dibilang belum optimal dibandingkan dengan produk yang nantinya sudah bersertifikasi "n" secara resmi.
by Otakku
Tetapi jangan kuatir kok, tergantung produsen alat yang bersangkutan, kemungkinan besar kita bisa mengup-grade firmwarenya dari "Draft N" ke "N" yang resmi.
Dan bagaimana dengan rencana upgrade itu sendiri? Perlukah kita meng-upgrade dari versi b/g ke n? Sebenarnya tergantung kebutuhan, kalau selama ini anda sudah merasa cukup maka tidak perlu, sebaliknya kalau memang koneksi Wi-Fi biasa anda gunakan untuk nonton film, mungkin ini perlu dilakukan.
Yang harus diingat, upgrade router dari jenis b/g ke "n" tidak akan berguna bila notebook atau komputer anda tidak diup-grade ke "n" juga. :-)
Mungkin sebelum upgrade, anda bisa mencoba untuk mengoptimalkan Wi-Fi yang ada dengan membaca artikel kami tentang
NYTimes.com Warns of Malware on Site
Online scammers have apparently found a new way to reach their marks: They've started running ads on the Web site of The New York Times.
The newspaper warned readers Sunday that so-called rogue antivirus sellers had been spotted on its Web site, NYTimes.com. Their products, often promoted by Eastern European criminal organizations, are either ineffective or actually end up infecting the computers of people who purchase them.
"Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software," the Times said in a "Note to Readers," posted to its Web site Sunday. "We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring." The newspaper did not respond to a request for more information on the issue.
Because online advertisements are usually sold through networks, sites like NYTimes.com often have to rely on other companies to make sure that the ads they carry are appropriate.
Blogger Troy Davis was hit with the ad Saturday night. After taking a closer look, he discovered that JavaScript code in a New York Times ad redirected him to a Web site that popped up a browser Window designed to look like it is conducting a scan of the system. The window warns, "Your computer is infected."
"It's a fake page for a nonexistent antivirus app, which is actually malware," Davis wrote in his analysis of the issue.
The rogue antivirus problem got a lot of attention one year ago, when Microsoft and the Washington State Attorney General's office sued a pair of Texas companies for allegedly pushing the software.
Since then, things have only gotten worse.
In the past three months, rogue antivirus software has emerged as a major online problem, according to Paul Ferguson, a researcher with antivirus vendor Trend Micro. "Its pervasive," he said in an instant message interview. "Right now, they are going full-tilt."
Criminals use a variety of tricks to get people to shell out for the bogus products: They use search engine optimization techniques to get search engines like Google to list Web sites that display the pop-up ads, or they'll flog them through social media sites like Twitter or Facebook. They even use malicious Trojan horse programs to pop up error messages in hopes that people will buy.
Robert McMillan, IDG News Service
The newspaper warned readers Sunday that so-called rogue antivirus sellers had been spotted on its Web site, NYTimes.com. Their products, often promoted by Eastern European criminal organizations, are either ineffective or actually end up infecting the computers of people who purchase them.
"Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software," the Times said in a "Note to Readers," posted to its Web site Sunday. "We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring." The newspaper did not respond to a request for more information on the issue.
Because online advertisements are usually sold through networks, sites like NYTimes.com often have to rely on other companies to make sure that the ads they carry are appropriate.
Blogger Troy Davis was hit with the ad Saturday night. After taking a closer look, he discovered that JavaScript code in a New York Times ad redirected him to a Web site that popped up a browser Window designed to look like it is conducting a scan of the system. The window warns, "Your computer is infected."
"It's a fake page for a nonexistent antivirus app, which is actually malware," Davis wrote in his analysis of the issue.
The rogue antivirus problem got a lot of attention one year ago, when Microsoft and the Washington State Attorney General's office sued a pair of Texas companies for allegedly pushing the software.
Since then, things have only gotten worse.
In the past three months, rogue antivirus software has emerged as a major online problem, according to Paul Ferguson, a researcher with antivirus vendor Trend Micro. "Its pervasive," he said in an instant message interview. "Right now, they are going full-tilt."
Criminals use a variety of tricks to get people to shell out for the bogus products: They use search engine optimization techniques to get search engines like Google to list Web sites that display the pop-up ads, or they'll flog them through social media sites like Twitter or Facebook. They even use malicious Trojan horse programs to pop up error messages in hopes that people will buy.
Robert McMillan, IDG News Service
Why Macs Can't Beat PCs with Windows 7
I regularly use both Windows and Mac PCs, so any comments that I've never used a Mac are bunk. I've been using Windows 7 since before its public beta release at the first of this year. I use my Mac for video editing, iPhone development, etc. I love all of my computers equally -- my Windows PC, my Mac and my Linux servers. They all do what I ask them to do very well, and I have things about each that I like and things I don't.
But frankly, the differences in the Windows 7 and Mac OS X platforms from a usability standpoint are pretty much nil. Windows 7 has simplified much of the complexity introduced in Vista and made Windows a very clean and easy-to-use OS. I would even go so far as to predict that the days of Apple trampling all over Windows in the "I'm a Mac" commercials are pretty much over. Not to say Apple won't go after Windows 7 as soon as Windows 7 has some vulnerability or issue Apple can exploit in a TV commercial. I'll grant, too, that Apple still has its "cool" factor and Windows isn't like to encroach on that. But Windows 7 is not only a "good enough" operating system, it is so much better an OS and user experience that Apple will have to think hard before using the same advertising tactics that worked so well on Vista.
Here are the five reasons Apple fears Windows 7:
Clean and Simple User Experience. There is now very little difference between the easy user experience on Windows 7 and Mac OS X. Gone from Windows 7 are Vista's loads of unnecessary bloatware applications, confusing and poorly designed configuration dialog boxes, and moronic UAC popups that impeded a user's productivity at every turn. The new task bar is more simple and straightforward than Mac OS X's crowded icon bar. Windows also has very good screen configuration settings that make switching between monitor configurations extremely easy. And the Control Panel has been redesigned to the basics of what end users need to manage Windows 7. Like it or not, we're now down to personal preference when it comes to usability and ease of use.
Mac Crashes More. Fact is, my Windows 7 systems don't crash... ever. Those days of frequent Windows Explorer crashes went away when I installed the Windows 7 RC. My Mac now crashes more often (about once a month or so) than Windows 7, and my Mac isn't over laden with junk on it.
Flexibility and Lower Cost. Microsoft has updated its "PC hunter" commercials but they still show how easy it is to find a better value when buying a Windows PC over a Mac. You have to use some pretty convoluted math to come to the conclusion Macs don't cost more than PCs for the equivalent devices. If you buy a Mac it's going to be because you consciously have decided you want a Mac instead of a PC, you hate Microsoft, you prefer the Mac user interface, etc.
Performance. We may not have side-by-side Windows 7 and Mac OS X performance comparisons yet (I'm sure we will soon) but Windows 7 isn't the performance hog Vista was. The experience is great. Windows 7 tools are fast, applications don't freeze up waiting for resources, disk I/O performance is great, memory utilization is much more efficient. Startup, shutdown and sleep are fast. Outlook still has its issues with not responding but overall we're talking a speedy experience on Windows 7. Now add that to the fact that Windows has access to the latest hardware advances -- you can crack the core on the latest Intel i7 or other hardware advances.
Mac Security Is NOT Better Than Windows 7. Many still live with the myth that Mac OS X doesn't have any security issues while Windows does. That myth ignores the facts. For example, Apple just released 18 security patches (the smallest collection of patches this year) for Mac OS X on August 5th. Many try to argue that not all the fixes are for Mac OS X, but rather for other software that might be included with it. To compare apples-to-apples (pun intended) you have to stack up the software each vendor ships with their products, not selective parts of it. While it is true that Windows is still a much larger security target because of it's market share, it isn't true that the Mac doesn't have plenty of security issues of its own.
* Sponsored Resource:Improve your network with the right mix of features, performance and pricing.
* Sponsored Resource:Growing your business requires the right tools. Dell's networking servers can help.
* Sponsored Resource:Thinking about a new Laptop? Lenovo has models to meet everyone's needs.
* Sponsored Resource:Twitter: A how-to guide for using Twitter as a business tool.
* Sponsored Resource:Smartphone security threats are on the rise. Is it time to safegaurd your device?
For more information about enterprise networking, go to NetworkWorld. Story copyright 2008 Network World Inc. All rights reserved.
But frankly, the differences in the Windows 7 and Mac OS X platforms from a usability standpoint are pretty much nil. Windows 7 has simplified much of the complexity introduced in Vista and made Windows a very clean and easy-to-use OS. I would even go so far as to predict that the days of Apple trampling all over Windows in the "I'm a Mac" commercials are pretty much over. Not to say Apple won't go after Windows 7 as soon as Windows 7 has some vulnerability or issue Apple can exploit in a TV commercial. I'll grant, too, that Apple still has its "cool" factor and Windows isn't like to encroach on that. But Windows 7 is not only a "good enough" operating system, it is so much better an OS and user experience that Apple will have to think hard before using the same advertising tactics that worked so well on Vista.
Here are the five reasons Apple fears Windows 7:
Clean and Simple User Experience. There is now very little difference between the easy user experience on Windows 7 and Mac OS X. Gone from Windows 7 are Vista's loads of unnecessary bloatware applications, confusing and poorly designed configuration dialog boxes, and moronic UAC popups that impeded a user's productivity at every turn. The new task bar is more simple and straightforward than Mac OS X's crowded icon bar. Windows also has very good screen configuration settings that make switching between monitor configurations extremely easy. And the Control Panel has been redesigned to the basics of what end users need to manage Windows 7. Like it or not, we're now down to personal preference when it comes to usability and ease of use.
Mac Crashes More. Fact is, my Windows 7 systems don't crash... ever. Those days of frequent Windows Explorer crashes went away when I installed the Windows 7 RC. My Mac now crashes more often (about once a month or so) than Windows 7, and my Mac isn't over laden with junk on it.
Flexibility and Lower Cost. Microsoft has updated its "PC hunter" commercials but they still show how easy it is to find a better value when buying a Windows PC over a Mac. You have to use some pretty convoluted math to come to the conclusion Macs don't cost more than PCs for the equivalent devices. If you buy a Mac it's going to be because you consciously have decided you want a Mac instead of a PC, you hate Microsoft, you prefer the Mac user interface, etc.
Performance. We may not have side-by-side Windows 7 and Mac OS X performance comparisons yet (I'm sure we will soon) but Windows 7 isn't the performance hog Vista was. The experience is great. Windows 7 tools are fast, applications don't freeze up waiting for resources, disk I/O performance is great, memory utilization is much more efficient. Startup, shutdown and sleep are fast. Outlook still has its issues with not responding but overall we're talking a speedy experience on Windows 7. Now add that to the fact that Windows has access to the latest hardware advances -- you can crack the core on the latest Intel i7 or other hardware advances.
Mac Security Is NOT Better Than Windows 7. Many still live with the myth that Mac OS X doesn't have any security issues while Windows does. That myth ignores the facts. For example, Apple just released 18 security patches (the smallest collection of patches this year) for Mac OS X on August 5th. Many try to argue that not all the fixes are for Mac OS X, but rather for other software that might be included with it. To compare apples-to-apples (pun intended) you have to stack up the software each vendor ships with their products, not selective parts of it. While it is true that Windows is still a much larger security target because of it's market share, it isn't true that the Mac doesn't have plenty of security issues of its own.
* Sponsored Resource:Improve your network with the right mix of features, performance and pricing.
* Sponsored Resource:Growing your business requires the right tools. Dell's networking servers can help.
* Sponsored Resource:Thinking about a new Laptop? Lenovo has models to meet everyone's needs.
* Sponsored Resource:Twitter: A how-to guide for using Twitter as a business tool.
* Sponsored Resource:Smartphone security threats are on the rise. Is it time to safegaurd your device?
For more information about enterprise networking, go to NetworkWorld. Story copyright 2008 Network World Inc. All rights reserved.
Mitchell Ashley, Network World
Aug 26, 2009 10:00 am
Microsoft: No TCP/IP patches for you, XP
- Microsoft late last week said it won't patch Windows XP for a pair of bugs it quashed Sept. 8 in Vista, Windows Server 2003 and Windows Server 2008.
The news adds Windows XP Service Pack 2 (SP2) and SP3 to the no-patch list that previously included only Windows 2000 Server SP4.
"We're talking about code that is 12 to 15 years old in its origin, so backporting that level of code is essentially not feasible," said security program manager Adrian Stone during Microsoft's monthly post-patch Webcast, referring to Windows 2000 and XP.
"An update for Windows XP will not be made available," Stone and fellow program manager Jerry Bryant said during the Q&A portion of the Webcast (transcript here).
Last Tuesday, Microsoft said that it wasn't patching Windows 2000 because creating a fix was "infeasible."
The bugs in question are in Windows' implementation of TCP/IP, the Web's default suite of connection protocols. All three of the vulnerabilities highlighted in the MS09-048 update were patched in Vista and Server 2008. Only two of the trio affect Windows Server 2000 and Windows XP, Microsoft said in the accompanying advisory, which was refreshed on Thursday.
In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability," the company said. "Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network."
Although the two bugs can be exploited on Windows 2000 and XP, Microsoft downplayed their impact. "A system would become unresponsive due to memory consumption ... [but] a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases."
Microsoft rated the vulnerabilities on Windows 2000 and XP as "important" on Windows 2000, and as "low" on XP. The company uses a four-step scoring system, where "low" is the least-dangerous threat, followed in ascending order by "moderate," "important" and "critical."
The same two bugs were ranked "moderate" for Vista and Server 2008, while a third -- which doesn't affect the older operating systems -- was rated "critical."
During the Q&A, however, Windows users repeatedly asked Microsoft's security team to explain why it wasn't patching XP, or if, in certain scenarios, their machines might be at risk. "We still use Windows XP and we do not use Windows Firewall," read one of the user questions. "We use a third-party vendor firewall product. Even assuming that we use the Windows Firewall, if there are services listening, such as remote desktop, wouldn't then Windows XP be vulnerable to this?"
"Servers are a more likely target for this attack, and your firewall should provide additional protections against external exploits," replied Stone and Bryant.
Another user asked them to spell out the conditions under which Microsoft won't offer up patches for still-supported operating systems. Windows Server 2000 SP4, for example, is to receive security updates until July 2010; Windows XP's support doesn't expire until April 2014.
Stone's and Bryant's answer: "We will continue to provide updates for Windows 2000 while it is in support unless it is not technically feasible to do so."
Skipping patches is very unusual for Microsoft. According to a Stone and Bryant, the last time it declined to patch a vulnerability in a support edition of Windows was in March 2003, when it said it wouldn't fix a bug in Windows NT 4.0. Then, it explained the omission with language very similar to what it used when it said it wouldn't update Windows 2000.
"Due to these fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability," Microsoft said at the time.
(Computerworld ; By Gregg Keizer)
The news adds Windows XP Service Pack 2 (SP2) and SP3 to the no-patch list that previously included only Windows 2000 Server SP4.
"We're talking about code that is 12 to 15 years old in its origin, so backporting that level of code is essentially not feasible," said security program manager Adrian Stone during Microsoft's monthly post-patch Webcast, referring to Windows 2000 and XP.
"An update for Windows XP will not be made available," Stone and fellow program manager Jerry Bryant said during the Q&A portion of the Webcast (transcript here).
Last Tuesday, Microsoft said that it wasn't patching Windows 2000 because creating a fix was "infeasible."
The bugs in question are in Windows' implementation of TCP/IP, the Web's default suite of connection protocols. All three of the vulnerabilities highlighted in the MS09-048 update were patched in Vista and Server 2008. Only two of the trio affect Windows Server 2000 and Windows XP, Microsoft said in the accompanying advisory, which was refreshed on Thursday.
In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability," the company said. "Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network."
Although the two bugs can be exploited on Windows 2000 and XP, Microsoft downplayed their impact. "A system would become unresponsive due to memory consumption ... [but] a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases."
Microsoft rated the vulnerabilities on Windows 2000 and XP as "important" on Windows 2000, and as "low" on XP. The company uses a four-step scoring system, where "low" is the least-dangerous threat, followed in ascending order by "moderate," "important" and "critical."
The same two bugs were ranked "moderate" for Vista and Server 2008, while a third -- which doesn't affect the older operating systems -- was rated "critical."
During the Q&A, however, Windows users repeatedly asked Microsoft's security team to explain why it wasn't patching XP, or if, in certain scenarios, their machines might be at risk. "We still use Windows XP and we do not use Windows Firewall," read one of the user questions. "We use a third-party vendor firewall product. Even assuming that we use the Windows Firewall, if there are services listening, such as remote desktop, wouldn't then Windows XP be vulnerable to this?"
"Servers are a more likely target for this attack, and your firewall should provide additional protections against external exploits," replied Stone and Bryant.
Another user asked them to spell out the conditions under which Microsoft won't offer up patches for still-supported operating systems. Windows Server 2000 SP4, for example, is to receive security updates until July 2010; Windows XP's support doesn't expire until April 2014.
Stone's and Bryant's answer: "We will continue to provide updates for Windows 2000 while it is in support unless it is not technically feasible to do so."
Skipping patches is very unusual for Microsoft. According to a Stone and Bryant, the last time it declined to patch a vulnerability in a support edition of Windows was in March 2003, when it said it wouldn't fix a bug in Windows NT 4.0. Then, it explained the omission with language very similar to what it used when it said it wouldn't update Windows 2000.
"Due to these fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability," Microsoft said at the time.
(Computerworld ; By Gregg Keizer)
Tuesday, April 7, 2009
Websense Unveils Its First Web Security Appliance
Websense is readying its first hardware appliance, which will run the vendor's Secure Web Gateway Software including anti-malware filtering, SSL traffic inspection, application controls, and threat protections for Web surfing.
View this product in a slideshow.
The V10000 Web Gateway Appliance "is the first appliance we've ever done," says Dave Meizlik, director of product marketing. For customers, a hardware-based platform can provide the opportunity to consolidate servers, since the Secure Web Gateway Software typically runs on more than one server, depending on components installed.
The V10000 appliance will include a Web-based management platform. Because the hardware appliance makes use of the Xen virtualization platform, it will be possible to add new functional security components in the future, Meizlik said.
The V10000 starts at US$16,000 and is expected to ship at the end of April.
Ellen Messmer, Network World
View this product in a slideshow.
The V10000 Web Gateway Appliance "is the first appliance we've ever done," says Dave Meizlik, director of product marketing. For customers, a hardware-based platform can provide the opportunity to consolidate servers, since the Secure Web Gateway Software typically runs on more than one server, depending on components installed.
The V10000 appliance will include a Web-based management platform. Because the hardware appliance makes use of the Xen virtualization platform, it will be possible to add new functional security components in the future, Meizlik said.
The V10000 starts at US$16,000 and is expected to ship at the end of April.
Ellen Messmer, Network World
Kaiser hospital cans 15 for peeking at octuplet mom's medical records
In the latest example of employee data-snooping, a Kaiser Permanente hospital located in a Los Angeles suburb has fired 15 workers and reprimanded eight others for improperly accessing the medical records of Nadya Suleman, the California woman who gave birth to octuplets in January.
The unauthorized accessing of Suleman's electronic records at the facility in Bellflower, Calif., violated a California law designed to safeguard the privacy of health care data, according to Kaiser spokesman Jim Anderson. He said the improper activities were discovered through increased network-monitoring procedures put in place by the hospital in connection with the birth of the octuplets.
Kaiser also conducted extra training to remind hospital employees of the need to keep patient data confidential, Anderson said.
The snooping incidents highlight the lack of adequate data-security controls at hospitals and other health care organizations, said Deborah Peel, who heads the Patient Privacy Rights Foundation in Austin.
Peel claimed that such privacy breaches occur on a broad scale because of the health care industry's continued reliance on "primitive" user-access controls. At large enterprises like Kaiser, she noted, thousands of workers may be able to access patient data, even if they don't need to do so.
In a similar case, the medical center at the University of California, Los Angeles, disclosed last April that as many as 165 doctors and other workers had improperly accessed the medical records of numerous celebrities over a 13-year period.
But such incidents aren't restricted to the health care industry. In January 2008, federal officials disclosed that U.S. Department of State employees and contractors had snooped in the electronic passport records of various politicians and celebrities, including then-Sen. Barack Obama's.
Jay Cline, president of Minnesota Privacy Consultants, thinks the "Facebook effect" is partly to blame. Users of social networks "have become used to poking through other people's profiles," Cline said, "and they see no ethical difference doing the same thing with employee and customer databases."
He added that IT and security managers need to make three things clear to employees: "Our systems are not Facebook. We're watching system usage closely. Use them for authorized purposes only, or you may be fired."
By Jaikumar Vijayan
Computerworld
The unauthorized accessing of Suleman's electronic records at the facility in Bellflower, Calif., violated a California law designed to safeguard the privacy of health care data, according to Kaiser spokesman Jim Anderson. He said the improper activities were discovered through increased network-monitoring procedures put in place by the hospital in connection with the birth of the octuplets.
Kaiser also conducted extra training to remind hospital employees of the need to keep patient data confidential, Anderson said.
The snooping incidents highlight the lack of adequate data-security controls at hospitals and other health care organizations, said Deborah Peel, who heads the Patient Privacy Rights Foundation in Austin.
Peel claimed that such privacy breaches occur on a broad scale because of the health care industry's continued reliance on "primitive" user-access controls. At large enterprises like Kaiser, she noted, thousands of workers may be able to access patient data, even if they don't need to do so.
In a similar case, the medical center at the University of California, Los Angeles, disclosed last April that as many as 165 doctors and other workers had improperly accessed the medical records of numerous celebrities over a 13-year period.
But such incidents aren't restricted to the health care industry. In January 2008, federal officials disclosed that U.S. Department of State employees and contractors had snooped in the electronic passport records of various politicians and celebrities, including then-Sen. Barack Obama's.
Jay Cline, president of Minnesota Privacy Consultants, thinks the "Facebook effect" is partly to blame. Users of social networks "have become used to poking through other people's profiles," Cline said, "and they see no ethical difference doing the same thing with employee and customer databases."
He added that IT and security managers need to make three things clear to employees: "Our systems are not Facebook. We're watching system usage closely. Use them for authorized purposes only, or you may be fired."
By Jaikumar Vijayan
Computerworld
Bill Seeks to Give Feds New Security Powers
Two U.S. senators last week proposed legislation that would give federal officials new powers to create and enforce data security standards for key parts of the private sector -- and even shut down systems in some cases.
The Cybersecurity Act of 2009 would empower the National Institute of Standards and Technology to set "measurable and auditable" security standards for all networks and systems run by federal agencies, government contractors and businesses that support critical infrastructure services.
NIST would also be charged with developing a standard for testing and accrediting software built by or for those groups. In addition, the bill would enable the president to order that critical infrastructure networks be disconnected in the event of cybersecurity emergencies or for reasons of national security.
The bill, which was introduced by Sens. Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine), doesn't specifically define what would qualify as a critical network or system.
But in a statement, Rockefeller cited a broad set of examples. "We must protect our critical infrastructure at all costs," he said. "From our water to our electricity, to banking, traffic lights and electronic health records -- the list goes on."
Snowe added that the public and private sectors "must unite on all fronts," and she warned of a possible "cyber-Katrina" if action isn't taken quickly.
The bill "loosely parallels" a set of cybersecurity recommendations released in December by an outside commission that was set up by the Washington-based Center for Strategic and International Studies, Snowe noted.
Another provision would require the development of a licensing and certification program for government and private-sector security professionals. Meanwhile, a companion bill calls for the addition of a national cybersecurity adviser within the Executive Office of the President.
But Brian Chess, chief scientist at security vendor Fortify Software Inc., isn't convinced that new regulations aimed at the private sector will improve data safeguards. "Security is an attitude," he said, "and it's hard to legislate attitude."
Jaikumar Vijayan, Computerworld
The Cybersecurity Act of 2009 would empower the National Institute of Standards and Technology to set "measurable and auditable" security standards for all networks and systems run by federal agencies, government contractors and businesses that support critical infrastructure services.
NIST would also be charged with developing a standard for testing and accrediting software built by or for those groups. In addition, the bill would enable the president to order that critical infrastructure networks be disconnected in the event of cybersecurity emergencies or for reasons of national security.
The bill, which was introduced by Sens. Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine), doesn't specifically define what would qualify as a critical network or system.
But in a statement, Rockefeller cited a broad set of examples. "We must protect our critical infrastructure at all costs," he said. "From our water to our electricity, to banking, traffic lights and electronic health records -- the list goes on."
Snowe added that the public and private sectors "must unite on all fronts," and she warned of a possible "cyber-Katrina" if action isn't taken quickly.
The bill "loosely parallels" a set of cybersecurity recommendations released in December by an outside commission that was set up by the Washington-based Center for Strategic and International Studies, Snowe noted.
Another provision would require the development of a licensing and certification program for government and private-sector security professionals. Meanwhile, a companion bill calls for the addition of a national cybersecurity adviser within the Executive Office of the President.
But Brian Chess, chief scientist at security vendor Fortify Software Inc., isn't convinced that new regulations aimed at the private sector will improve data safeguards. "Security is an attitude," he said, "and it's hard to legislate attitude."
Jaikumar Vijayan, Computerworld
AP takes aim at Web sites over unlicensed news content
The Associated Press, one of the world's largest news providers, plans to take legal action against Web portals and other sites that use its content without paying for a license, the organization said Monday.
The announcement comes amid tough times for the news industry, which has been hurt by the loss of advertising revenue to the Internet. The AP also blamed the theft of news content for some of the news industry's misfortune, one reason it will go after Internet sites that fail to pay for licenses.
"We can no longer stand by and watch others walk off with our work under misguided legal theories," said Dean Singleton, chairman of the AP, in a speech on Monday.
"We are mad as hell, and we are not going to take it any more," he added.
Hundreds of newspapers face closure within the next few years, many in the U.S.
The Tribune Co., for example, owner of the newspapers, including the Chicago Tribune, the Los Angeles Times, The Baltimore Sun and dozens of TV stations, filed for bankruptcy in December. Last month, The McClatchy Co., the third largest media company in the U.S. and owner of The Miami Herald and The Kansas City Star, announced another restructuring plan that will further reduce staff by 1,600 people this year.
Journalists at the Minneapolis Star Tribune on Sunday launched a Web site to save their newspaper.
The AP plans to develop a system to track online content to make sure it's being used legally. It will also set up new search engine pages that point users to "the most authoritative sources of breaking news," it said in a statement.
"AP and its member newspapers and broadcast associate members are the source of most of the news content being created in the world today," said Singleton. "We must be paid fully and fairly."
To help member news organizations through the recession, the AP announced further price reductions for its photos, video and written news content.
AP subscribers will see $30 million in savings in 2009 and another $35 million in savings in 2010 from reductions in fees. The AP has set up new plans for members to choose from, that offer a variety of discounts and packages, including national and local news as well as international events.
In the U.S., the reductions will reduce its revenues from U.S. newspapers by around a third between 2008 and 2010, AP said in a statement.
The AP, a nonprofit news organization, was founded by a group of U.S. newspapers in 1846 to provide news coverage. Today, the AP serves news organizations around the world from 243 bureaus in 97 countries, offering stories, videos and photos of news events.
Changes in subscriber plans as well as revenue losses from U.S. newspapers, will reduce AP revenue from U.S. newspapers to about $135 million in 2010, about 20% of AP's total revenue, and down from $210 million last year.
By Dan Nystedt
IDG News Service
The announcement comes amid tough times for the news industry, which has been hurt by the loss of advertising revenue to the Internet. The AP also blamed the theft of news content for some of the news industry's misfortune, one reason it will go after Internet sites that fail to pay for licenses.
"We can no longer stand by and watch others walk off with our work under misguided legal theories," said Dean Singleton, chairman of the AP, in a speech on Monday.
"We are mad as hell, and we are not going to take it any more," he added.
Hundreds of newspapers face closure within the next few years, many in the U.S.
The Tribune Co., for example, owner of the newspapers, including the Chicago Tribune, the Los Angeles Times, The Baltimore Sun and dozens of TV stations, filed for bankruptcy in December. Last month, The McClatchy Co., the third largest media company in the U.S. and owner of The Miami Herald and The Kansas City Star, announced another restructuring plan that will further reduce staff by 1,600 people this year.
Journalists at the Minneapolis Star Tribune on Sunday launched a Web site to save their newspaper.
The AP plans to develop a system to track online content to make sure it's being used legally. It will also set up new search engine pages that point users to "the most authoritative sources of breaking news," it said in a statement.
"AP and its member newspapers and broadcast associate members are the source of most of the news content being created in the world today," said Singleton. "We must be paid fully and fairly."
To help member news organizations through the recession, the AP announced further price reductions for its photos, video and written news content.
AP subscribers will see $30 million in savings in 2009 and another $35 million in savings in 2010 from reductions in fees. The AP has set up new plans for members to choose from, that offer a variety of discounts and packages, including national and local news as well as international events.
In the U.S., the reductions will reduce its revenues from U.S. newspapers by around a third between 2008 and 2010, AP said in a statement.
The AP, a nonprofit news organization, was founded by a group of U.S. newspapers in 1846 to provide news coverage. Today, the AP serves news organizations around the world from 243 bureaus in 97 countries, offering stories, videos and photos of news events.
Changes in subscriber plans as well as revenue losses from U.S. newspapers, will reduce AP revenue from U.S. newspapers to about $135 million in 2010, about 20% of AP's total revenue, and down from $210 million last year.
By Dan Nystedt
IDG News Service
Are You Infected? A Smart and Simple Test.
A common tactic used by malware is to block the infected computer from connecting to the Web sites of antivirus and security companies. Such blocks are meant to prevent you and your antivirus program from getting help in removing the infection.
The Conficker worm and many other types of malware take this step, and one good thing that came out of all the hype and drama surrounding last week's April 1 doomsday for Conficker was this little gem from the Conficker Working Group, an industry coalition formed to fight the worm.
The group's "Conficker Eye Chart" pulls images from three sites that Conficker is known to block and displays them in a box. Below the box is a guide to interpreting how you see the images -- if they all show up you're in good shape, but if one or more doesn't display it could indicate a Conficker (or other malware) infection.
It's a smart and near-instantaneous test that couldn't be any easier, but keep in mind that if your computer uses a proxy server for Web traffic, which can be the case in some companies, you might be infected and still be able to see the images.
pcworld
Erik Larkin
The Conficker worm and many other types of malware take this step, and one good thing that came out of all the hype and drama surrounding last week's April 1 doomsday for Conficker was this little gem from the Conficker Working Group, an industry coalition formed to fight the worm.
The group's "Conficker Eye Chart" pulls images from three sites that Conficker is known to block and displays them in a box. Below the box is a guide to interpreting how you see the images -- if they all show up you're in good shape, but if one or more doesn't display it could indicate a Conficker (or other malware) infection.
It's a smart and near-instantaneous test that couldn't be any easier, but keep in mind that if your computer uses a proxy server for Web traffic, which can be the case in some companies, you might be infected and still be able to see the images.
pcworld
Erik Larkin
Saturday, March 21, 2009
Microsoft proud of first 'post-Gates' OS, Ballmer says of Windows 7
Windows 7 is the first operating system that Microsoft Corp. has developed away from the watchful eye of Bill Gates, and the technical managers who are leading the development process have had to adjust to life without the company's co-founder and former chief software architect, CEO Steve Ballmer said Thursday.
"We have a lot of people who are stepping up and growing in new ways," Ballmer said, speaking at the McGraw-Hill 2009 Media Summit in New York. "There's no question about that. I'm growing in some new ways. Some of the senior technical guys are growing in new ways."
Windows 7, which is expected make its debut later this year, is a product of some of the changes that have taken place since Gates retired from Microsoft last year, and company officials are proud of the result, Ballmer said in an on-stage interview conducted by BusinessWeek editor in chief Steve Adler.
"It's a great piece of work," Ballmer said of the upcoming operating system. "And it's a piece of work that was driven by a team ... independent of Bill and his leadership. And I think we're all, you know, feeling pretty good about it. We've got to finish it. But I think it'll be a big, big deal."
Indeed, a beta release of Windows 7 that became available in January is receiving positive reviews from many early users. That contrasts with its predecessor, Windows Vista, which took more than five years for Microsoft to develop and has been criticized by many business users and consumers.
Without saying so explicitly, Ballmer hinted that he and other executives were limited in their ability to make certain technical decisions at Microsoft while Gates was there. Gates left his day-to-day duties at Microsoft last July to work full time at the Bill and Melinda Gates Foundation, the philanthropic organization he formed with his wife. His former duties at Microsoft are now being split by Ray Ozzie, who replaced Gates as chief software architect, and Craig Mundie, who is the company's chief research and strategy officer.
Ballmer said the "No. 1 thing" that has changed at the company is the way he, Ozzie and Mundie interact as a team to make technology decisions. "The way the three of us accomplish, let me call it the job at the center of technology leadership, is certainly different than the way Bill did," he said.
Gates had more of the final say himself in technical decisions, according to Ballmer. "He was the founder," Ballmer said. "I might have been the CEO, but he was 'the Bill.' He actually didn't give orders much, but if he thought something should be done, you knew life would be intense if you didn't agree."
Even so, Ballmer added that given the choice, he and his colleagues would be happy to have Gates back.
"We miss Bill," he said. "I mean, if you gave sort of the average senior technical person at Microsoft a vote, 'Bill back, Bill not back,' they'd probably say, 'Yeah, it'd be great to have Bill back.' On the other hand, Bill's doing something important that everybody values, and I think everybody relishes the opportunity to grow and take more responsibility."
Ballmer declined to comment on when Windows 7 would be available, saying only that the company would release it "when it's ready." The official word from Microsoft is that Windows 7 will ship three years after Vista, which was released to business customers in November 2006 and the general public in January 2007.
By Elizabeth Montalbano
IDG News Service
"We have a lot of people who are stepping up and growing in new ways," Ballmer said, speaking at the McGraw-Hill 2009 Media Summit in New York. "There's no question about that. I'm growing in some new ways. Some of the senior technical guys are growing in new ways."
Windows 7, which is expected make its debut later this year, is a product of some of the changes that have taken place since Gates retired from Microsoft last year, and company officials are proud of the result, Ballmer said in an on-stage interview conducted by BusinessWeek editor in chief Steve Adler.
"It's a great piece of work," Ballmer said of the upcoming operating system. "And it's a piece of work that was driven by a team ... independent of Bill and his leadership. And I think we're all, you know, feeling pretty good about it. We've got to finish it. But I think it'll be a big, big deal."
Indeed, a beta release of Windows 7 that became available in January is receiving positive reviews from many early users. That contrasts with its predecessor, Windows Vista, which took more than five years for Microsoft to develop and has been criticized by many business users and consumers.
Without saying so explicitly, Ballmer hinted that he and other executives were limited in their ability to make certain technical decisions at Microsoft while Gates was there. Gates left his day-to-day duties at Microsoft last July to work full time at the Bill and Melinda Gates Foundation, the philanthropic organization he formed with his wife. His former duties at Microsoft are now being split by Ray Ozzie, who replaced Gates as chief software architect, and Craig Mundie, who is the company's chief research and strategy officer.
Ballmer said the "No. 1 thing" that has changed at the company is the way he, Ozzie and Mundie interact as a team to make technology decisions. "The way the three of us accomplish, let me call it the job at the center of technology leadership, is certainly different than the way Bill did," he said.
Gates had more of the final say himself in technical decisions, according to Ballmer. "He was the founder," Ballmer said. "I might have been the CEO, but he was 'the Bill.' He actually didn't give orders much, but if he thought something should be done, you knew life would be intense if you didn't agree."
Even so, Ballmer added that given the choice, he and his colleagues would be happy to have Gates back.
"We miss Bill," he said. "I mean, if you gave sort of the average senior technical person at Microsoft a vote, 'Bill back, Bill not back,' they'd probably say, 'Yeah, it'd be great to have Bill back.' On the other hand, Bill's doing something important that everybody values, and I think everybody relishes the opportunity to grow and take more responsibility."
Ballmer declined to comment on when Windows 7 would be available, saying only that the company would release it "when it's ready." The official word from Microsoft is that Windows 7 will ship three years after Vista, which was released to business customers in November 2006 and the general public in January 2007.
By Elizabeth Montalbano
IDG News Service
Researcher Cracks Mac in 10 Seconds
Charlie Miller, the security researcher who hacked a Mac in two minutes last year at CanSecWest's PWN2OWN contest, improved his time Wednesday by breaking into another Mac in under 10 seconds.
Miller, a principal analyst at Independent Security Evaluators LLC, walked off with a $5,000 cash prize and the MacBook he hacked.
"I can't talk about the details of the vulnerability, but it was a Mac, fully patched, with Safari, fully patched," said Miller Wednesday not long after he had won the prize. "It probably took 5 or 10 seconds." He confirmed that he had researched and written the exploit before he arrived at the challenge.
The PWN2OWN rules stated that the researcher could provide a URL that hosted his or her exploit, replicating the common hacker tactic of enticing users to malicious sites where they are infected with malware. "I gave them the link, they clicked on it, and that was it," said Miller. "I did a few things to show that I had full control of the Mac."
Two weeks ago, Miller predicted that Safari running on the Mac would be the first to fall.
PWN2OWN's sponsor, 3Com Inc.'s TippingPoint unit, paid Miller the $5,000 for the rights to the vulnerability he exploited and the exploit code he used. As it has at past challenges, it reported the vulnerability to on-site Apple representatives. "Apple has it, and they're working on it," added Miller.
According to Terri Forslof, the manager of security response at TippingPoint, another researcher later broke into a Sony laptop that was running Windows 7 by exploiting a vulnerability in Internet Explorer 8. "Safari and IE both went down," she said in an e-mail.
TippingPoint's Twitter feed added a bit more detail to Forslof's quick message: "nils just won the sony viao with a brilliant IE8 bug!"
Forslof was not immediately available to answer questions about the IE8 exploit.
TippingPoint will continue the PWN2OWN contest through Friday, and will pay $5,000 for each additional bug successfully exploited in Apple Inc.'s Safari, Microsoft Corp.'s Internet Explorer 8, Mozilla Corp.'s Firefox or Google Inc.'s Chrome. During the contest, IE8, Firefox and Chrome will be available on the Sony, while Safari and Firefox will be running on the MacBook. The researcher who exploited IE8 will, like Miller, be awarded not only the cash, but also the laptop.
"It was great," said Miller when asked how it felt to successfully defend his title. "But I was really nervous for some reason this time. Maybe it was because there were more people around. Lucky [the exploit] was idiot-proof, because if I had had to think about it, I don't know if I'd had anything."
This year's PWN2OWN also features a mobile operating system contest that will award a $10,000 cash prize for every vulnerability successfully exploited in five smartphone operating systems: Windows Mobile, Google's Android, Symbian, and the operating systems used by the iPhone and BlackBerry.
Miller said he won't enter the mobile contest. "I can't break them," said Miller, who was one of the first researchers to demonstrate an attack on the iPhone in 2007, and last year was the first to reveal a flaw in Android. "I don't have anything for the iPhone, and I don't know enough about Google."
CanSecWest, which opened Monday, runs through Friday in Vancouver, British Columbia.
Gregg Keizer, Computerworld
Miller, a principal analyst at Independent Security Evaluators LLC, walked off with a $5,000 cash prize and the MacBook he hacked.
"I can't talk about the details of the vulnerability, but it was a Mac, fully patched, with Safari, fully patched," said Miller Wednesday not long after he had won the prize. "It probably took 5 or 10 seconds." He confirmed that he had researched and written the exploit before he arrived at the challenge.
The PWN2OWN rules stated that the researcher could provide a URL that hosted his or her exploit, replicating the common hacker tactic of enticing users to malicious sites where they are infected with malware. "I gave them the link, they clicked on it, and that was it," said Miller. "I did a few things to show that I had full control of the Mac."
Two weeks ago, Miller predicted that Safari running on the Mac would be the first to fall.
PWN2OWN's sponsor, 3Com Inc.'s TippingPoint unit, paid Miller the $5,000 for the rights to the vulnerability he exploited and the exploit code he used. As it has at past challenges, it reported the vulnerability to on-site Apple representatives. "Apple has it, and they're working on it," added Miller.
According to Terri Forslof, the manager of security response at TippingPoint, another researcher later broke into a Sony laptop that was running Windows 7 by exploiting a vulnerability in Internet Explorer 8. "Safari and IE both went down," she said in an e-mail.
TippingPoint's Twitter feed added a bit more detail to Forslof's quick message: "nils just won the sony viao with a brilliant IE8 bug!"
Forslof was not immediately available to answer questions about the IE8 exploit.
TippingPoint will continue the PWN2OWN contest through Friday, and will pay $5,000 for each additional bug successfully exploited in Apple Inc.'s Safari, Microsoft Corp.'s Internet Explorer 8, Mozilla Corp.'s Firefox or Google Inc.'s Chrome. During the contest, IE8, Firefox and Chrome will be available on the Sony, while Safari and Firefox will be running on the MacBook. The researcher who exploited IE8 will, like Miller, be awarded not only the cash, but also the laptop.
"It was great," said Miller when asked how it felt to successfully defend his title. "But I was really nervous for some reason this time. Maybe it was because there were more people around. Lucky [the exploit] was idiot-proof, because if I had had to think about it, I don't know if I'd had anything."
This year's PWN2OWN also features a mobile operating system contest that will award a $10,000 cash prize for every vulnerability successfully exploited in five smartphone operating systems: Windows Mobile, Google's Android, Symbian, and the operating systems used by the iPhone and BlackBerry.
Miller said he won't enter the mobile contest. "I can't break them," said Miller, who was one of the first researchers to demonstrate an attack on the iPhone in 2007, and last year was the first to reveal a flaw in Android. "I don't have anything for the iPhone, and I don't know enough about Google."
CanSecWest, which opened Monday, runs through Friday in Vancouver, British Columbia.
Gregg Keizer, Computerworld
Ten Facebook Tips For Power Users
So you signed up for Facebook, added friends and photos, joined a few groups, and updated your profile status. But now what? Isn't there more to Facebook? There is.
Here are ten tips to tweak your profile and get more out of Facebook. These tips go beyond the typical and include ways to stay better connected to your friends and look good doing it. To compile this list I searched high and low and even called on Facebook for the best tips. Most are easy to do and all will add some Facebook pizzazz to your profile.
Tip One
Dig up demographic dirt on your friends with Socialistics : If you want to know the demographic breakdown on your Facebook universe of friends, this application does a nice job at breaking it down. Socialistics can show you information about your friends' ages, the languages they speak, their country of origin, and lots of other interesting information all within Facebook.
Socialistics data does not show up on your profile pages and you are not able to share Socialistics information with your Facebook Friends through your wall. However, if you want to take a look at the trends for your personal network, then add Socialistics to your profile and you can access it privately.
Tip Two
Power search tips : Just like Google and other search engines, Facebook has some built-in power search tools and terms to help you find people. Want to search your Facebook network or friends list, but you want to narrow the results to fall within an age range? Just enter a term using the "name," "y1" and "y2" search filters. For example, I wanted to find my buddy Colin from college, but I can’t remember how old he is. To find him I just entered in “name: Colin Bauer y1: 25 y2: 40” and voila! The search string asked Facebook to look for people named Colin Bauer between the ages of 25 and 40.
You can also use two search terms at once by dividing the terms with the "pipe character" (|) (the pipe is found on the same key as the backslash).
If you want people to easily find you when they search, fill out your profile as much as you can. That way your profile interests -- music, books, movies and so on -- will move you closer to the top of Facebook search results for those keywords. Check out Facebook's help page for more handy search terms.
Tip Three
Integrate Facebook information with Gmail : The Firefox add-on called Xoopit is designed to streamline browsing and sharing of files, photos, and videos with friends on other social networks via Google's Gmail service. One of Xoopit's handy features (seldom touted) let's you see who among your e-mail contacts is signed on to Facebook and displays their profile photos, status updates. The Xoopit add-on also lets you update your status inside Gmail via a nifty little Xoopit box that integrates into the Gmail interface.
Here is a Xoopit video that walks you through how it works.
Tip Four
Personalize your Facebook URL : SocialToo allows you to create a custom domain for your Facebook profile page such as username.socialtoo.com. This allows you to share your Facebook site with other people without requiring them to search for you on Facebook to find your profile. Granted, you might have to explain to your friends that even though Facebook.com isn't in the Web address it's still takes you to your Facebook page. The domain is much easier to remember than an eight-digit profile ID.
Signing up with SocialToo is quick and free. You can set up your Facebook settings under “preferences” on SocialToo’s Website. Just remember to choose your SocialToo username wisely.
Another way to create a custom domain for your Facebook page is go to your Profile page in facebook and copy the Web address that appears in your browsers address bar. Then head over to Tiny.cc. Now paste your Facebook profile Web address in the Tiny.cc's "Enter a long URL you want to make tiny" form field. And directly to the right you'll see a Custom option. Here you can create a custom URL that follows the convention http://tiny.cc/username.
Tip Five
Hack your profile photo : Want to juice up your profile photo? Check out AllFacebook.com's "5 Creative Ways To Hack Your Facebook Profile Photo." You'll learn how to maximize your picture size to 200 pixels wide by 600 pixels high, and how to create some neat effects like making it look like you're hanging off your profile Wall.
In my tests, the specifications for this effect took some carefull tweaking but the payoff was worth it. If you're handy with a photo editor this will be easy for you. If you don’t have Photoshop, you're going to need to get yourself a photo editing program to take advantage of this hack. There are pleany of good free photo editing programs to get the job done such as such as Paint.Net or Photoshop Express (online). You'll find more free photo editing software at PC World's Download section.
Tip Six
Put Facebook Chat in your browser sidebar: Is Facebook your main IM tool? You can place it in your browser's sidebar. For my tests I used Firefox, but this also works in Opera. In Firefox just go to Bookmarks -> Organize Bookmarks and click on Bookmarks Toolbar. Select New Bookmark, and name it Facebook Chat. Then paste in this URL: http://www.facebook.com/presence/popout.php. Make sure you've selected "Load this bookmark in the sidebar" and hit Save. Now you're ready to go. Sorry IE fans -- this is not for you; however, you can paste the URL into a new browser tab if you like.
Tip Seven
Get back the old Facebook look (more or less): Ever feel constrained by the Facebook layout and look? You can actually change the look of your Facebook page with some tinkering and a little help from a tool called Greasemonkey that allows you to use Java Scripts to change the Facebook look. The only catch is the new look is something only you can see -- your Facebook friends see the same old Facebook page. Once you’ve added Greasemonkey to Facebook, visit Greasemonkey’s companion site UserScripts.org and browse dozens of layout options for your Facebook page. Click "install" on the new Facebook layout you want and let Greasemonkey take care of the rest.
A word of warning: Before you go nuts downloading Facebook layouts like crazy be carefull. Greasmonkey scripts for changing your Facebook layout use JavaScript. JavaScripts can be malicious and harm your PC if created by a sloppy or crooked coder. Scripts on UserScripts.org can be submitted by anyone and are not reviewed by Greasemonkey. Before you download a new Facebook layout check out the user reviews and exercise caution before installing.
That being said, here are a few of my favorites:
Remove Facebook Clutter: This is a close approximation of Facebook's previous look and feel. This hides the filters on the left side of the "stream" and the "highlights" section, and takes away the rounded corners on profile photos.
Facebook Color Changer: Pick a color scheme and change your FB colors. This script used to let you change the Facebook icon on the top left of the screen as well, and the developer promises this feature will be back.
Facebook Twitter Style: Have you heard how Twitter supposedly inspires Facebook’s new look and feel? Why not take this concept to its logical conclusion and view your Facebook homepage as if it really were Twitter?
Tip Eight
Upload mobile photos or videos straight to your profile: Just took a great picture or video with your cell phone and want to post it on your profile right away? Set up your profile settings to allow mobile uploads.
Go to the Mobile tab under your Facebook account tab and set up your phone to send photos to your Facebook page directly from you mobile phone. A word of caution if you set up Facebook to do this.Take heed of your Facebook mobile settings and adjust them properly.
When Facebook Mobile is activated you also let Facebook send text messages to your phone for those sending you friend requests, e-mail messages, wall posts, and status updates. That could become an astonishing text message bill if you’re not careful. This feature is only available in the U.S., Canada, and the U.K.
Tip Nine
Tweet your status : This is one of my personal favorites. Adding the Twitter Facebook application to your Facebook profile gives you the option to turn your Tweets into your Facebook status updates. Not only that, but Twitter is smart enough filter out @replies so that personal messages don’t end up on your profile.
Tip Ten
Use these third-party apps: There are many Facebook third-party apps that help you keep tabs on your Facebook friends. Some are barebones, while others give you more in-depth information. Here are the ones I like the best that will give you the biggest bang for your buck (actually they are all free).
Digsby (Windows Only): Digsby is a nifty little Facebook app that sits in your PC's system tray and can pull in Facebook Chat and other IM accounts, e-mail alerts and Facebook updates from your network of friends.
Facebook Desktop Client (Windows Only): Delivers notifications like friend requests, wall posts, view messages and get status updates.
MyFacebook (Vista): This widget adds your Facebook information right on your Windows Vista desktop sidebar. With this little app you can, “change your status, see your friends’ statuses, groups, notifications, albums and events.
Facebook Dashboard Widget (Mac): Similar to Windows Facebook Desktop, this widget will notify you of friend requests, messages, pokes and group and event invites.
Facebook Exporter for iPhoto (Mac): If you don’t plan on buying iLife ’09, but loved the idea of posting photos directly from iPhoto then this plugin is for you. Pick or create a new album, tag your friends and add captions right from iPhoto and then send your work straight to your Facebook profile.
So that's my ten Facebook power tips to take your Facebook time wasting to the next level. Try them out and me know what you think. And if you've got other tips post them in the comment field and share.
Ian Paul, PC World
Here are ten tips to tweak your profile and get more out of Facebook. These tips go beyond the typical and include ways to stay better connected to your friends and look good doing it. To compile this list I searched high and low and even called on Facebook for the best tips. Most are easy to do and all will add some Facebook pizzazz to your profile.
Tip One
Dig up demographic dirt on your friends with Socialistics : If you want to know the demographic breakdown on your Facebook universe of friends, this application does a nice job at breaking it down. Socialistics can show you information about your friends' ages, the languages they speak, their country of origin, and lots of other interesting information all within Facebook.
Socialistics data does not show up on your profile pages and you are not able to share Socialistics information with your Facebook Friends through your wall. However, if you want to take a look at the trends for your personal network, then add Socialistics to your profile and you can access it privately.
Tip Two
Power search tips : Just like Google and other search engines, Facebook has some built-in power search tools and terms to help you find people. Want to search your Facebook network or friends list, but you want to narrow the results to fall within an age range? Just enter a term using the "name," "y1" and "y2" search filters. For example, I wanted to find my buddy Colin from college, but I can’t remember how old he is. To find him I just entered in “name: Colin Bauer y1: 25 y2: 40” and voila! The search string asked Facebook to look for people named Colin Bauer between the ages of 25 and 40.
You can also use two search terms at once by dividing the terms with the "pipe character" (|) (the pipe is found on the same key as the backslash).
If you want people to easily find you when they search, fill out your profile as much as you can. That way your profile interests -- music, books, movies and so on -- will move you closer to the top of Facebook search results for those keywords. Check out Facebook's help page for more handy search terms.
Tip Three
Integrate Facebook information with Gmail : The Firefox add-on called Xoopit is designed to streamline browsing and sharing of files, photos, and videos with friends on other social networks via Google's Gmail service. One of Xoopit's handy features (seldom touted) let's you see who among your e-mail contacts is signed on to Facebook and displays their profile photos, status updates. The Xoopit add-on also lets you update your status inside Gmail via a nifty little Xoopit box that integrates into the Gmail interface.
Here is a Xoopit video that walks you through how it works.
Tip Four
Personalize your Facebook URL : SocialToo allows you to create a custom domain for your Facebook profile page such as username.socialtoo.com. This allows you to share your Facebook site with other people without requiring them to search for you on Facebook to find your profile. Granted, you might have to explain to your friends that even though Facebook.com isn't in the Web address it's still takes you to your Facebook page. The domain is much easier to remember than an eight-digit profile ID.
Signing up with SocialToo is quick and free. You can set up your Facebook settings under “preferences” on SocialToo’s Website. Just remember to choose your SocialToo username wisely.
Another way to create a custom domain for your Facebook page is go to your Profile page in facebook and copy the Web address that appears in your browsers address bar. Then head over to Tiny.cc. Now paste your Facebook profile Web address in the Tiny.cc's "Enter a long URL you want to make tiny" form field. And directly to the right you'll see a Custom option. Here you can create a custom URL that follows the convention http://tiny.cc/username.
Tip Five
Hack your profile photo : Want to juice up your profile photo? Check out AllFacebook.com's "5 Creative Ways To Hack Your Facebook Profile Photo." You'll learn how to maximize your picture size to 200 pixels wide by 600 pixels high, and how to create some neat effects like making it look like you're hanging off your profile Wall.
In my tests, the specifications for this effect took some carefull tweaking but the payoff was worth it. If you're handy with a photo editor this will be easy for you. If you don’t have Photoshop, you're going to need to get yourself a photo editing program to take advantage of this hack. There are pleany of good free photo editing programs to get the job done such as such as Paint.Net or Photoshop Express (online). You'll find more free photo editing software at PC World's Download section.
Tip Six
Put Facebook Chat in your browser sidebar: Is Facebook your main IM tool? You can place it in your browser's sidebar. For my tests I used Firefox, but this also works in Opera. In Firefox just go to Bookmarks -> Organize Bookmarks and click on Bookmarks Toolbar. Select New Bookmark, and name it Facebook Chat. Then paste in this URL: http://www.facebook.com/presence/popout.php. Make sure you've selected "Load this bookmark in the sidebar" and hit Save. Now you're ready to go. Sorry IE fans -- this is not for you; however, you can paste the URL into a new browser tab if you like.
Tip Seven
Get back the old Facebook look (more or less): Ever feel constrained by the Facebook layout and look? You can actually change the look of your Facebook page with some tinkering and a little help from a tool called Greasemonkey that allows you to use Java Scripts to change the Facebook look. The only catch is the new look is something only you can see -- your Facebook friends see the same old Facebook page. Once you’ve added Greasemonkey to Facebook, visit Greasemonkey’s companion site UserScripts.org and browse dozens of layout options for your Facebook page. Click "install" on the new Facebook layout you want and let Greasemonkey take care of the rest.
A word of warning: Before you go nuts downloading Facebook layouts like crazy be carefull. Greasmonkey scripts for changing your Facebook layout use JavaScript. JavaScripts can be malicious and harm your PC if created by a sloppy or crooked coder. Scripts on UserScripts.org can be submitted by anyone and are not reviewed by Greasemonkey. Before you download a new Facebook layout check out the user reviews and exercise caution before installing.
That being said, here are a few of my favorites:
Remove Facebook Clutter: This is a close approximation of Facebook's previous look and feel. This hides the filters on the left side of the "stream" and the "highlights" section, and takes away the rounded corners on profile photos.
Facebook Color Changer: Pick a color scheme and change your FB colors. This script used to let you change the Facebook icon on the top left of the screen as well, and the developer promises this feature will be back.
Facebook Twitter Style: Have you heard how Twitter supposedly inspires Facebook’s new look and feel? Why not take this concept to its logical conclusion and view your Facebook homepage as if it really were Twitter?
Tip Eight
Upload mobile photos or videos straight to your profile: Just took a great picture or video with your cell phone and want to post it on your profile right away? Set up your profile settings to allow mobile uploads.
Go to the Mobile tab under your Facebook account tab and set up your phone to send photos to your Facebook page directly from you mobile phone. A word of caution if you set up Facebook to do this.Take heed of your Facebook mobile settings and adjust them properly.
When Facebook Mobile is activated you also let Facebook send text messages to your phone for those sending you friend requests, e-mail messages, wall posts, and status updates. That could become an astonishing text message bill if you’re not careful. This feature is only available in the U.S., Canada, and the U.K.
Tip Nine
Tweet your status : This is one of my personal favorites. Adding the Twitter Facebook application to your Facebook profile gives you the option to turn your Tweets into your Facebook status updates. Not only that, but Twitter is smart enough filter out @replies so that personal messages don’t end up on your profile.
Tip Ten
Use these third-party apps: There are many Facebook third-party apps that help you keep tabs on your Facebook friends. Some are barebones, while others give you more in-depth information. Here are the ones I like the best that will give you the biggest bang for your buck (actually they are all free).
Digsby (Windows Only): Digsby is a nifty little Facebook app that sits in your PC's system tray and can pull in Facebook Chat and other IM accounts, e-mail alerts and Facebook updates from your network of friends.
Facebook Desktop Client (Windows Only): Delivers notifications like friend requests, wall posts, view messages and get status updates.
MyFacebook (Vista): This widget adds your Facebook information right on your Windows Vista desktop sidebar. With this little app you can, “change your status, see your friends’ statuses, groups, notifications, albums and events.
Facebook Dashboard Widget (Mac): Similar to Windows Facebook Desktop, this widget will notify you of friend requests, messages, pokes and group and event invites.
Facebook Exporter for iPhoto (Mac): If you don’t plan on buying iLife ’09, but loved the idea of posting photos directly from iPhoto then this plugin is for you. Pick or create a new album, tag your friends and add captions right from iPhoto and then send your work straight to your Facebook profile.
So that's my ten Facebook power tips to take your Facebook time wasting to the next level. Try them out and me know what you think. And if you've got other tips post them in the comment field and share.
Ian Paul, PC World
Sunday, March 15, 2009
Fast Wi-Fi seen as an academics tool for aging Mo. school district
Public schools in Raytown, Mo., have turned to high-speed Wi-Fi to help boost academic performance for students sharing laptops.
The district serves about 8,000 students, nearly half of them on school lunch assistance, in an aging suburb nearly surrounded by Kansas City, Mo., said Justin Watermann, technology coordinator for the public schools. About 1,500 laptops are used for a variety of subjects, including math, and are often shared by students and transported to classrooms via rolling computer carts where they connect to the Internet via Wi-Fi.
The transition to faster 802.11n-based Wi-Fi from Aruba Networks Inc. has taken place in the past four months, partly as a result of replacing Wi-Fi equipment from Meru Networks that was connected to Foundry switches. The older Wi-Fi access points and infrastructure, installed only a year ago, weren't delivering consistent connections -- especially near homes with Wi-Fi and businesses with radio dishes that created network interference, he said.
"After a year of trying, we were still having problems finding good coverage," Watermann said in a recent interview. To make the older Wi-Fi network coverage work properly with about 150 access points (APs), the district would have needed to buy an expensive second Wi-Fi controller. That's what prompted Watermann and integrator CDW Government Inc. (CDWG) to switch to Aruba hardware.
For less than $400,000, the district has been able to install about 250 Aruba APs and related infrastructure for 22 buildings serving elementary through high school students. CDWG was able to recoup some costs from the older Foundry technology through a competitive upgrade, he said.
Watermann said he researched several Wi-Fi products and found that Aruba's Adaptive Radio Management technology was useful in adjusting channels and power levels to mitigate the interference experienced on the older system. "When we picked Aruba, we said that if we make this change, it really has to work. And it worked instantly," he said.
A feature in the Aruba technology allows Watermann to import floor plans and maps of buildings to show where APs are located, allowing him to adjust Wi-Fi signal patterns. Another plus from the transition has been the improved signal strength 802.11n offers.
Part of the instigation for the Wi-Fi transition came from a school principal whose office was in the same building as Watermann, he said. She complained whenever the older system failed, noting that the district's academic objectives relied on effective wireless connections to laptops running academic programs, Watermann said.
"Because she was in our building, she would say, 'OK, we've paid for the software and the laptops, and we have the kids sitting in class unable to learn.' She was polite, but very insistent," Watermann recalled.
The district's investment in laptops and wireless networking is designed to help improve math scores and other academic benchmarks, Watermann noted. "If the laptops were just for casual Web browsing, that would be one thing. But we have run a budget deficit this year and still have computer labs and math coaches who are working off a grant to improve math scores. ... We have the Carnegie math program on Mac laptops and incentives under No Child Left Behind for doing more assessments and testing. It became critical to have a good wireless network."
Watermann said he and other school officials view the 802.11n network as "one more education tool. The staffers think it is essential."
While he said the upgrades are "pretty advanced" for a public school district of Raytown's size, he also said the district faces financial challenges and has to make every dollar count. "When I meet with technology vendors, I tell them I have a very limited budget, this is what I'm looking for and it's got to work and be a good value."
By Matt Hamblen
Computerworld
Microsoft: IE8 faster than Firefox, Chrome
Microsoft Corp. said this week that its own speed tests prove Internet Explorer 8 (IE8) is faster than either Firefox or Chrome.
In a report released Wednesday, Microsoft spelled out how it tests browsers in-house, and again stressed that it doesn't buy the idea that benchmarks -- such as those that score JavaScript performance -- accurately compare the players.
"These benchmarks necessarily characterize only a narrow set of the browser functions in a very constrained way," Microsoft's report said. "End users, however, do not operate in a controlled environment."
Microsoft's tests pitted IE8 Release Candidate 1 (RC1), which launched in late January, against Google Inc.'s Chrome 1.0 and Mozilla Corp.'s Firefox 3.0.5, a version from mid-December. The company timed how long it took each browser to completely render the 25 most popular destinations on the Web, as ranked by the Web metrics firm comScore Inc., which included google.com, facebook.com, amazon.com and others.
IE8 was fastest in rendering 12 of the 25 sites, said Microsoft, while Chrome took second by beating the others on nine sites. Firefox, meanwhile, was a distant third, coming in first on just four of the 25 domains.
Microsoft did not test other browsers, such as Apple Inc.'s Safari or Opera Software ASA's Opera, said James Pratt, a senior product manager on the IE development team, because it wanted to focus on rivals that "had a good share on the Windows platform."
Both Opera and Safari for Windows have shares of less than 1%, according to the most recent data from Net Applications Inc., with the former, on all platforms, accounting for 0.7% and the latter just 0.3%.
Nor did Microsoft put IE8 in the ring with later versions of Chrome and Firefox. Chrome, for instance, is currently at 2.0.169.1 as a developer-only build, while Firefox just rolled out 3.1 Beta 2. Both browsers boast better performance, specifically faster JavaScript rendering.
"IE8 RC1 is a release candidate, and was very close to being done," explained Pratt when asked why newer versions of Chrome and Firefox had not been used. "But Google and Mozilla were still actively working on [those newer browsers], and they weren't super stable."
JavaScript benchmarks have become a point of dispute between Microsoft and its rivals. While Mozilla, Google, Apple and Opera have all updated their JavaScript engines in the last eight months, and have then trumpeted scores in JavaScript test suites like SunSpider, Microsoft executives have dismissed the bragging as so much noise.
Dean Hachamovitch, IE's general manager, has called claims of competitors a "drag race" that Microsoft isn't interested in joining, while Pratt has downplayed comparisons of any kind. "We're at the point, with what people do in the browser, that users can't really tell the difference between browser [performance]," he said in a January interview.
Pratt said that the just-released report backed that up. "As you can see from the scores, the differences between the browsers are actually very small," he said.
When Computerworld last tested the major browsers' JavaScript performance, immediately after the release of the public beta of Safari 4, IE8 ranked last.
Although Google did not respond to a request for comment on Microsoft's benchmarks, Mozilla's Mike Shaver, who heads all development at the company, applauded any attempt to boost IE's performance. "I don't think anyone here has had a chance to really look at their methodology yet or tried to reproduce their results, but to whatever extent Microsoft is working to improve the performance of IE, it's a good thing for the Web," said Shaver in an e-mail late Thursday.
By Gregg Keizer
In a report released Wednesday, Microsoft spelled out how it tests browsers in-house, and again stressed that it doesn't buy the idea that benchmarks -- such as those that score JavaScript performance -- accurately compare the players.
"These benchmarks necessarily characterize only a narrow set of the browser functions in a very constrained way," Microsoft's report said. "End users, however, do not operate in a controlled environment."
Microsoft's tests pitted IE8 Release Candidate 1 (RC1), which launched in late January, against Google Inc.'s Chrome 1.0 and Mozilla Corp.'s Firefox 3.0.5, a version from mid-December. The company timed how long it took each browser to completely render the 25 most popular destinations on the Web, as ranked by the Web metrics firm comScore Inc., which included google.com, facebook.com, amazon.com and others.
IE8 was fastest in rendering 12 of the 25 sites, said Microsoft, while Chrome took second by beating the others on nine sites. Firefox, meanwhile, was a distant third, coming in first on just four of the 25 domains.
Microsoft did not test other browsers, such as Apple Inc.'s Safari or Opera Software ASA's Opera, said James Pratt, a senior product manager on the IE development team, because it wanted to focus on rivals that "had a good share on the Windows platform."
Both Opera and Safari for Windows have shares of less than 1%, according to the most recent data from Net Applications Inc., with the former, on all platforms, accounting for 0.7% and the latter just 0.3%.
Nor did Microsoft put IE8 in the ring with later versions of Chrome and Firefox. Chrome, for instance, is currently at 2.0.169.1 as a developer-only build, while Firefox just rolled out 3.1 Beta 2. Both browsers boast better performance, specifically faster JavaScript rendering.
"IE8 RC1 is a release candidate, and was very close to being done," explained Pratt when asked why newer versions of Chrome and Firefox had not been used. "But Google and Mozilla were still actively working on [those newer browsers], and they weren't super stable."
JavaScript benchmarks have become a point of dispute between Microsoft and its rivals. While Mozilla, Google, Apple and Opera have all updated their JavaScript engines in the last eight months, and have then trumpeted scores in JavaScript test suites like SunSpider, Microsoft executives have dismissed the bragging as so much noise.
Dean Hachamovitch, IE's general manager, has called claims of competitors a "drag race" that Microsoft isn't interested in joining, while Pratt has downplayed comparisons of any kind. "We're at the point, with what people do in the browser, that users can't really tell the difference between browser [performance]," he said in a January interview.
Pratt said that the just-released report backed that up. "As you can see from the scores, the differences between the browsers are actually very small," he said.
When Computerworld last tested the major browsers' JavaScript performance, immediately after the release of the public beta of Safari 4, IE8 ranked last.
Although Google did not respond to a request for comment on Microsoft's benchmarks, Mozilla's Mike Shaver, who heads all development at the company, applauded any attempt to boost IE's performance. "I don't think anyone here has had a chance to really look at their methodology yet or tried to reproduce their results, but to whatever extent Microsoft is working to improve the performance of IE, it's a good thing for the Web," said Shaver in an e-mail late Thursday.
By Gregg Keizer
New Windows 7 build leaks to Web, may be RC
A Windows 7 build that may be the first release candidate has leaked to the Internet, according to several file-sharing sites.
Searches on Mininova.org, for example, found multiple copies of Windows 7 Build 7057 that have been added to BitTorrent since yesterday. Pirated versions of both 32- and 64-bit editions are available.
The appearance of Windows 7 Build 7057 follows the leak of Build 7048 by just a week. This newest edition is the third to hit BitTorrent since Microsoft stopped offering the public beta of Windows 7 last month.
Traffic on Build 7057 has been lively. As of midday Friday, Mininova reported that one 32-bit BitTorrent of the operating system had been downloaded more than 37,000 times.
Screenshots of the leaked copy posted elsewhere on the Web, including on My Digital Life, show that the end-user licensing agreement (EULA) labels it "Microsoft Windows 7 Operating System Release Candidate 1."
The site, however, questioned whether Build 7057 was actually a release candidate. "A more likely scenario is that build 7048 is a pre-RC or RC preview build which includes the RC1 EULA," said My Digital Life.
Neowin.net, on the other hand, posted shots of Build 7057 that indicated it would expire March 2, 2010, not the midsummer 2009 expiration date built into the beta.
Windows 7 leaks have been a problem for Microsoft since previews were first handed out in October 2008 at Microsoft's Professional Developers Conference. Since then, other versions have appeared on BitTorrent, including a pirated copy of what was later released Jan. 10 as the beta.
In related Windows 7 news, Microsoft revealed 27 more changes it has made to the operating system in the past two months. Chaitanya Sareen, a senior program manager on the team, again detailed improvements and modifications in an entry to the Engineering Windows 7 blog, the second time in the past two weeks he's provided inside information on progress.
Among the changes Sareen highlighted were four affecting the Window 7 desktop, seven to the Windows Explorer file manager, and seven to printer and other device drivers, as well as the addition of more network drivers.
Microsoft has declined to set a time line for the Windows 7 release candidate, but Steven Sinofsky, senior vice president in charge of the Windows engineering group, has repeatedly hinted that the RC build will be offered to the public for a test drive when it is finished.
By Gregg Keizer
Computerworld
Searches on Mininova.org, for example, found multiple copies of Windows 7 Build 7057 that have been added to BitTorrent since yesterday. Pirated versions of both 32- and 64-bit editions are available.
The appearance of Windows 7 Build 7057 follows the leak of Build 7048 by just a week. This newest edition is the third to hit BitTorrent since Microsoft stopped offering the public beta of Windows 7 last month.
Traffic on Build 7057 has been lively. As of midday Friday, Mininova reported that one 32-bit BitTorrent of the operating system had been downloaded more than 37,000 times.
Screenshots of the leaked copy posted elsewhere on the Web, including on My Digital Life, show that the end-user licensing agreement (EULA) labels it "Microsoft Windows 7 Operating System Release Candidate 1."
The site, however, questioned whether Build 7057 was actually a release candidate. "A more likely scenario is that build 7048 is a pre-RC or RC preview build which includes the RC1 EULA," said My Digital Life.
Neowin.net, on the other hand, posted shots of Build 7057 that indicated it would expire March 2, 2010, not the midsummer 2009 expiration date built into the beta.
Windows 7 leaks have been a problem for Microsoft since previews were first handed out in October 2008 at Microsoft's Professional Developers Conference. Since then, other versions have appeared on BitTorrent, including a pirated copy of what was later released Jan. 10 as the beta.
In related Windows 7 news, Microsoft revealed 27 more changes it has made to the operating system in the past two months. Chaitanya Sareen, a senior program manager on the team, again detailed improvements and modifications in an entry to the Engineering Windows 7 blog, the second time in the past two weeks he's provided inside information on progress.
Among the changes Sareen highlighted were four affecting the Window 7 desktop, seven to the Windows Explorer file manager, and seven to printer and other device drivers, as well as the addition of more network drivers.
Microsoft has declined to set a time line for the Windows 7 release candidate, but Steven Sinofsky, senior vice president in charge of the Windows engineering group, has repeatedly hinted that the RC build will be offered to the public for a test drive when it is finished.
By Gregg Keizer
Computerworld
New 'Spam King' Linked to SMS Campaign
Spammer Brendan Battles is being linked to an unsolicited bulk SMS marketing campaign in New Zealand that could breach New Zealand anti-spam laws.
Reports of the messages are appearing on online forums like Geekzone and Vodafone's customer forum. The message says:
"Tired of dropped calls, poor signal or static? Goto www.AntennaBooster.co.nz for a special Vodafone users offer! To opt-out, reply with the word 'UNSUBSCRIBE'"
The text messages arrive from an Australian mobile number, +61 447 100 250.
According to whois data for the antennabooster.co.nz domain, the registrant is Brendan Battles of Browns Bay, on Auckland's North Shore. The domain in the contact email address given for antennabooster.co.nz, imagemarketing.co.nz, is also registered by Battles. The New Zealand man may be vying again for the "Spam King" title, which has been claimed by several through the years.
The "mobile phone antenna booster" advertised is, according to the site, a "thin strip to be placed at [sic] the back of cellphone".
Costing $9.95 plus $4.95 "S/H", the product promises "no more disconnections, reduces static interference" and "increases phone reception on boats, elevators, cars, buildings, tunnels, mountains and more."
Advertised on the site are other domains registered by Battles, like nzdata.info, audata.info, marketingmistakes.info and nzpostage.co.nz. All are hosted by Affinity Internet in the United States.
The company behind antennabooster.co.nz is Image Marketing Ltd, with a registered office at 63, Apollo Road, Mairangi Bay, North Shore. Its director is Brendan Paul Battles of Browns Bay, who holds 940,000 of the one million shares issued, according to the Companies Office.
Tan Chor Thien and Walter Scheer are the other two shareholders of Image Marketing Ltd, with 50,000 and 10,000 shares each, respectively.
Battles has a history as a prolific spammer going back many years in the United States and New Zealand. He earned notoriety by suing anti-spammers Spamhaus in 2003, together with associate Eddie Marin and Boca Raton, Florida-based organisation Emarketersamerica.org, only to withdraw the lawsuit in September that same year.
Battles activities have been the subject of investigative journalist Brian McWilliams' book "Spam Kings". In the book, McWilliams says Battles sent out up to 50 million spam messages a day, hawking amongst other things subliminal weight loss tapes.
In 2006, Battles was found to have set up shop in New Zealand and was accused of running a bulk unsolicited email campaign for broadband accounts and telephone calling rates here.
Software developer Chris Burgess of Giant Robot was one of those hit by the SMS messages. Burgess reported the matter to the DIA and also emailed Battles, demanding to see proof that he has consented to receive the text messages sent out.
As of going to press, Burgess has not received a response from Battles.
Asked what he thought of the SMS run, Burgess says "It's a shame to see personal communications hijacked by people with little to offer."
"Theirs is a numbers game," Burgess says, that involves "bothering a million people to make maybe ten sales."
Vodafone spokesman Paul Brislen says that the telco isn't pleased to see its name being used in the messages, and is taking the matter seriously. Brislen says Vodafone is investigating the issue, and looking into what further action it can take.
Joe Stewart, manager of the anti-spam compliance unit at the Department of Internal Affairs confirms that sending unsolicited messages is against the law.
Asked if he's familiar with Battles and the SMS messages, Stewart told Computerworld that "the SMS campaign and the name have crossed my desk."
Stewart adds that it's irrelevant that a spam message is routed via overseas providers, as long as it's terminated in New Zealand. He says people who receive suspected SMS spam are adivesed to forward it to 7726 and the DIA will investigate.
Battles was contacted by Computerworld by telephone and email for comment on the above, but didn't respond. Battles has never, to Computerworld's knowledge, been charged with or convicted of spamming. Most of his activity both in the US and here predates the criminalisation of sending unsolicited messages.
Juha Saarinen, Computerworld New Zealand Online
Reports of the messages are appearing on online forums like Geekzone and Vodafone's customer forum. The message says:
"Tired of dropped calls, poor signal or static? Goto www.AntennaBooster.co.nz for a special Vodafone users offer! To opt-out, reply with the word 'UNSUBSCRIBE'"
The text messages arrive from an Australian mobile number, +61 447 100 250.
According to whois data for the antennabooster.co.nz domain, the registrant is Brendan Battles of Browns Bay, on Auckland's North Shore. The domain in the contact email address given for antennabooster.co.nz, imagemarketing.co.nz, is also registered by Battles. The New Zealand man may be vying again for the "Spam King" title, which has been claimed by several through the years.
The "mobile phone antenna booster" advertised is, according to the site, a "thin strip to be placed at [sic] the back of cellphone".
Costing $9.95 plus $4.95 "S/H", the product promises "no more disconnections, reduces static interference" and "increases phone reception on boats, elevators, cars, buildings, tunnels, mountains and more."
Advertised on the site are other domains registered by Battles, like nzdata.info, audata.info, marketingmistakes.info and nzpostage.co.nz. All are hosted by Affinity Internet in the United States.
The company behind antennabooster.co.nz is Image Marketing Ltd, with a registered office at 63, Apollo Road, Mairangi Bay, North Shore. Its director is Brendan Paul Battles of Browns Bay, who holds 940,000 of the one million shares issued, according to the Companies Office.
Tan Chor Thien and Walter Scheer are the other two shareholders of Image Marketing Ltd, with 50,000 and 10,000 shares each, respectively.
Battles has a history as a prolific spammer going back many years in the United States and New Zealand. He earned notoriety by suing anti-spammers Spamhaus in 2003, together with associate Eddie Marin and Boca Raton, Florida-based organisation Emarketersamerica.org, only to withdraw the lawsuit in September that same year.
Battles activities have been the subject of investigative journalist Brian McWilliams' book "Spam Kings". In the book, McWilliams says Battles sent out up to 50 million spam messages a day, hawking amongst other things subliminal weight loss tapes.
In 2006, Battles was found to have set up shop in New Zealand and was accused of running a bulk unsolicited email campaign for broadband accounts and telephone calling rates here.
Software developer Chris Burgess of Giant Robot was one of those hit by the SMS messages. Burgess reported the matter to the DIA and also emailed Battles, demanding to see proof that he has consented to receive the text messages sent out.
As of going to press, Burgess has not received a response from Battles.
Asked what he thought of the SMS run, Burgess says "It's a shame to see personal communications hijacked by people with little to offer."
"Theirs is a numbers game," Burgess says, that involves "bothering a million people to make maybe ten sales."
Vodafone spokesman Paul Brislen says that the telco isn't pleased to see its name being used in the messages, and is taking the matter seriously. Brislen says Vodafone is investigating the issue, and looking into what further action it can take.
Joe Stewart, manager of the anti-spam compliance unit at the Department of Internal Affairs confirms that sending unsolicited messages is against the law.
Asked if he's familiar with Battles and the SMS messages, Stewart told Computerworld that "the SMS campaign and the name have crossed my desk."
Stewart adds that it's irrelevant that a spam message is routed via overseas providers, as long as it's terminated in New Zealand. He says people who receive suspected SMS spam are adivesed to forward it to 7726 and the DIA will investigate.
Battles was contacted by Computerworld by telephone and email for comment on the above, but didn't respond. Battles has never, to Computerworld's knowledge, been charged with or convicted of spamming. Most of his activity both in the US and here predates the criminalisation of sending unsolicited messages.
Juha Saarinen, Computerworld New Zealand Online
Apple's iPhone 3.0: 10 Features That Might Make the Cut
The iPhone 3.0 countdown is officially on: Apple has announced plans to reveal the next generation of its iPhone operating system at a media event next Tuesday. While the company's keeping up its usual wall of mystique, we've compiled a list of some of the most discussed features users want to see. I'm no psychic, but some of these seem to be shoo-ins for inclusion -- and maybe the St. Patrick's Day unveiling will bring a little Irish-style luck for your favorite feature.
1. Push Notification
One of the longest-running requests, push notification has been discussed since last summer. The system, which would let apps receive information from Apple servers even while they're not actively running (think IM programs), was set to debut last September. The missed deadline led to speculation that the feature might be dead in the water. So could push notification finally make the cut for iPhone 3.0?
"It seems that it would be a high priority from a competitive standpoint," notes Dan Hays, a mobile industry expert who serves as director of PRTM Management Consultants. "That's definitely one of the big opportunities for Apple."
2. Adobe Flash Support
After on-again, off-again development, support for Adobe Flash has continued to evade iPhone users, often proving for many to be one of the device's most annoying omissions. Aside from the "technical challenge" said to be presented with placing Flash on the iPhone, politics seem to play a big part in its absence. There's always hope, but you may not want to hold your breath on this one just yet.
3. Advanced Bluetooth Functionality
Many fans of the iPhone have been asking for expanded functionality in the Bluetooth realm -- you know, the ability to perform tasks like file-sharing or wireless keyboard connecting. This could be one of the simpler features to implement in the iPhone OS, yet it may not be at the top of Apple's list.
"It's not clear to me that it would be a big driver of additional sales," Hays points out. The speed of Bluetooth, he says, limits the practicality of its transfer power. "I would see it as something that they might be likely to do, but not necessarily a high priority."
4. Copy and Paste Options
I suspect almost all iPhone users would get on-board with the idea of added copy, cut, and paste options within the platform. An odd omission in the first place, one would hope this basic ability will appear in the 3.0 release.
5. Background Processing
The much-requested multitasking support could actually have a shot in iPhone's 3.0 release. Apple has previously cited the risk of draining too much power and hurting performance as a hurdle for the addition. Rumors as recent as early February, however, suggest that 3.0 could be the turning point.
6. Horizontal Keyboard
While apps have made it possible to get a horizontal keyboard for e-mailing on the iPhone, native support for a wider typing platform for both mail and text messaging has yet to surface. With the growing field of versatile smartphones, this could be an easy addition that'd be wise for Apple to make.
"If you look at how the touchscreen keyboard's been implemented in competing devices, such as the [Blackberry] Storm, it definitely would seem that Apple wouldn't have anything to lose," Hays says. "It probably would gain some good will with their users by adding it."
7. Video Conferencing
Video conferencing would be a big boost for the iPhone -- but it'd also be a big drain on the network. While plenty of people would like to see it debut, the data difficulty could serve as a roadblock in making this one a 3.0 reality.
"The average iPhone user uses something like a hundred times the amount of data as a regular user. You can imagine that video conferencing would be even more so," Hays says.
8. iPhone Tethering
Ever since the sudden banning of the iPhone's Netshare tethering application last August, the use of the iPhone as a modem has been reduced to only a memory. An e-mail said to be from Steve Jobs that same summer, though, suggested Apple was working with AT&T to create a built-in solution. If the carrier conflicts can be overcome (AT&T does currently offer tethering plans for some of its other wireless models), Apple would have a strong weapon on its hands with this added option.
9. Global Search
File this one under "why not": Apple could look at bringing a universal search option into its iPhone 3.0 release. Rather than just offering limited searching within applications such as Contacts, why not let users do a device-wide search from the home screen? Why wasn't it built in from the beginning, you might ask? Search me.
10. Extra SMS Options
Something that seems to come up frequently in the forums is the notion of packing a little more punch into the iPhone's SMS system. Users want the ability to send and receive images or videos in text messages, as well as the addition of SMS forwarding functionality. Here's hoping Apple is listening.
The List Goes On
There are plenty more requests out there, some more far-fetched than others. The integration of the SBSettings app's simple top-of-screen toggles, a folder organization system for the home screen, and enhanced Exchange sync options are a few of the other ideas I've seen floating around.
I'm sure you have a wish list of your own, too, so step up to the plate -- and by "the plate," I mean "the comments section" -- and let us hear what you want to see. What do you think Apple will actually deliver?
JR Raphael, PC World
1. Push Notification
One of the longest-running requests, push notification has been discussed since last summer. The system, which would let apps receive information from Apple servers even while they're not actively running (think IM programs), was set to debut last September. The missed deadline led to speculation that the feature might be dead in the water. So could push notification finally make the cut for iPhone 3.0?
"It seems that it would be a high priority from a competitive standpoint," notes Dan Hays, a mobile industry expert who serves as director of PRTM Management Consultants. "That's definitely one of the big opportunities for Apple."
2. Adobe Flash Support
After on-again, off-again development, support for Adobe Flash has continued to evade iPhone users, often proving for many to be one of the device's most annoying omissions. Aside from the "technical challenge" said to be presented with placing Flash on the iPhone, politics seem to play a big part in its absence. There's always hope, but you may not want to hold your breath on this one just yet.
3. Advanced Bluetooth Functionality
Many fans of the iPhone have been asking for expanded functionality in the Bluetooth realm -- you know, the ability to perform tasks like file-sharing or wireless keyboard connecting. This could be one of the simpler features to implement in the iPhone OS, yet it may not be at the top of Apple's list.
"It's not clear to me that it would be a big driver of additional sales," Hays points out. The speed of Bluetooth, he says, limits the practicality of its transfer power. "I would see it as something that they might be likely to do, but not necessarily a high priority."
4. Copy and Paste Options
I suspect almost all iPhone users would get on-board with the idea of added copy, cut, and paste options within the platform. An odd omission in the first place, one would hope this basic ability will appear in the 3.0 release.
5. Background Processing
The much-requested multitasking support could actually have a shot in iPhone's 3.0 release. Apple has previously cited the risk of draining too much power and hurting performance as a hurdle for the addition. Rumors as recent as early February, however, suggest that 3.0 could be the turning point.
6. Horizontal Keyboard
While apps have made it possible to get a horizontal keyboard for e-mailing on the iPhone, native support for a wider typing platform for both mail and text messaging has yet to surface. With the growing field of versatile smartphones, this could be an easy addition that'd be wise for Apple to make.
"If you look at how the touchscreen keyboard's been implemented in competing devices, such as the [Blackberry] Storm, it definitely would seem that Apple wouldn't have anything to lose," Hays says. "It probably would gain some good will with their users by adding it."
7. Video Conferencing
Video conferencing would be a big boost for the iPhone -- but it'd also be a big drain on the network. While plenty of people would like to see it debut, the data difficulty could serve as a roadblock in making this one a 3.0 reality.
"The average iPhone user uses something like a hundred times the amount of data as a regular user. You can imagine that video conferencing would be even more so," Hays says.
8. iPhone Tethering
Ever since the sudden banning of the iPhone's Netshare tethering application last August, the use of the iPhone as a modem has been reduced to only a memory. An e-mail said to be from Steve Jobs that same summer, though, suggested Apple was working with AT&T to create a built-in solution. If the carrier conflicts can be overcome (AT&T does currently offer tethering plans for some of its other wireless models), Apple would have a strong weapon on its hands with this added option.
9. Global Search
File this one under "why not": Apple could look at bringing a universal search option into its iPhone 3.0 release. Rather than just offering limited searching within applications such as Contacts, why not let users do a device-wide search from the home screen? Why wasn't it built in from the beginning, you might ask? Search me.
10. Extra SMS Options
Something that seems to come up frequently in the forums is the notion of packing a little more punch into the iPhone's SMS system. Users want the ability to send and receive images or videos in text messages, as well as the addition of SMS forwarding functionality. Here's hoping Apple is listening.
The List Goes On
There are plenty more requests out there, some more far-fetched than others. The integration of the SBSettings app's simple top-of-screen toggles, a folder organization system for the home screen, and enhanced Exchange sync options are a few of the other ideas I've seen floating around.
I'm sure you have a wish list of your own, too, so step up to the plate -- and by "the plate," I mean "the comments section" -- and let us hear what you want to see. What do you think Apple will actually deliver?
JR Raphael, PC World
Saturday, March 7, 2009
Microsoft in 2019: Where's Windows?
Microsoft's 2019 is the latest entry in the genre of future product dramatization videos. There's a five-minute version, but also a tightly-edited two minute excerpt.
The imaginative videos were created by Microsoft Office Labs, a group inside the company that "tests ideas by building prototypes and gathering usage data." At the end, a related video list contains longer versions of each scene -- retail, manufacturing, education, health care and more.
The super-slim and easy-to-use handheld gadgets and wall-sized transparent displays handled by the video's shoppers, students and office workers make Tom Cruise's setup in Minority Report seem obsolete. More important than whizzy interfaces, the videos promise much more extensive collaboration, instant information retrieval, and multimedia communication.
The level of personal data tapped in some scenes will creep some people out. Skip to 0:25 for the scene that shows a corporate visitor being tracked on a blueprint map of the office.
However, the biggest surprise in 2019 is the lack of a Windows logo, "Start" button, or other Microsoft branding in the clip's mocked-up UIs. The company has backed off from the heavy-handed "Windows Everywhere" campaign of a few years ago. We don't need to be told what operating system these gadgets run.
Another smart omission: In the short version of 2019, no one makes a videophone call.
Paul Boutin, The Industry Standard
The imaginative videos were created by Microsoft Office Labs, a group inside the company that "tests ideas by building prototypes and gathering usage data." At the end, a related video list contains longer versions of each scene -- retail, manufacturing, education, health care and more.
The super-slim and easy-to-use handheld gadgets and wall-sized transparent displays handled by the video's shoppers, students and office workers make Tom Cruise's setup in Minority Report seem obsolete. More important than whizzy interfaces, the videos promise much more extensive collaboration, instant information retrieval, and multimedia communication.
The level of personal data tapped in some scenes will creep some people out. Skip to 0:25 for the scene that shows a corporate visitor being tracked on a blueprint map of the office.
However, the biggest surprise in 2019 is the lack of a Windows logo, "Start" button, or other Microsoft branding in the clip's mocked-up UIs. The company has backed off from the heavy-handed "Windows Everywhere" campaign of a few years ago. We don't need to be told what operating system these gadgets run.
Another smart omission: In the short version of 2019, no one makes a videophone call.
Paul Boutin, The Industry Standard
Microsoft confirms IE8 kill switch in Windows 7
Microsoft Corp. today confirmed that users will be able to remove Internet Explorer 8 (IE8), as well as several other integrated applications, from Windows 7.
The ability to remove IE8 was revealed by a pair of bloggers on Wednesday after they poked around Windows 7 Build 7048, a post-beta version that has leaked to file-sharing sites on the Web.
Yesterday, Mike Nash, vice president of Windows product management, declined to comment on the bloggers' reports. "It's unfortunate that builds leak out," Nash said. "But I can't comment on unreleased products."
Today, however, Jack Mayo, a group program manager on the Windows team, acknowledged that Windows 7 will include an expanded list of features and applications that can be switched off.
In an entry to the Engineering Windows 7 blog, Mayo listed the applications that can be switched off. They include Internet Explorer 8, Fax and Scan, handwriting recognition, Windows DVD Maker, Windows Gadget Platform, Windows Media Player, Windows Media Center, Windows Search, and XPS Viewer and Services.
He also explained that the files associated with those applications and features are not actually deleted from the hard drive. "If a feature is deselected, it is not available for use," said Mayo. "This means the files (binaries and data) are not loaded by the operating system and not available to users on the computer. These same files are staged so that the features can easily be added back to the running OS without additional media. This staging is important feedback we have received from customers who definitely do not like to dig up the installation DVD."
Furthermore, said Mayo, the APIs related to those features are still supported by Windows 7 -- even when the application or feature has been disabled -- if "these APIs are necessary to the functionality of Windows or where there are APIs that are used by developers that can be viewed as independent of the component."
Mayo didn't provide examples of what APIs would still be supported when a user switches off IE8, but presumably Windows Update, which relies on the browser, would remain functional. Nor did he mention the European Union's new antitrust charges against Microsoft, which bloggers Chris Holmes and Bryant Zadegan cited as a possible reason why the company added the IE8 option.
In January, EU regulators claimed that Microsoft "shields" IE from competition by bundling it with Windows. The EU's Competition Commission said that among possible remedies, it might make the company cripple IE if the user installed a rival browser, such as Mozilla Corp.'s Firefox or Google Inc.'s Chrome. "Microsoft could also be ordered to technically allow the user to disable Internet Explorer code should the user choose to install a competing browser," EU spokesman Jonathan Todd said in an earlier e-mail to Computerworld.
The EU's case stemmed from a December 2007 complaint by Norwegian browser maker Opera Software ASA, which has been joined by both Mozilla and Google as "interested parties" that are allowed to participated on the periphery.
Microsoft has declined to comment on whether the decision to allow users to remove IE8 is connected to the EU's case.
Other applications on the Windows 7 list have been the subject of previous antitrust actions or complaints. Windows Media Player, for example, was one focus of a concluded EU antitrust case. In addition, Microsoft gave in to Google Inc.'s demands, filed with the U.S. Department of Justice in 2007, that it change Windows Vista's desktop search tool. And in 2006, Adobe threatened to go to the DOJ over the "Save As PDF" command in the Microsoft Office 2007 suite; XPS (XML Paper Specification) is Microsoft's answer to Adobe's PDF format.
The option to remove IE8 is available only in post-beta builds, which have been restricted to a small group of testers. The company has been mum about the timing of the next milestone, although it has hinted it will take the upcoming release candidate, or RC, public as well.
A pirated copy of Windows 7 Build 7048, which includes the new removal options, has been leaked on the Internet. Traffic in the build has been brisk, with BitTorrent tracking sites such as Mininova.org claiming that as many as 14,000 copies have been downloaded.
By Gregg Keizer, computerworld.
The ability to remove IE8 was revealed by a pair of bloggers on Wednesday after they poked around Windows 7 Build 7048, a post-beta version that has leaked to file-sharing sites on the Web.
Yesterday, Mike Nash, vice president of Windows product management, declined to comment on the bloggers' reports. "It's unfortunate that builds leak out," Nash said. "But I can't comment on unreleased products."
Today, however, Jack Mayo, a group program manager on the Windows team, acknowledged that Windows 7 will include an expanded list of features and applications that can be switched off.
In an entry to the Engineering Windows 7 blog, Mayo listed the applications that can be switched off. They include Internet Explorer 8, Fax and Scan, handwriting recognition, Windows DVD Maker, Windows Gadget Platform, Windows Media Player, Windows Media Center, Windows Search, and XPS Viewer and Services.
He also explained that the files associated with those applications and features are not actually deleted from the hard drive. "If a feature is deselected, it is not available for use," said Mayo. "This means the files (binaries and data) are not loaded by the operating system and not available to users on the computer. These same files are staged so that the features can easily be added back to the running OS without additional media. This staging is important feedback we have received from customers who definitely do not like to dig up the installation DVD."
Furthermore, said Mayo, the APIs related to those features are still supported by Windows 7 -- even when the application or feature has been disabled -- if "these APIs are necessary to the functionality of Windows or where there are APIs that are used by developers that can be viewed as independent of the component."
Mayo didn't provide examples of what APIs would still be supported when a user switches off IE8, but presumably Windows Update, which relies on the browser, would remain functional. Nor did he mention the European Union's new antitrust charges against Microsoft, which bloggers Chris Holmes and Bryant Zadegan cited as a possible reason why the company added the IE8 option.
In January, EU regulators claimed that Microsoft "shields" IE from competition by bundling it with Windows. The EU's Competition Commission said that among possible remedies, it might make the company cripple IE if the user installed a rival browser, such as Mozilla Corp.'s Firefox or Google Inc.'s Chrome. "Microsoft could also be ordered to technically allow the user to disable Internet Explorer code should the user choose to install a competing browser," EU spokesman Jonathan Todd said in an earlier e-mail to Computerworld.
The EU's case stemmed from a December 2007 complaint by Norwegian browser maker Opera Software ASA, which has been joined by both Mozilla and Google as "interested parties" that are allowed to participated on the periphery.
Microsoft has declined to comment on whether the decision to allow users to remove IE8 is connected to the EU's case.
Other applications on the Windows 7 list have been the subject of previous antitrust actions or complaints. Windows Media Player, for example, was one focus of a concluded EU antitrust case. In addition, Microsoft gave in to Google Inc.'s demands, filed with the U.S. Department of Justice in 2007, that it change Windows Vista's desktop search tool. And in 2006, Adobe threatened to go to the DOJ over the "Save As PDF" command in the Microsoft Office 2007 suite; XPS (XML Paper Specification) is Microsoft's answer to Adobe's PDF format.
The option to remove IE8 is available only in post-beta builds, which have been restricted to a small group of testers. The company has been mum about the timing of the next milestone, although it has hinted it will take the upcoming release candidate, or RC, public as well.
A pirated copy of Windows 7 Build 7048, which includes the new removal options, has been leaked on the Internet. Traffic in the build has been brisk, with BitTorrent tracking sites such as Mininova.org claiming that as many as 14,000 copies have been downloaded.
By Gregg Keizer, computerworld.
Q&A: 'We are willing to take that risk,' says CEO who hired convicted botnet leader
Jason Calcanis, founder and CEO of search engine start-up Mahalo.com, defends his decision to allow former security researcher John Scheifer to continuing working at his firm even after discovering he was a convicted felon.
Scheifer was sentenced to four years in prison on Wednesday after pleading guilty last April to four felony counts involving illegal access to computers, illegal interception of data and wire fraud. He is the first person to be charged under federal wiretap statutes for using a botnet to steal data and commit fraud.
Scheifer and his accomplices infected more than 250,000 PCs, and stole usernames and passwords they used to break into PayPal and other financial accounts.
Calcanis, who was at the sentencing, expressed in a blog post yesterday his support for Schiefer, and wished that he had been sentenced to supervised home arrest instead of incarceration in a federal penitentiary.
Calcanis said that when Mahalo first hired Schiefer, the company did not know about his background. And when it found out about his crime, the company could have fired him on the spot because that was the "easy choice," Calcanis wrote. "But rather than do that, the company decided to give Schiefer another chance, after hearing about his tough childhood, his anger issues and how he'd found a level of peace by being at Mahalo.
Calcanis said that while Schiefer might have been an "angry stupid kid" when he launched his botnet attacks, all developers pushed the envelope when they were young. "Anyone in technology knows this dark, dirty little secret," Calcanis said in his blog.
Calcanis speaks a little more on his support for Schiefer by e-mail:
There are some who think that Schiefer probably got what was coming for his actions. Why was John deserving of a lighter sentence? Without knowing John, I think I would agree that he got what he deserved and, sure, it could have another year or two. After getting to know him I can tell you -- and in fact he would tell you -- that his behavior was based on a lack of guidance, immaturity and anger. Getting to know him, I've watched him not only grow but flourish while working with a team of intelligent technologists.
You said in your blog that you would have never hired John (or people like him) if you had known of his background during the hiring process. Has this experience changed that outlook? In the past, I would have probably never considered hiring a felon for my startup. In fact, they would have probably never made it in for an interview. After this experience, I think I've learned something about rehabilitation and the role private industry can play in it.
After this, I would certainly consider someone convicted of computer crimes. However, I think you have to look at each case and person individually. Not all hackers are cut from the same cloth.
What was John's role in your company? John is a systems engineer, which means he works on Web servers. However, it is important to note that he does not have access to our database servers, that all of our password data is encrypted so no one on the development team can access it, and his work is supervised. Also, we are a content site and we don't deal in sensitive data. He can, in fact, only do harm to us ... not our users. If John wanted to, he could turn off Mahalo, but we're willing to take that risk -- we trust him.
In general, what do you think about companies hiring convicted hackers to help them deal with cybersecurity issues? It's fairly clear that many -- perhaps most -- of the folks who step over the line in the hacker community do so out of a sense of exploration, challenge and the desire to be admired by their peers. These are the exact same reasons why someone becomes an entrepreneur, and why they might start a company like Google, Yahoo, or Mahalo.
In other words, the core desire in many of these individuals is good, but horribly misdirected. As a society we have very hard decisions to make about these individuals. They are in fact damaging society through their actions, and our growing digital dependencies only make their actions more significant.
So what then is the best way of handling hackers who cross the line? Clearly we must make examples of people who step over the line, but we must also look with compassion and support to those who are willing to rehabilitate themselves. In this case I believe John could be put under house arrest and be under constant computer monitoring -- at his own expense -- and help make the world a better place. I hope his four years in jail don't hurt his progress, and that when he leaves jail he can start his life off where he left it: as a friend, hard-working team member and a brilliant contributor to society.
By Jaikumar Vijayan ,Computerworld
Scheifer was sentenced to four years in prison on Wednesday after pleading guilty last April to four felony counts involving illegal access to computers, illegal interception of data and wire fraud. He is the first person to be charged under federal wiretap statutes for using a botnet to steal data and commit fraud.
Scheifer and his accomplices infected more than 250,000 PCs, and stole usernames and passwords they used to break into PayPal and other financial accounts.
Calcanis, who was at the sentencing, expressed in a blog post yesterday his support for Schiefer, and wished that he had been sentenced to supervised home arrest instead of incarceration in a federal penitentiary.
Calcanis said that when Mahalo first hired Schiefer, the company did not know about his background. And when it found out about his crime, the company could have fired him on the spot because that was the "easy choice," Calcanis wrote. "But rather than do that, the company decided to give Schiefer another chance, after hearing about his tough childhood, his anger issues and how he'd found a level of peace by being at Mahalo.
Calcanis said that while Schiefer might have been an "angry stupid kid" when he launched his botnet attacks, all developers pushed the envelope when they were young. "Anyone in technology knows this dark, dirty little secret," Calcanis said in his blog.
Calcanis speaks a little more on his support for Schiefer by e-mail:
There are some who think that Schiefer probably got what was coming for his actions. Why was John deserving of a lighter sentence? Without knowing John, I think I would agree that he got what he deserved and, sure, it could have another year or two. After getting to know him I can tell you -- and in fact he would tell you -- that his behavior was based on a lack of guidance, immaturity and anger. Getting to know him, I've watched him not only grow but flourish while working with a team of intelligent technologists.
You said in your blog that you would have never hired John (or people like him) if you had known of his background during the hiring process. Has this experience changed that outlook? In the past, I would have probably never considered hiring a felon for my startup. In fact, they would have probably never made it in for an interview. After this experience, I think I've learned something about rehabilitation and the role private industry can play in it.
After this, I would certainly consider someone convicted of computer crimes. However, I think you have to look at each case and person individually. Not all hackers are cut from the same cloth.
What was John's role in your company? John is a systems engineer, which means he works on Web servers. However, it is important to note that he does not have access to our database servers, that all of our password data is encrypted so no one on the development team can access it, and his work is supervised. Also, we are a content site and we don't deal in sensitive data. He can, in fact, only do harm to us ... not our users. If John wanted to, he could turn off Mahalo, but we're willing to take that risk -- we trust him.
In general, what do you think about companies hiring convicted hackers to help them deal with cybersecurity issues? It's fairly clear that many -- perhaps most -- of the folks who step over the line in the hacker community do so out of a sense of exploration, challenge and the desire to be admired by their peers. These are the exact same reasons why someone becomes an entrepreneur, and why they might start a company like Google, Yahoo, or Mahalo.
In other words, the core desire in many of these individuals is good, but horribly misdirected. As a society we have very hard decisions to make about these individuals. They are in fact damaging society through their actions, and our growing digital dependencies only make their actions more significant.
So what then is the best way of handling hackers who cross the line? Clearly we must make examples of people who step over the line, but we must also look with compassion and support to those who are willing to rehabilitate themselves. In this case I believe John could be put under house arrest and be under constant computer monitoring -- at his own expense -- and help make the world a better place. I hope his four years in jail don't hurt his progress, and that when he leaves jail he can start his life off where he left it: as a friend, hard-working team member and a brilliant contributor to society.
By Jaikumar Vijayan ,Computerworld
Wednesday, February 25, 2009
Desktops will move to the cloud, VMware exec says
(IDG News Service) The desktop is one the areas ripe for moving into the cloud, and the driver will be lower operational costs for both large and small companies, a VMware executive said at the company's VMworld conference in Cannes.
That's not going to happen over night, but that is where things are headed, according to Jocelyn Goldfein, general manager of the Desktop business unit at VMware, speaking in an interview Tuesday.
"Some days I think it's four years away, and other days I think it's all going to happen way faster than we think. I think Microsoft really bobbled with Vista. It's got everyone, including home users, questioning the future of the desktop, and willing to try something new," said Goldfein.
Moving to the cloud will let more companies take advantage of the economies of scale that come with managing many desktops. "People who specialize in desktop management are going to get the best economies of scale of all, and moving the desktop into an external cloud is going to let large or small enterprises, all the way down to SMBs and maybe even home users, take advantage of that," said Goldfein.
Also, most enterprises simply don't want to be in the business of managing desktops, and small to midsize businesses and home users don't want to either. Home users don't want to upgrade operating systems, patch applications or set firewall rules, according to Goldfein.
"The beauty of virtualization, because it decouples the user environment from the device, is that it actually enables someone to deliver that desktop as a service where they can't today," said Goldfein.
An important part of making desktops cloud compatible, and also helping client virtualization go mainstream, is the introduction of so-called "bare metal" hypervisors for client PCs. They allow the desktop to run locally without access to a network and take advantage of the PC's computing power, instead of just relying on the server.
Citrix is working with Intel to develop its CVP (Client Virtualization Platform) for Intel's Intel vPro and Centrino vPro processors, and the result will ship during the second half of the year, VMware announced on Tuesday.
VMware is usually one step a head of the competition in the virtualization space, but not in this case. Citrix already announced plans to come out with a bare metal hypervisor for PCs, and a partnership with Intel, in January. Just like VMware it plans to come out with its product during the second half of 2009.
"I don't think it's a land grab; the whole world isn't going to standardize on client hypervisors over night," said Goldfein.
PC vendors aren't going to choose one client hypervisor over the other, but will wait and see how the market pans out, she said.
Client virtualization is the more immediate opportunity, and VMware is investing a lot of energy in that space, which started to take off last year, according to Goldfein.
The adoption barriers will have to be lowered even further for the technology to go mainstream, including making the user experience better when running the desktop on the server over. To achieve that VMware is investing in its own display protocol, which will be developed with Teradici, and out during the second half of 2009.
"PC-over-IP is a protocol that they invented. Today it exists in hardware implementations, and we are collaboration with them on a software-only implementation. We think it's going to be as competitive as any soft protocol on the market," said Goldfein.
VMware chose to work with Teradici because of some of its core technologies, including the algorithms it uses to do compression and adaptive rendering, which detects how much bandwidth the user has and adopts on the fly, according to Goldfein.
But still, the performance will get much better when backed it up with hardware acceleration.
"We think that if that model becomes more cost effective it's really going to transform what we today think of as state of the art of remote display protocols," said Goldfein.
By Mikael Ricknäs
That's not going to happen over night, but that is where things are headed, according to Jocelyn Goldfein, general manager of the Desktop business unit at VMware, speaking in an interview Tuesday.
"Some days I think it's four years away, and other days I think it's all going to happen way faster than we think. I think Microsoft really bobbled with Vista. It's got everyone, including home users, questioning the future of the desktop, and willing to try something new," said Goldfein.
Moving to the cloud will let more companies take advantage of the economies of scale that come with managing many desktops. "People who specialize in desktop management are going to get the best economies of scale of all, and moving the desktop into an external cloud is going to let large or small enterprises, all the way down to SMBs and maybe even home users, take advantage of that," said Goldfein.
Also, most enterprises simply don't want to be in the business of managing desktops, and small to midsize businesses and home users don't want to either. Home users don't want to upgrade operating systems, patch applications or set firewall rules, according to Goldfein.
"The beauty of virtualization, because it decouples the user environment from the device, is that it actually enables someone to deliver that desktop as a service where they can't today," said Goldfein.
An important part of making desktops cloud compatible, and also helping client virtualization go mainstream, is the introduction of so-called "bare metal" hypervisors for client PCs. They allow the desktop to run locally without access to a network and take advantage of the PC's computing power, instead of just relying on the server.
Citrix is working with Intel to develop its CVP (Client Virtualization Platform) for Intel's Intel vPro and Centrino vPro processors, and the result will ship during the second half of the year, VMware announced on Tuesday.
VMware is usually one step a head of the competition in the virtualization space, but not in this case. Citrix already announced plans to come out with a bare metal hypervisor for PCs, and a partnership with Intel, in January. Just like VMware it plans to come out with its product during the second half of 2009.
"I don't think it's a land grab; the whole world isn't going to standardize on client hypervisors over night," said Goldfein.
PC vendors aren't going to choose one client hypervisor over the other, but will wait and see how the market pans out, she said.
Client virtualization is the more immediate opportunity, and VMware is investing a lot of energy in that space, which started to take off last year, according to Goldfein.
The adoption barriers will have to be lowered even further for the technology to go mainstream, including making the user experience better when running the desktop on the server over. To achieve that VMware is investing in its own display protocol, which will be developed with Teradici, and out during the second half of 2009.
"PC-over-IP is a protocol that they invented. Today it exists in hardware implementations, and we are collaboration with them on a software-only implementation. We think it's going to be as competitive as any soft protocol on the market," said Goldfein.
VMware chose to work with Teradici because of some of its core technologies, including the algorithms it uses to do compression and adaptive rendering, which detects how much bandwidth the user has and adopts on the fly, according to Goldfein.
But still, the performance will get much better when backed it up with hardware acceleration.
"We think that if that model becomes more cost effective it's really going to transform what we today think of as state of the art of remote display protocols," said Goldfein.
By Mikael Ricknäs
Sneaky New Virus Spreads via Ads
Hackers infiltrated popular tech business site eWeek.com yesterday using Google's DoubleClick banner ads as a vehicle. Websense caught the malicious coding and published its results, which spurred eWeek to scour its code and remove all phony advertisements.
The pest, named Anti-Virus-1, is complicated and smart. The advertisements are for antivirus software, and when a user clicked on them, the ads redirect to a pornography Website through a series of iframes. Then a PDF pops up loaded with evil code, exploiting a weakness currently festering in the Adobe systems; or the file index.php redirects to the rogue ad server. The server places a file named "winratit.exe" into the user's temporary files folder and stays there without any user interaction.
If the user tries to cleanse the computer by visiting any of several popular software downloading sites, the hack has a twist of the blade waiting: the host file is modified to redirect to even more malicious Websites offering further rogue downloads.
eWeek may not be the first popular Website to be attacked. "Given DoubleClick's tremendous reach, it's possible the rogue ads have shown up on Websites other than eWeek," Websense Vice President of Security Research Dan Hubbard told The Register.
As always, exercise caution when following advertisements.
Brennon Slattery
pcworld
The pest, named Anti-Virus-1, is complicated and smart. The advertisements are for antivirus software, and when a user clicked on them, the ads redirect to a pornography Website through a series of iframes. Then a PDF pops up loaded with evil code, exploiting a weakness currently festering in the Adobe systems; or the file index.php redirects to the rogue ad server. The server places a file named "winratit.exe" into the user's temporary files folder and stays there without any user interaction.
If the user tries to cleanse the computer by visiting any of several popular software downloading sites, the hack has a twist of the blade waiting: the host file is modified to redirect to even more malicious Websites offering further rogue downloads.
eWeek may not be the first popular Website to be attacked. "Given DoubleClick's tremendous reach, it's possible the rogue ads have shown up on Websites other than eWeek," Websense Vice President of Security Research Dan Hubbard told The Register.
As always, exercise caution when following advertisements.
Brennon Slattery
pcworld
Attackers exploit unpatched Excel vulnerability
(Computerworld) For the second time in the past five days, security researchers are warning that hackers are exploiting a critical unpatched vulnerability in widely-used software.
Attackers are exploiting a "zero-day," or unfixed, flaw in Microsoft Corp.'s popular Excel spreadsheet, using the bug to hijack select systems in Asia, many of them in government offices and high-profile corporations, said Vincent Weafer, vice president of Symantec Corp.'s security response group.
Hackers have been using another unpatched vulnerability in Adobe Reader for several weeks in a similar fashion, although now that the exploit code has gone public, experts expect to see attacks quickly increase.
The newest vulnerability, which is in all supported versions of Excel, including the latest -- Excel in Office 2007 on Windows and in Office 2008 for the Mac -- is in the program's file format, said Weafer.
"This is very similar to the Adobe [Reader] vulnerability we found earlier in that it's being used as a targeted threat," said Weafer. He said Symantec's researchers first came across attack code yesterday, and reported their findings to Microsoft the same day.
Today, Microsoft issued a security advisory with more information about the bug; that's typically a first step toward releasing a patch when a vulnerability goes public.
Microsoft spokesman Bill Sisk downplayed the threat to most users, repeating Weafer's comment that attacks have been seen in only limited numbers. But he promised that the company would patch the problem. "Microsoft is currently working to develop a security update for Microsoft Office that addresses this vulnerability and will release it after it has completed testing," he said in an e-mail.
According to Microsoft's advisory, Excel 2000, 2002, 2003 and 2007 on Windows, and Excel 2004 and 2008 on Mac OS X, are affected by the vulnerability.
Until a patch is produced, Microsoft said users could protect themselves by blocking Excel files from opening, a process that requires editing the Windows registry, normally a chore that's beyond the ability of most users. Alternately, users can run Excel 2003 documents through the Microsoft Office Isolated Conversion Environment (MOICE), a tool the company launched in 2007 that converts those files into the more-secure Office 2007 formats to strip out possible exploit code.
It's not clear how effective MOICE will be in stymieing attacks, however, since the exploit now circulating was crafted with Excel 2007 in mind, said Weafer. According to additional analysis by Symantec, the exploit works on PCs running that version of Excel but fails against earlier editions.
Hackers are using the Excel bug to deliver a Trojan horse to targeted machines, added Weaver. The Trojan acts as a downloader that is capable of retrieving and installing additional malware on the hijacked computer.
Weafer declined to draw a line between the recent zero-day dots, noting that attacks -- particularly targeted attacks like those triggering the Excel and Adobe Reader vulnerabilities -- often come in waves. But he was less hesitant to speculate on the near future.
"As soon as you talk about an [unpatched] vulnerability, people start looking at it for use in broad-based attacks," he said.
By Gregg Keizer
Attackers are exploiting a "zero-day," or unfixed, flaw in Microsoft Corp.'s popular Excel spreadsheet, using the bug to hijack select systems in Asia, many of them in government offices and high-profile corporations, said Vincent Weafer, vice president of Symantec Corp.'s security response group.
Hackers have been using another unpatched vulnerability in Adobe Reader for several weeks in a similar fashion, although now that the exploit code has gone public, experts expect to see attacks quickly increase.
The newest vulnerability, which is in all supported versions of Excel, including the latest -- Excel in Office 2007 on Windows and in Office 2008 for the Mac -- is in the program's file format, said Weafer.
"This is very similar to the Adobe [Reader] vulnerability we found earlier in that it's being used as a targeted threat," said Weafer. He said Symantec's researchers first came across attack code yesterday, and reported their findings to Microsoft the same day.
Today, Microsoft issued a security advisory with more information about the bug; that's typically a first step toward releasing a patch when a vulnerability goes public.
Microsoft spokesman Bill Sisk downplayed the threat to most users, repeating Weafer's comment that attacks have been seen in only limited numbers. But he promised that the company would patch the problem. "Microsoft is currently working to develop a security update for Microsoft Office that addresses this vulnerability and will release it after it has completed testing," he said in an e-mail.
According to Microsoft's advisory, Excel 2000, 2002, 2003 and 2007 on Windows, and Excel 2004 and 2008 on Mac OS X, are affected by the vulnerability.
Until a patch is produced, Microsoft said users could protect themselves by blocking Excel files from opening, a process that requires editing the Windows registry, normally a chore that's beyond the ability of most users. Alternately, users can run Excel 2003 documents through the Microsoft Office Isolated Conversion Environment (MOICE), a tool the company launched in 2007 that converts those files into the more-secure Office 2007 formats to strip out possible exploit code.
It's not clear how effective MOICE will be in stymieing attacks, however, since the exploit now circulating was crafted with Excel 2007 in mind, said Weafer. According to additional analysis by Symantec, the exploit works on PCs running that version of Excel but fails against earlier editions.
Hackers are using the Excel bug to deliver a Trojan horse to targeted machines, added Weaver. The Trojan acts as a downloader that is capable of retrieving and installing additional malware on the hijacked computer.
Weafer declined to draw a line between the recent zero-day dots, noting that attacks -- particularly targeted attacks like those triggering the Excel and Adobe Reader vulnerabilities -- often come in waves. But he was less hesitant to speculate on the near future.
"As soon as you talk about an [unpatched] vulnerability, people start looking at it for use in broad-based attacks," he said.
By Gregg Keizer
Gmail's one-two punch: Phishers attack after outage
Gmail users were hit with a double whammy yesterday.
Only hours after Google Inc. fixed a two-and-a-half hour Gmail outage, users of the hosted e-mail service's instant messaging tool were slammed with a phishing attack. Graham Cluley, a senior technology consultant with the UK-based security firm Sophos, wrote in a blog post today that the attack spread through the Gmail's Google Talk chat system.
The attackers sent Gmail users an instant message with no more of a lure than the message "check out this video" and a link from the TinyURL service, according to Cluley. The link, which is no longer working, took users to a website called ViddyHo that asked surfers to enter their Gmail usernames and passwords.
Cluley noted that TinyURL has blacklisted the phishers' site so that its no longer operational.
"The hackers behind ViddyHo could use the credentials they have stolen via their site to break into accounts, grab identity information and impact your wallet," wrote Cluley. "Potentially, a hacker who has grabbed your Gmail password could have accessed your entire address book and scooped up all of your correspondence, including information that you may have archived about other online accounts."
A Google spokesman noted in an email to Computerworld that the company has received "a number of reports" about the phishing attack from users. "We have blocked the addresses being used to send these messages, and users of Firefox, Safari, and Google Chrome will receive a phishing warning when trying to visit the ViddyHo.com site. We have also identified Viddyho.com in our search results as a phishing site," he said. "We encourage users to be very careful when asked to share their personal information."
The security consultant noted that people are often more susceptible to phishing or malware attacks that are spread via instant message than those that spread through email. People simply are more accustomed to being wary of email, leaving themselves vulnerable to other forms of attacks.
"If you were unfortunate enough to fall for this scam, make sure to change your Gmail password immediately. In fact, also change your passwords on any other site where you might be using the same password as on Gmail," said Cluley.
The Google spokesman added that users also should update their Gmail security questionnaire.
Prior to the phishing attack yesterday, Google engineers had worked to get Gmail back up on its feet after a two-and-a-half-hour outage that kept some users from accessing their e-mail entirely and forced others to wait a minute or more for their email to open.
Acacio Cruz, Google's Gmail site reliability manager, wrote in a Google blog post yesterday that the company's engineers are still trying to pinpoint the cause of yesterday's outage. "We know that for many of you, this disrupted your working day," he added. "We're really sorry about this, and we did do everything to restore access as soon as we could. Our priority was to get you back up and running."
The Gmail outage comes just a week after Google acknowledged that some users had experienced problems getting results from Google News searches over a span of more than 14 hours last Wednesday. Some users reported that they weren't getting any results when they were searching for keywords, such as Microsoft or even Google, in Google News. Other users reported that entire news sections, such as Science/Technology, were coming up empty of any stories.
And last December, Google confirmed that there was a technical problem with Google Talk and the Web-based Gmail chat system. One day early in the month, messages created by a "subset" of users were left unsent because of glitches in the messaging system, according to Google spokesman Andrew Kovacs.
Computerworld
By Sharon Gaudin
Only hours after Google Inc. fixed a two-and-a-half hour Gmail outage, users of the hosted e-mail service's instant messaging tool were slammed with a phishing attack. Graham Cluley, a senior technology consultant with the UK-based security firm Sophos, wrote in a blog post today that the attack spread through the Gmail's Google Talk chat system.
The attackers sent Gmail users an instant message with no more of a lure than the message "check out this video" and a link from the TinyURL service, according to Cluley. The link, which is no longer working, took users to a website called ViddyHo that asked surfers to enter their Gmail usernames and passwords.
Cluley noted that TinyURL has blacklisted the phishers' site so that its no longer operational.
"The hackers behind ViddyHo could use the credentials they have stolen via their site to break into accounts, grab identity information and impact your wallet," wrote Cluley. "Potentially, a hacker who has grabbed your Gmail password could have accessed your entire address book and scooped up all of your correspondence, including information that you may have archived about other online accounts."
A Google spokesman noted in an email to Computerworld that the company has received "a number of reports" about the phishing attack from users. "We have blocked the addresses being used to send these messages, and users of Firefox, Safari, and Google Chrome will receive a phishing warning when trying to visit the ViddyHo.com site. We have also identified Viddyho.com in our search results as a phishing site," he said. "We encourage users to be very careful when asked to share their personal information."
The security consultant noted that people are often more susceptible to phishing or malware attacks that are spread via instant message than those that spread through email. People simply are more accustomed to being wary of email, leaving themselves vulnerable to other forms of attacks.
"If you were unfortunate enough to fall for this scam, make sure to change your Gmail password immediately. In fact, also change your passwords on any other site where you might be using the same password as on Gmail," said Cluley.
The Google spokesman added that users also should update their Gmail security questionnaire.
Prior to the phishing attack yesterday, Google engineers had worked to get Gmail back up on its feet after a two-and-a-half-hour outage that kept some users from accessing their e-mail entirely and forced others to wait a minute or more for their email to open.
Acacio Cruz, Google's Gmail site reliability manager, wrote in a Google blog post yesterday that the company's engineers are still trying to pinpoint the cause of yesterday's outage. "We know that for many of you, this disrupted your working day," he added. "We're really sorry about this, and we did do everything to restore access as soon as we could. Our priority was to get you back up and running."
The Gmail outage comes just a week after Google acknowledged that some users had experienced problems getting results from Google News searches over a span of more than 14 hours last Wednesday. Some users reported that they weren't getting any results when they were searching for keywords, such as Microsoft or even Google, in Google News. Other users reported that entire news sections, such as Science/Technology, were coming up empty of any stories.
And last December, Google confirmed that there was a technical problem with Google Talk and the Web-based Gmail chat system. One day early in the month, messages created by a "subset" of users were left unsent because of glitches in the messaging system, according to Google spokesman Andrew Kovacs.
Computerworld
By Sharon Gaudin
Google jumps into EU antitrust case against Microsoft
Google Inc. today said it has asked the European Union's Competition Commission to let it participate in the antitrust agency's investigation of rival Microsoft Corp., joining browser builders Opera and Mozilla in the case.
"We are applying to become a third party in the European Commission's proceeding," Sundar Pichai, Google's vice president of product management, said in a company blog today.
Last month, the EU's commission submitted a preliminary list of charges, or statement of objections, to Microsoft, and accused it of shielding Internet Explorer (IE) from competition by bundling it with Windows.
Mozilla Corp., the maker of Firefox, had earlier been granted "interested third-party" status, which allows it to submit arguments to regulators, to see the charge sheet the commission sent Microsoft and to participate in a face-to-face hearing if Microsoft requests one.
The Norwegian browser developer Opera Software ASA filed the original complaint with the commission in late 2007.
Pichai said Google is getting involved because the field tilts toward Microsoft. "The browser market is still largely uncompetitive, which holds back innovation for users," he said. "This is because Internet Explorer is tied to Microsoft's dominant computer operating system, giving it an unfair advantage over other browsers."
Google, which launched its own Chrome only last September, cited such features as browser tabs and privacy modes as some of the things that have appeared because of competition among browser makers.
"We believe that we can contribute to this debate," added Pichai. "We learned a lot from launching Chrome last year and are hoping that Google's perspective will be useful as the commission evaluates remedies."
Although the commission has not spelled out what actions it might demand Microsoft take, agency spokesman Jonathan Todd has provided some clues. Microsoft could be fined, forced to let users choose alternate browsers to install in Windows or ordered to allow users to disable IE if a different browser is desired.
Speaking of remedies, Mitchell Baker, former CEO of Mozilla and currently the chairman of the nonprofit Mozilla Foundation, today offered her take on changes Microsoft might be required to make.
In a blog entry of her own, Baker, who has been commenting regularly on the issue since Mozilla joined the case as an interested party, listed several potential cures, but stopped short of calling them recommendations. One possibility would be to make Microsoft divulge all APIs available to IE to other browser builders, while another would require Microsoft to offer rival browsers whenever IE or Windows is updated, she said.
Other ideas she offered up ranged from bundling Windows with multiple browsers to including none at all. "This implementation ... has some obvious drawbacks for users," Baker acknowledged.
One antitrust expert has called the EU's investigation pointless.
"I just don't see what it adds to the final judgment in the U.S. case," said William Page, co-author of The Microsoft Case: Antitrust, High Technology, and Consumer Welfare, (University of Chicago Press, 2009) and a member of the faculty of the Levin College of Law at the University of Florida. "OEMs are already free to delete most of the visible evidence of [Internet Explorer] and to install another browser if they want."
According to Web measurement company Net Applications Inc., IE accounted for 67.6% of the browser market in January, the lowest number since the company began compiling data in 2005. Firefox, meanwhile, held down a 21.5% share, while Apple Inc.'s Safari and Google's Chrome ended the month with 8.3% and 1.1%, respectively.
By Gregg Keizer
computerworld
"We are applying to become a third party in the European Commission's proceeding," Sundar Pichai, Google's vice president of product management, said in a company blog today.
Last month, the EU's commission submitted a preliminary list of charges, or statement of objections, to Microsoft, and accused it of shielding Internet Explorer (IE) from competition by bundling it with Windows.
Mozilla Corp., the maker of Firefox, had earlier been granted "interested third-party" status, which allows it to submit arguments to regulators, to see the charge sheet the commission sent Microsoft and to participate in a face-to-face hearing if Microsoft requests one.
The Norwegian browser developer Opera Software ASA filed the original complaint with the commission in late 2007.
Pichai said Google is getting involved because the field tilts toward Microsoft. "The browser market is still largely uncompetitive, which holds back innovation for users," he said. "This is because Internet Explorer is tied to Microsoft's dominant computer operating system, giving it an unfair advantage over other browsers."
Google, which launched its own Chrome only last September, cited such features as browser tabs and privacy modes as some of the things that have appeared because of competition among browser makers.
"We believe that we can contribute to this debate," added Pichai. "We learned a lot from launching Chrome last year and are hoping that Google's perspective will be useful as the commission evaluates remedies."
Although the commission has not spelled out what actions it might demand Microsoft take, agency spokesman Jonathan Todd has provided some clues. Microsoft could be fined, forced to let users choose alternate browsers to install in Windows or ordered to allow users to disable IE if a different browser is desired.
Speaking of remedies, Mitchell Baker, former CEO of Mozilla and currently the chairman of the nonprofit Mozilla Foundation, today offered her take on changes Microsoft might be required to make.
In a blog entry of her own, Baker, who has been commenting regularly on the issue since Mozilla joined the case as an interested party, listed several potential cures, but stopped short of calling them recommendations. One possibility would be to make Microsoft divulge all APIs available to IE to other browser builders, while another would require Microsoft to offer rival browsers whenever IE or Windows is updated, she said.
Other ideas she offered up ranged from bundling Windows with multiple browsers to including none at all. "This implementation ... has some obvious drawbacks for users," Baker acknowledged.
One antitrust expert has called the EU's investigation pointless.
"I just don't see what it adds to the final judgment in the U.S. case," said William Page, co-author of The Microsoft Case: Antitrust, High Technology, and Consumer Welfare, (University of Chicago Press, 2009) and a member of the faculty of the Levin College of Law at the University of Florida. "OEMs are already free to delete most of the visible evidence of [Internet Explorer] and to install another browser if they want."
According to Web measurement company Net Applications Inc., IE accounted for 67.6% of the browser market in January, the lowest number since the company began compiling data in 2005. Firefox, meanwhile, held down a 21.5% share, while Apple Inc.'s Safari and Google's Chrome ended the month with 8.3% and 1.1%, respectively.
By Gregg Keizer
computerworld
Friday, February 20, 2009
Pirate Bay Trial Turns into a Circus
If nothing else, the copyright infringement trial of The Pirate Bay Four in Sweden is turning into an entertaining spectacle. For courtroom drama, it's got it all: Irreverent defendants joking with prosecutors; rabid anti-copyright proponents with megaphones; a hacked recording industry website; and even a cool pirate bus parked outside the court.
As an Ars Technica report indicates, The Pirate Bay defendants are either indifferent to the ways of business, including eye-glazing details like contracts and copyright law, or they're really good at faking it. Defendant Fredrik Neij, who owns The Pirate Bay's domain, told prosecutors that he never read a contract he signed that stated he would oversee the site's operations.
Prosecutors also tried to show that the Pirate Bay team knew all along that the site linked to copyrighted material. They asked Neij about a speech he made in 2006, where he said the site had received numerous threats from copyright owners. Neij replied that he hadn't written the speech, apparently implying that he wasn't clear on its contents.
Whatever they may lack in business acumen, the defendants definitely have a sense of humor. Wired reports that The Pirate Bay crew ran into prosecutors at an Italian restaurant on Wednesday, where the defendants jokingly tried to get the Suits to pick up the check. (They failed.)
Meanwhile, hackers defaced the Swedish website of the International Federation of the Phonographic Industry. But defendant Peter Sunde urged Pirate Bay supporters to give it a rest, adding that website defacing would only "reflect on us badly."
The Pirate Bay trial really comes down to this: It's the Kids vs. the Parents. The Kids, who admittedly are funnier and hipper (and probably smarter) than the Parents, wants to download copyright-protected stuff for free. The Parents want them to pay for it
Jeff Bertolucci, PC World
As an Ars Technica report indicates, The Pirate Bay defendants are either indifferent to the ways of business, including eye-glazing details like contracts and copyright law, or they're really good at faking it. Defendant Fredrik Neij, who owns The Pirate Bay's domain, told prosecutors that he never read a contract he signed that stated he would oversee the site's operations.
Prosecutors also tried to show that the Pirate Bay team knew all along that the site linked to copyrighted material. They asked Neij about a speech he made in 2006, where he said the site had received numerous threats from copyright owners. Neij replied that he hadn't written the speech, apparently implying that he wasn't clear on its contents.
Whatever they may lack in business acumen, the defendants definitely have a sense of humor. Wired reports that The Pirate Bay crew ran into prosecutors at an Italian restaurant on Wednesday, where the defendants jokingly tried to get the Suits to pick up the check. (They failed.)
Meanwhile, hackers defaced the Swedish website of the International Federation of the Phonographic Industry. But defendant Peter Sunde urged Pirate Bay supporters to give it a rest, adding that website defacing would only "reflect on us badly."
The Pirate Bay trial really comes down to this: It's the Kids vs. the Parents. The Kids, who admittedly are funnier and hipper (and probably smarter) than the Parents, wants to download copyright-protected stuff for free. The Parents want them to pay for it
Jeff Bertolucci, PC World
SAP buys PaaS vendor Coghead's intellectual property
SAP has purchased the intellectual-property rights of PaaS (platform as a service) vendor Coghead, and for now will use it only as an internal tool, according to an SAP spokeswoman. Terms were not disclosed.
Coghead recently told customers it planned to shut down its service due to economic factors, but did not mention the SAP deal in its announcement.
SAP will reveal more about how it plans to use the technology in coming weeks, but has no current intentions to sell it as a commercial service, according to the spokeswoman. The company is "working to help Coghead customers transition to new service providers without interruption."
Coghead's platform provides a visual editing environment, workflow and integration tools and a database, along with underlying infrastructure through Amazon's Elastic Compute Cloud. It is one of a wide range of PaaS offerings from the likes of Salesforce.com, Google and Microsoft, as well as smaller players such as Caspio.
A number of these vendors are offering Coghead customers incentives to migrate their applications.
As for Coghead's technology, it fits well with SAP, having been popular among SAP's developer community, according to Redmonk analyst Michael Coté.
There is also a "thriving subculture" of SAP developers who are interested in using emerging technologies, he said.
One example of this is the Enterprise Social Messaging Experiment, a Twitter-like messaging service being developed by SAP community members, Coté said.
In addition, SAP's venture capital arm had made an investment in Coghead, a move that "sort of blessed it for use," Coté said.
Meanwhile, SAP is moving more broadly into Web-based commercial software, both through its nascent Business ByDesign on-demand ERP (enterprise resource planning) software for the midmarket, as well as as-yet unannounced cloud-based services for on-premise software systems.
Coghead recently told customers it planned to shut down its service due to economic factors, but did not mention the SAP deal in its announcement.
SAP will reveal more about how it plans to use the technology in coming weeks, but has no current intentions to sell it as a commercial service, according to the spokeswoman. The company is "working to help Coghead customers transition to new service providers without interruption."
Coghead's platform provides a visual editing environment, workflow and integration tools and a database, along with underlying infrastructure through Amazon's Elastic Compute Cloud. It is one of a wide range of PaaS offerings from the likes of Salesforce.com, Google and Microsoft, as well as smaller players such as Caspio.
A number of these vendors are offering Coghead customers incentives to migrate their applications.
As for Coghead's technology, it fits well with SAP, having been popular among SAP's developer community, according to Redmonk analyst Michael Coté.
There is also a "thriving subculture" of SAP developers who are interested in using emerging technologies, he said.
One example of this is the Enterprise Social Messaging Experiment, a Twitter-like messaging service being developed by SAP community members, Coté said.
In addition, SAP's venture capital arm had made an investment in Coghead, a move that "sort of blessed it for use," Coté said.
Meanwhile, SAP is moving more broadly into Web-based commercial software, both through its nascent Business ByDesign on-demand ERP (enterprise resource planning) software for the midmarket, as well as as-yet unannounced cloud-based services for on-premise software systems.
Take Windows 7 for a spin with VirtualBox
Everyone likes to try new and shiny technology toys like the Windows 7 beta, but when the price is having to replace your existing operating system, that's too much for most people. That's when being able to use a virtualization program can come in darn handy.
To test out how well Windows 7 works on a virtualized system, I decided to use Sun's VirtualBox software. While there are, of course, other virtualization programs out there, such as VMware's Workstation and Parallels Desktop, VirtualBox has two significant advantages over the others. First, it's free. Second, you can use it with several operating systems, including Windows, Linux, Macintosh and OpenSolaris.
In my case, I decided to use VirtualBox to run Windows 7 on two Dell Inspiron 530S systems, one running Windows XP Pro SP3 and the other running MEPIS 7 Linux. Each PC came with a 2.2-GHz Intel Pentium E2200 dual-core processor with an 800-MHz front-side bus, 4GB of RAM, a 500GB SATA drive and an Integrated Intel 3100 Graphics Media Accelerator. While not powerful systems, these proved to have more than enough CPU power to run both their native operating system and Windows 7.
Running VirtualBox
VirtualBox comes in two editions. The full VirtualBox is free for personal use and evaluation, but doesn't come with the complete source code. VirtualBox OSE (Open Source Edition), also free, does come with the source code and includes several enterprise-level features, such as an RDP (Remote Display Protocol) Server and USB support. (Other virtualization applications, like Xen, require tweaking before they'll support USB.) Both versions can run Windows 7.
In general, you'll need at least 1GB of RAM to run VirtualBox and a guest operating system. More RAM is always better. In my testing, I found that Windows 7 would actually run on as little as 512MB, while Vista really needs at least 1GB of its own.
VirtualBox should run on any recent CPU, but it does best with high-end processors that support hardware virtualization enhancements such as Intel's VT-x and Advanced Micro Devices' AMD-V.
The first step is to download a copy of VirtualBox. To run Windows 7 successfully, you'll need at least VirtualBox 2.1.0 -- I ran it on the latest version, VirtualBox 2.1.2.
If you're a Linux or OpenSolaris user, you can also obtain a copy using your software package manager program. VirtualBox supports openSUSE, Fedora, Ubuntu, Debian, Mandriva, PCLinuxOS, RHEL (Red Hat Enterprise Linux), SLE (SUSE Linux Enterprise) and Xandros. You can also find additional support, both for specific operating systems and in general, in the FAQ file and in the User Manual (PDF).
On Windows and Mac OS X, installation requires little more than clicking on the installation file and letting it run. It's a bit more complicated on Linux and OpenSolaris. On Solaris, you need to compile the program. On Linux, you'll need to follow some additional steps, which are described in the Linux download section.
Finally, if you need more guidance, you can find step-by-step instructions for VirtualBox 2.1.0 at the Two Guys Tech site.
Setting up the VM
Your next step is to set up a new virtual machine for Windows 7. You do this by clicking the New button, which will then ask you how big a hard drive you want for the operating system. The default is to give it a 20GB virtual hard drive. With Windows 7, I decided to give it a more generous 40GB. You can also let VirtualBox dynamically determine how much hard drive room an operating system can have, but I prefer to decide for myself.
This done, you set up how much RAM and video memory Windows 7 can have. I prefer to give the operating system an ample 1GB of RAM and 128MB of video memory. You can get by with less, but you'll start noticing system delays.
VirtualBox also lets you set up 3-D graphics acceleration and access optical discs, USB devices, shared drives and so on through its main interface. You can set this up after you have Windows 7 installed, but I prefer to get this basic configuration out of the way first.
Installing Windows 7
With this done, you're ready to actually install Windows 7. You can either run the installation from a DVD or just load the Windows 7 ISO image file. Since I hate wasting time, I loaded the ISO. VirtualBox can load ISOs over both a network or from a local drive.
On both the Linux and Windows test systems, the Windows 7 installation was a snore. It took about half an hour, and the only thing I had to do was to set the proper time zone and enter the Windows 7 beta product key.
Once in place, I also loaded VirtualBox Guest Additions -- an additional set of functions that includes mouse integration (so you can mouse over from Windows 7 to your host desktop and back again without needing to hit the right-hand control button) and the ability to run the VM as a full desktop. They only work with Linux and Windows guest operating systems. But in either case, they're darn useful.
To install the Guest Additions (which downloads automatically with VirtualBox), you need to be running the VM and choose Devices --> Install Guest Additions from the VirtualBox main menu.
I found Windows 7 to run quite well as a VM under both MEPIS Linux and Windows XP SP3. As far as I'm concerned, the Windows 7 beta actually runs better than Vista SP1.
You should be aware, though, of some fundamental differences between running an operating system in a VM and running it natively. The most common problem is the inability to use the higher performance features of graphics, audio or network cards. That's because, like most virtualization software, VirtualBox provides the guest operating system with a virtual VESA-compatible graphics card, a virtual Intel ICH AC '97 audio and several virtual network cards. In short, your virtual Windows 7 can't use your high-end graphics card or what-have-you because only the host system has access to it, not the guest operating system, which must use virtual drivers instead.
Still, unless you want to run a high-end game, you're not going to notice these lacks. VirtualBox gives you everything most of you will need to decide for yourself whether Windows 7 will be worth your time. As far as I'm concerned, Windows 7 and VirtualBox are a great combination.
By Steven J. Vaughan-Nichols
computerworld
To test out how well Windows 7 works on a virtualized system, I decided to use Sun's VirtualBox software. While there are, of course, other virtualization programs out there, such as VMware's Workstation and Parallels Desktop, VirtualBox has two significant advantages over the others. First, it's free. Second, you can use it with several operating systems, including Windows, Linux, Macintosh and OpenSolaris.
In my case, I decided to use VirtualBox to run Windows 7 on two Dell Inspiron 530S systems, one running Windows XP Pro SP3 and the other running MEPIS 7 Linux. Each PC came with a 2.2-GHz Intel Pentium E2200 dual-core processor with an 800-MHz front-side bus, 4GB of RAM, a 500GB SATA drive and an Integrated Intel 3100 Graphics Media Accelerator. While not powerful systems, these proved to have more than enough CPU power to run both their native operating system and Windows 7.
Running VirtualBox
VirtualBox comes in two editions. The full VirtualBox is free for personal use and evaluation, but doesn't come with the complete source code. VirtualBox OSE (Open Source Edition), also free, does come with the source code and includes several enterprise-level features, such as an RDP (Remote Display Protocol) Server and USB support. (Other virtualization applications, like Xen, require tweaking before they'll support USB.) Both versions can run Windows 7.
In general, you'll need at least 1GB of RAM to run VirtualBox and a guest operating system. More RAM is always better. In my testing, I found that Windows 7 would actually run on as little as 512MB, while Vista really needs at least 1GB of its own.
VirtualBox should run on any recent CPU, but it does best with high-end processors that support hardware virtualization enhancements such as Intel's VT-x and Advanced Micro Devices' AMD-V.
The first step is to download a copy of VirtualBox. To run Windows 7 successfully, you'll need at least VirtualBox 2.1.0 -- I ran it on the latest version, VirtualBox 2.1.2.
If you're a Linux or OpenSolaris user, you can also obtain a copy using your software package manager program. VirtualBox supports openSUSE, Fedora, Ubuntu, Debian, Mandriva, PCLinuxOS, RHEL (Red Hat Enterprise Linux), SLE (SUSE Linux Enterprise) and Xandros. You can also find additional support, both for specific operating systems and in general, in the FAQ file and in the User Manual (PDF).
On Windows and Mac OS X, installation requires little more than clicking on the installation file and letting it run. It's a bit more complicated on Linux and OpenSolaris. On Solaris, you need to compile the program. On Linux, you'll need to follow some additional steps, which are described in the Linux download section.
Finally, if you need more guidance, you can find step-by-step instructions for VirtualBox 2.1.0 at the Two Guys Tech site.
Setting up the VM
Your next step is to set up a new virtual machine for Windows 7. You do this by clicking the New button, which will then ask you how big a hard drive you want for the operating system. The default is to give it a 20GB virtual hard drive. With Windows 7, I decided to give it a more generous 40GB. You can also let VirtualBox dynamically determine how much hard drive room an operating system can have, but I prefer to decide for myself.
This done, you set up how much RAM and video memory Windows 7 can have. I prefer to give the operating system an ample 1GB of RAM and 128MB of video memory. You can get by with less, but you'll start noticing system delays.
VirtualBox also lets you set up 3-D graphics acceleration and access optical discs, USB devices, shared drives and so on through its main interface. You can set this up after you have Windows 7 installed, but I prefer to get this basic configuration out of the way first.
Installing Windows 7
With this done, you're ready to actually install Windows 7. You can either run the installation from a DVD or just load the Windows 7 ISO image file. Since I hate wasting time, I loaded the ISO. VirtualBox can load ISOs over both a network or from a local drive.
On both the Linux and Windows test systems, the Windows 7 installation was a snore. It took about half an hour, and the only thing I had to do was to set the proper time zone and enter the Windows 7 beta product key.
Once in place, I also loaded VirtualBox Guest Additions -- an additional set of functions that includes mouse integration (so you can mouse over from Windows 7 to your host desktop and back again without needing to hit the right-hand control button) and the ability to run the VM as a full desktop. They only work with Linux and Windows guest operating systems. But in either case, they're darn useful.
To install the Guest Additions (which downloads automatically with VirtualBox), you need to be running the VM and choose Devices --> Install Guest Additions from the VirtualBox main menu.
I found Windows 7 to run quite well as a VM under both MEPIS Linux and Windows XP SP3. As far as I'm concerned, the Windows 7 beta actually runs better than Vista SP1.
You should be aware, though, of some fundamental differences between running an operating system in a VM and running it natively. The most common problem is the inability to use the higher performance features of graphics, audio or network cards. That's because, like most virtualization software, VirtualBox provides the guest operating system with a virtual VESA-compatible graphics card, a virtual Intel ICH AC '97 audio and several virtual network cards. In short, your virtual Windows 7 can't use your high-end graphics card or what-have-you because only the host system has access to it, not the guest operating system, which must use virtual drivers instead.
Still, unless you want to run a high-end game, you're not going to notice these lacks. VirtualBox gives you everything most of you will need to decide for yourself whether Windows 7 will be worth your time. As far as I'm concerned, Windows 7 and VirtualBox are a great combination.
By Steven J. Vaughan-Nichols
computerworld
Subscribe to:
Posts (Atom)
