Third most popular password: “Alejandra.”
Google explains browsers to newbies.
PhotoSketch is cool, cool, cool.
Steve Ballmer eats Vista crow.
Why tablet PCs never succeeded.
What’s up with Microsoft’s “Pink?”
Gizmodo tries life without cable.
Palm unveils WebOS developer program.
Ask.com’s new search offering: coupons.
________________________
Like 5Words? Subscribe via RSS.
Today, Microsoft released Microsoft Security Essentials, a basic security suite that competes with such established anti-virus freebies as Avast Home Edition and AVG Free. BetaNews’s Joe Wilcox raises an interesting question about it:
The question: Should Microsoft offer free security software to consumers? Absolutely. There is no choice, and Microsoft would do customers better by fully integrating security software into Windows 7. But Microsoft has enough antitrust problems in Europe to make including antivirus risky business.
Security issues have bedeviled Windows users for around a decade and a half now. And while Microsoft bundles an anti-spyware utility with Windows and tried selling anti-virus software before deciding to give it away.
At first blush, Microsoft giving away Windows anti-virus feels a little like a car company offering airbags as a complementary but optional upgrade rather than simply making them standard. Ultimately, though, I think it’s the right way to go about things: If Windows had built-in anti-virus, it would likely slaughter the market for third-party anti-virus. And years of history tell us that Microsoft products tend to fester when they don’t have active, successful competition (and sometimes even when they do).
Then there’s the matter of anti-trust issues: Even if Microsoft wanted to build anti-virus into Windows, it might be very, very nervous about legal action by Symantec and McAfee and all the other companies who don’t wanted to get Netscaped.
I am, of course, leading up to a T-Poll here:
Microsoft’s free security suite ships.
More stuff about Microsoft Courier.
Dell’s cord-free charging Latitude Z.
Apple, swipe Zune HD features.
T-Mobile’s poised to sell Cliq.
Google Docs caters to students.
Wize product search engine redesigned.
________________________
Like 5Words? Subscribe via RSS.
It’s not a gross exaggeration to say that without short URLs from services such as Bit.ly and TinyURL, Twitter might not have become the sensation that it is. They enable the sharing of interesting links and photos and generally let the service transcend its 140-character limit. But they also bring some major gotchas, such as the possibility of your links breaking if the short URL provider goes out of business or simply loses interest.
Another basic problem with short URLs: They can be dangerous. The very idea behind them is that they’re short (and therefore cryptic) but can redirect you to any URL. But the URLs they redirect to can send you to malware-infested sites–and since you see the short URL rather than the real one, you don’t have the opportunity to inspect the address for tell-tale signs that it’s risky.
Security software kingpin Symantec is understandably interested in short-URL security, and produced this video showing some sleazy ones on Twitter:
If you can see the real URL before you click, there’s a very good chance you’ll figure out it’s not something you want to visit. Which is part of why many third-party Twitter apps (such as Seesmic) let you preview the true URL. Weirdly, Twitter itself only provides this capability in its search.twitter.com feature, via “expand” links (which don’t appear next to all short URLs–you don’t get them with Digg links, for instance).
Seems to me that it would be fairly simple for Twitter to make short URLs a whole lot more useful and a whole lot less insecure. Here, I’ll map out a course of action:
1) Twitter should launch its own URL-shortening feature*. (Currently, it uses Bit.ly as its default service.) It’ll tick off every third-party shortener and probably drive most of them out of business, but the benefits to Twitter users will ultimately be worth it. If Twitter itself controls the short URLs, they’ll work for as long as there’s a Twitter, and the company will gain the ability to make them better than existing ones.
2) It should institute a short-URL expansion feature throughout the site–and instead of making you click an “expand” link, it should autoexpand them so the short link never appears. If users need to take the extra step of clicking to see the real link, they may or may not bother–but if the real one is staring them in the face, many questionable URLs will be manifestly obvious. (And some scammers probably won’t even bother to try and do their dirty work via Twitter.)
3) It should put the real URLs that short URLs point to through a malware-detection feature along the lines of ones that are now standard in Web browsers. If a real URL looks suspicious, Twitter shouldn’t permit it to be turned into a short URL in the first place. (Again, doing this should not only foil malware links that do get through, but should discourage scammers from bothering in the first place.)
*If Twitter is really worried about destroying third-party URL shorteners, it could accomplish most of the above without launching its own service, by launching an API (with malware detection and other enhancements) that other URL shortener can take advantage of. Even if it does create its own service, it needs an API so that third-party Twitter clients can bring all of its goodness to their users.
The above game plan would require some time and money, but if Twitter’s ambition is to be the pulse of the planet, it’s going to be responsible for taking actions that make it harder for the bad guys to screw things up for the good guys. And if the company really has a hundred million bucks to play with, it should throw a little of the dough towards solving this problem once and for all.
MediaPost is reporting that Rocky Mountain Bank, a small institution in Wyoming, accidentally e-mailed the names, Social Security numbers, addresses, and loan information to a Gmail address. When it realized its mistake, it e-mailed the address again and got no response–so it went to court, and a California appellate court judge has told Google that it must deactivate the Gmail address in question. Even though nobody’s accused the e-mail recipient of doing anything wrong.
MediaPost’s story leaves multiple obvious questions unaddressed, so I’m cautious about expressing any opinion at all about this story. The biggest one: Does anyone know who the Gmail account belongs to, and has anyone made any attempt to contact its owner other than Rocky Mountain’s initial e-mail? Do we know that the recipient is using the account at all? Do we know who this person is?
The temptation to heap scorn upon District Court Judge James Ware is obvious, but I’m most appalled by the reported initial actions of Rocky Mountain Bank. Why was anyone there e-mailing Social Security numbers to anyone? The company has a security statement on its site explaining the measures it takes to protect customers’ Social Security numbers, but I find no acknowledgement of this Gmail incident. (“Dear customer: We accidentally leaked your private information to a random stranger, and we’re not sure what he or she is doing with it. Our apologies, etc., etc.”)
While I was rummaging around the Rocky Mountain site hoping to find useful information, I clicked on the Letter From CEO link, and got this:
Doesn’t exactly inspire vast amounts of confidence, does it?
Like 5Words? Subscribe via RSS.
Microsoft sues malware advertisers. Good!
Hulu’s readying a subscription service?
Hey, yet another Skype lawsuit!
Burglars: Don’t check out Facebook!
Wireless charging for Dell laptop?
Wimax users are apparently nonplussed.
Like 5Words? Subscribe via RSS.
How NYTimes.com suffered malware attack.
Lenovo launches multi-touch laptops.
Obligatory Apple tablet rumor story.
Seagate’s second-generation TV box.
HP MediaSmart servers: Mac friendlier.
Bing Visual Search? No thanks.
Apple has delivered a service pack for its Snow Leopard operating system just a matter of two weeks after it shipped. The company says that the update will “enhance the stability, compatibility, and security of your Mac.”
The update targets specific issues such as device driver compatibility and performance, stuck DVD drives, and SMTP routing. More importantly, it fixes three major security vulnerabilities, including one that Apple introduced by bundling an outdated version of Adobe’s Flash run time that had a well-publicized security hole.
Apple already patched existing versions of OS X for the vulnerability in July. That should have been a showstopper for Snow Leopard’s distribution.
I know you’re not always happy with your PC, so here are three fixes to some of the annoyances you’ve sent to me.
The Annoyance: I have lots of MP3s I’ve ripped onto my hard drive from CDs. Nothing seems to play at the same volume level. When I play Copeland’s “Fanfare,” it’s loud enough to make the dog jump, yet all of Dave Brubeck’s music is way too soft.
The Fix: When you use Windows Media Player to burn music into a CD, the trick is to adjust–or normalize–the sound level as you’re burning the MP3s to the CD. Do that from the Burn menu by enabling Apply volume level across tracks on the CD. Normalization doesn’t work in WMP when you’re ripping MP3s from a CD to disk. Unfathomable, I know, but it’s Microsoft’s party. So use FairStars CD Ripper to do the job. The freebie does its job, normalizes the cuts, and handles plenty of file formats, including WAV, MP3, WMA, and more obscure ones, such as APE and VQF.
While Apple still has significant security work ahead of it, its Snow Leopard operating system makes prudent progress toward securing Mac OS X. But a security expert says that Apple is still playing catch up to Windows.
That is the opinion of Charlie Miller, a leading Mac security researcher. Miller is co-author of The Mac Hacker’s Handbook, and is also known for discovering critical vulnerabilities in the OS. He told CNET today that Snow Leopard “made some improvements,” but has not implemented some of the security features that Microsoft built into Windows Vista in 2007.
After being slammed with a series of major security incidents at the start of the decade, Microsoft made security a part of its development lifecycle. Products cannot ship from Microsoft unless they have gone through a review process, and consequently, the number of security vulnerabilities in its products has dropped markedly. It was tough, expensive work, and required a strong commitment from management.
Microsoft is now making its Security Development Lifecycle (SDL), as well as some of its internal security tools, available to developers in an effort to secure Windows applications as well as the OS itself. Apple has not taken similar steps.
To the best of my knowledge, Apple is still lacking an SDL-like approach to software development. That might be why I’ve had to download several massive security roll ups to patch my Mac over the past two months. As much as I love my iMac, the experience reminds me of Microsoft just a few years back.
However, Snow Leopard demonstrates that Apple, like Microsoft, has made security a higher priority. To thwart attacks, Snow Leopard introduces limited malware protection, and other protections including improved Address Space Layout Randomization (ASLR), and Data Execution Prevention (DEP). It also sandboxes applications, which is made possible through mandatory access control that was introduced in Leopard.
I have made no bones about my opinion that Apple has done a lackluster job at security, but it deserves credit for moving in the right direction.
