Apple vs Android

Steve Jobs’ legacy at Apple Inc. goes well beyond cool gadgets, a thriving retail chain and a music empire. He also launched the company’s all-out legal war on Google Inc.

In the last months of Jobs’ life, Apple unleashed a patent-suit blitzkrieg on its Silicon Valley rival, filing 10 lawsuits in six countries that accuse the Internet search giant of stealing its smartphone and tablet computer technology.

The campaign is rooted in Jobs’ belief that Google and mobile device manufacturers that use its Android software copied key design and technology features from Apple’s iPhone and iPad.

 

“I’m willing to go to thermonuclear war on this,” Jobs told author Walter Isaacson for his recently released biography. “I’m going to destroy Android, because it’s a stolen product.”

He then vowed to battle Google until “my last dying breath.”

Google and manufacturers using Android are vigorously contesting Apple’s claims, which could take years to play out in court. But one thing is certain: There is a lot at stake for the company Jobs built. If it is unable to protect the iPhone’s distinctive look and feel, lower-cost competitors imitating its technology could threaten the future of its most profitable products, analysts say.

“Unless they can keep Android at bay, they cannot sustain their incredibly high margins,” said Florian Mueller, a patent specialist who has been closely following the disputes. “They’ll have to compete with much lower-priced devices with essentially the same features coming out of China and other places.”

Alternatively, victories by Apple would enable it to extract hefty ransoms from any phone maker that uses Apple-like technology, or even force its rivals to water down or remove popular features from their smartphones, including screens that respond to multiple finger touches, the graphical display of text messages, and the way users send email and browse the Internet.

That type of technological rollback, analysts and patent attorneys say, could demolish much of Google’s recent success in the $160 billion smartphone market, and gain Apple an unparalleled advantage in the industry. The market is growing rapidly as many consumers dump simpler cellphones for the more powerful and versatile smartphones.

“Some of the revelations from the Jobs biography suggest that this is almost a religious war,” said Toni Sacconaghi, an analyst at Sanford C. Bernstein Co. The question is whether Apple’s battle is based on a rigorous legal analysis of the company’s patent holdings or part of a personal vendetta by the company’s late co-founder, he said.

Apple’s aggressive legal attack comes as it is losing ground to its rivals in the smartphone industry. Samsung Corp., whose devices run Google’s Android software, dethroned Apple in the most recent quarter to become the world’s largest vendor of smartphones, accounting for nearly a quarter of handsets sold last quarter, compared with about 1 in 7 for Apple, according to data from Britain-based Strategy Analytics.

Apple has hired some of the nation’s top patent lawyers, including William F. Lee of WilmerHale, who helped win networking chip maker Broadcom Corp. an $891 million infringement settlement against rival Qualcomm Inc., and Harold McElhinny of Morrison & Foerster, who led Pioneer Corp. to a $59 million judgment against Samsung.

In recent weeks, Apple has been successful in temporarily banning sales of Android-powered tablets in Australia, Germany and the Netherlands. The company is now involved in lawsuits covering dozens of patents, some of which date to the technology created for 1990s-era personal computers designed a decade before smartphones were invented.

But what may look like a shotgun approach may actually be a carefully crafted battle plan. Apple is using its initial round of lawsuits to see which of its many patent claims can survive intense legal scrutiny, analysts said. The ones that are successful will become the spearhead of Apple’s litigation strategy.

“Once they’ve found the battle-tested patents that can survive challenges,” Mueller said, “they’re going to assemble all of them, put the winning team together and enforce them against everyone.”

Although Apple’s patent war stretches around the globe, the heaviest assault is in the U.S. The company is currently locking horns with Samsung in separate federal lawsuits in Washington, Delaware and Northern California, where Apple’s attorneys have demanded court orders preventing Samsung from selling its smartphones and tablets in the U.S.

“This kind of blatant copying is wrong,” Apple spokeswoman Kristin Huguet said in a statement. “We need to protect Apple’s intellectual property when companies steal our ideas.”

Google has called the patent attacks “bogus,” but in August it made a major move to defend itself, announcing the largest acquisition in its 13-year history by paying $12.5 billion in cash for Motorola Mobility Holdings Inc., one of the leading Android manufacturers and the holder of 17,000 technology patents that Google could use as ammunition to fend off the lawsuits.

Google allies Samsung and HTC Corp., two major device makers, are also striking back against Apple, filing countersuits that ask courts around the world to ban Apple’s iPhone and iPad devices. Each patent case can cost upward of $8 million, according to attorneys and analysts.

So far, Samsung has had mixed results with its legal fusillade against Apple, with courts in Italy and the Netherlands initially denying its motions to bar sales of Apple’s recently released iPhone 4S.

Samsung has denied that its phones infringe Apple’s patents, and has instead accused Apple of illicitly using Samsung communications technology in multiple iPhone, iPod and iPad models. The company said it has spent tens of billions developing its own digital technology in recent years, and has amassed nearly 30,000 patents in the U.S. alone.

Apple “continues to violate our intellectual property rights by selling these products,” Kim Titus, director of public relations for Samsung Telecommunications America, said in a statement. “The courts will find Apple has indeed been free-riding on our technology.”

But many of the technologies that these patents protect are so abstruse or vague that companies may end up running afoul of the law without even knowing it, said Bijal V. Vakil, a partner at law firm White & Case in Palo Alto, Calif.

“It’s become a virtually unmanageable task to go and see if you have the freedom to operate,” he said. “Procedurally it would be impossible to check all of (the valid patents) – even large companies can’t afford to do that.”

Many organizations around the world fear competition. They are scared that another bigger badder organization is going to come along that can offer the same features and benefits but will offer them: quicker, cheaper, with more customization, with better customer service, etc. Competition is actually a good thing, in fact it’s a great thing.

Without competition, Apple would never have created its iPod, Microsoft would never have created Windows, and Google would probably be non-existent. Competition is essential because it leads to one very important thing: innovation.

People are always looking for products with more features and capabilities, products that cost less but can do more, and products that just plain solve their needs/wants better than any other product can. When companies compete, consumers get what they want.

Competition pushes you to be more creative and innovate, and to truly master your skill set. A lack of competition may lead to your skills getting stale or hitting a plateau. Competition sharpens your skills and ultimately helps you achieve long-term success.

Google Chrome at 3

It’s hard to believe it’s been only three years since the Google Chrome browser debuted. According to the latest market share statistics from usage-tracking firm Net Applications, Chrome now has 15.51 percent of the desktop browser market–a meteoric rise for an app that entered a crowded market dominated by neighborhood bully Microsoft Internet Explorer.

Chrome is third among desktop browsers, behind number one IE (over 55 percent of the market), and Mozilla Firefox (nearly 23 percent).

What’s the secret to Chrome’s success? “Speed, simplicity and security,” write Google software engineers Ben Goodger and Darin Fisher in a Thursday post on the Google Data blog. Competing browsers, of course, are making strides in the Three S’s as well. But Chrome’s virtues are proving powerful enough to lure users away from IE and Firefox.

As Goodger and Fisher point out, Chrome has made great strides over the past 12 months, adding faster JavaScript performance, speedier page-loading times, a much-needed print preview feature, and various other upgrades. http://evolutionofweb.appspot.com/

 

Evolution of the Web

Is the Web better with Chrome? Satisfied users of other browsers would certainly disagree, but I think so. I switched to Chrome from IE last year and haven’t looked back.

I only hope that Google’s breakneck update schedule doesn’t pile on too many new features that turn Chrome sluggish. The browser’s peppy performance is its most appealing trait.

I totally dumped Firefox for a few reasons: 1. Foxmarks Sync was ungainly slow. 2. Speedial was broken. 3. Sage RSS was broken and not being developed.

If you’re not using Google Chrome now, please try it for a week and see how you like it.

Giving Linux with tact

Linux is one of the most secure and stable operating systems around, and with Android devices becoming ubiquitous at 550,000-plus activations daily, you would think that Linux would be more prevalent on the computer desktop. On the back-end side of the network, Linux servers do support the majority of the web and the services we normally expect, namely Google, Facebook and a host of others.

But what about the rest of us? If you, like any other Linux user, are disappointed by the current market share stats, we can tell you some simple tips that will help you convince your Windows or Mac-crazy friends to use Linux.

 

Now, many Linux users have already tried to coax their friends and family members to try out this popular and newbie-friendly distro called Linux Mint. A select few have succeeded and many have failed. So here, we will give you some important tips to help you spread the word about Linux without sounding like that arrogant nerd who has nothing but contempt for Windows or Mac.

 Show, don’t tell

Yes, this is the first and the most important thing you need to do if you have to convince a Windows or a Mac user to use Linux. Ubuntu, Linux Mint and many other distros look extremely beautiful, and honestly, the latest version of Ubuntu (Ubuntu 11.10) looks just as good as a Mac. But hey, if you’re just going to tell them that, do you think they’ll believe you? Even if they do believe you, they’ll still have no idea what Ubuntu or whatever you’re talking about looks like. My suggestion is, you take your own Linux laptop, hand it over to them and let them play around with it. If you’re on Ubuntu I’d recommend opening a new Guest session and handing over the laptop to them. That way, they’ll have a better idea of how beautiful even an uncustomized desktop looks. If it is impossible to show the desktop to your friend, send him or her a YouTube video of the desktop.

The Show Don’t Tell policy also applies to feature comparisons. Let’s say you want to outline the salient features of Linux. Instead of giving a huge lecture about how virus-free, how fragmentation-free, how fast the desktop is, just show it to them. Take their Windows/Mac laptop and put it beside your own desktop. Start a timer and show your friend how fast it boots. I hate to repeat, but just show it, don’t talk about it.

Stop telling them Windows is bad, they already know it

For a Linux user trying to convince a Windows user into the light side, there’s always the Windows-bashing that comes in handy. At least that’s what many Linux users think. Windows-bashing is great, everyone curses that dreaded operating system, but there’s no point telling a Windows user about it. I’m pretty sure he or she already knows about it. There must at least be a thousand Windows users cursing Microsoft even as you’re reading this article. But no way are they going to switch to something different. I wrote about why that is yesterday: http://jet-computing.com/linux-deters-computer-viruses/

In short, don’t tell them that Windows is bad, don’t even talk about Windows. Just keep telling them: “Hey, I have this amazing desktop on my computer, you gotta try it out”. Hand over the laptop to them and let them do the Windows-bashing. When I converted my friend into a Linux user, all I did was show him my laptop. I never mentioned a word about Windows or Mac. The moment he saw it, he started ranting about Windows like a pissed-off sports fan.

If they get stuck

Rather than helping them, show them how to get help and support on Linux. Don’t let them rely on you to fix every problem on their desktop. Just give them a short tour of Ubuntu forums, IRC, and manuals and let them figure it out for themselves.

Don’t emphasize the “free” part

Don’t, and I say it again; don’t ever start your pitch with the “free” part. In fact, it would be better if you drop the whole thing out of the conversation. Sometimes, they’re so impressed by Linux that they eventually end up asking you about its cost. Just look at them casually and say “it’s free” and wait for their reaction.

Google Squashes Bugs

Google recently patched 32 vulnerabilities in Chrome, paying more than $14,000 in bug bounties as it also upgraded the stable edition of the browser to version 14.

The company called out a pair of developer-oriented additions to Chrome 14 and noted new support for Mac OS X 10.7, aka Lion, including full-screen mode and vanishing scrollbars.

Google last upgraded Chrome’s stable build in early August. Google produces an update about every six weeks, a practice that rival Mozilla also adopted with the debut of Firefox 5 last June.

Fifteen of the 32 vulnerabilities were rated “high,” the second-most-serious ranking in Google’s four-step scoring system, while 10 were pegged “medium” and the remaining seven were marked “low.”

None of the flaws were ranked “critical,” the category usually reserved for bugs that may allow an attacker to escape Chrome’s anti-exploit sandbox. Google has patched several critical bugs this year, the last time in April.

Six of the vulnerabilities rated high were identified as “use-after-free” bugs, a type of memory management flaw that can be exploited to inject attack code, while seven of the bugs ranked medium were “out-of-bounds” flaws, including a pair linked to foreign language character sets used in Cambodia and Tibet.

Google paid $14,337 in bounties to nine researchers, including $3,500 to “miaubiz” and $2,337 to Sergey Glazunov, another regular bug finder.

The company’s security team also credited others, including researchers who work for Microsoft and Apple, for “working with us in the development cycle and preventing bugs from ever reaching the stable channel.” Some of those researchers were also awarded bounties, but Google did not spell out the amounts of those awards.

As per its practice, Google barred access to the Chrome bug-tracking database for the 32 vulnerabilities to prevent outsiders from obtaining details on the flaws. The company only opens the database after users have had time to update the browser.

Google also added a pair of developer-only features to Chrome 14, including support for the Web Audio API (application programming interface) and for “native client,” an open-source technology that runs software written in C and C++ within Chrome’s security sandbox.

The Mac version of Chrome 14 also supports Lion’s new approach to scrollbars, which appear only when a user is actively scrolling through the browser window. Chrome 14 also now runs in Lion’s full-screen mode, triggered via the icon in the upper right of the browser or by pressing Ctrl-Command-F.

Chrome 14 can be downloaded for Windows, Mac OS X and Linux from Google’s Web site. Users already running the browser will be updated automatically.

Online Safety – 5 Secrets

In any given week, I get dozens of requests for help. The #1 question is typically this: “How do I protect myself online?” These days I’m getting that question in equal numbers from PC and Mac owners who are concerned about the best way to avoid being sucker-punched by social engineering attacks.

Many people think that security begins and ends with antivirus software. I disagree. Should you run antivirus software? As I’ve said before, if you don’t know the answer to that question, then the answer is yes.

So let’s stipulate that you’re running a well-supported, up-to-date security program—whether you use a PC or a Mac. What else do you need to do? In this post, I share the five steps I teach to friends, family members, and clients who want to avoid malware, scareware, phishing sites, and other online scams.

If you’ve been paying attention to the current threat landscape, much of the advice in this post will be familiar, even obvious. A lot of it is just common sense, but some is unconventional wisdom. Yes, of course you should expect to be attacked if you download porn or pirated software. But just staying out of bad online neighborhoods isn’t sufficient anymore.

These days, threats can come from unexpected places: Google (and Bing) search results, compromised websites, deceptive ads, seemingly innocent downloads. You don’t have to be doing anything out of the ordinary to inadvertently stumble across one of these potential threats.

If I had to summarize my guidance in a single sound bite, it would go something like this: Pay attention to your surroundings, don’t be stupid and don’t run around on the web with full administrative rights on your computer. Better yet, give Linux Mint a try http://jet-computing.com/linux/linux-mint/

Alright then, let’s break that down.

1. Don’t panic.

To borrow from a classic Monty Python sketch, the two … no, three chief weapons of online criminals are “fear and surprise…and ruthless efficiency.” Their goal is to appear when you don’t expect them and convince you to act hastily. Online criminals often play on fear (your PC or Mac is infected with malware!) or simple social engineering (try these smileys! oh, and you need this codec—fake, of course—to play an enticing video clip).

The antidote to Monty Python, of course, is Douglas Adams, for whom “Don’t panic” was the secret of successful intergalactic hitchhiking.

When in doubt, stop. Think. Ask for help. If you’re truly worried, pull the plug on your Internet connection temporarily until you can call a knowledgeable friend or drag the machine in to a specialist for a thorough diagnosis.

You should, of course, have a regular backup routine. Mechanical failures (a crashed hard drive or a dropped notebook) can be even more devastating than a malware attack. With Windows 7, you can use the built-in backup program to save an image backup on an external hard drive; you can do the same thing on a Mac using Time Machine. Restoring a full backup is easy, especially if the alternative is spending hours trying to track down a well-hidden infection.

And don’t be paranoid. I can’t count the number of times I’ve heard from otherwise smart people who break out all sorts of terrible tools—registry cleaners and system optimizers being the worst offenders—at the first sign of trouble. Those snake-oil programs, in my experience, tend to make the problem worse.

Drive-by downloads and other sneak attacks are, fortunately, extremely rare. Yes, they happen, but the overwhelming majority of attacks aim at vulnerabilities that have been patched months or even years earlier.

Bad guys prey on the weak, technically unsophisticated, and ill-informed who don’t update regularly. You really, really want to avoid being a part of that group. It’s easy:

  • If you use Windows, turn on Windows Update and set it to automatically download and install updates. Those updates include Windows components like Internet Explorer. If you use other Microsoft software (Office, Silverlight, Windows Live Essentials, and so on) enable Microsoft Update, which is available from the Windows Update configuration screen.

 

  • If you use OS X, turn on Apple Software Update and set it to automatically download and install updates.

 

And don’t overlook potential attacks from third-party software. On any platform, it is essential to regularly update not just the operating system and its components, but also any popular Internet-connected program. That means browsers like Chrome and Firefox, utilities like Adobe’s Flash and Reader, runtime environments like Java and Silverlight and Adobe AIR, and media players like iTunes and QuickTime (on Macs, the latter two programs are included with system updates).

To make the process a little easier, I enthusiastically recommend Ninite, which automatically updates third-party software using the same URL you use to install the originals. It keeps unwanted add-ons and third-party programs at bay, too.

 

Since I wrote that post, Ninite has introduced a new product, the Ninite Updater, which “alerts you when any of the 92 Ninite-supported apps become out of date. It doesn’t matter if your apps were installed with Ninite or not.”

Alas, this utility is not free. The single-user package is $10 per year, and a 5-PC family pack is $30 a year. But it might be worth it for the peace of mind.

Home users can find a free alternative in Secunia Personal Software Inspector (PSI). Although it’s nowhere near as comprehensive as Ninite’s offering, it’s a good way to cover the most important threats.

3. Learn how to make smart trust decisions.

As I mentioned at the beginning of this post, social engineering is the weapon of choice for online criminals these days. Attacks can take all sorts of forms, from conventional phishing e-mails to sophisticated and convincing malicious download sites. The best countermeasure? Education.

You’re asked to make trust decisions many times every day. Some of those decisions involve programs, people, and businesses with whom you have lots of experience already. But others involve complete strangers, and still others ask you to decide with only limited information.

Any time you open an e-mail message or visit a web page, you face a possible trust decision.

Should you trust the sender of an e-mail?

Spam is one of the primary vectors for phishing attacks and financial scams, but it’s also a way to lure unsuspecting PC and Mac users to sites that deliver malware.

Spam filtering services have become very effective and can do a credible first pass on your inbox. The better your spam filter, the more likely it will recognize a fraud that could have sucked you in.

Based on my recent experience, both Hotmail and Gmail use extremely accurate spam-blocking technology. If your e-mail provider can’t properly filter spam, consider forwarding your e-mail through a Hotmail or Gmail account.

And don’t overlook the client program you use. Microsoft’s flagship e-mail programs, Outlook and Windows Live Mail, display HTML-formatted messages differently when they are in the Junk folder.

Here’s a crude but unremarkable phishing message as it appears in the Outlook Inbox folder. An unsophisticated recipient might be tempted to overlook the bad grammar and click.

 

But in Outlook’s Junk E-Mail folder that same message is displayed in plain text, without graphics or HTML formatting. In addition, the hyperlinks show the actual target address in the message window. That turns the once-slightly-convincing message into a laughable mess, complete with bogus hidden text.

 

If the message appears to be from a friend or other known contact, it’s possible that the sending account was hijacked. If you have even the slightest doubt about the actual target of a link, don’t click it. That’s doubly true if it’s from a social network.
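What the Junk E-Mail view exposes (real link targets and text hidden by styling) can be reproduced with a short script. The Python below is an added example, not code from the original post; the sample message, the `mybank.example` and `account-verify.test` names and the `audit` function are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])", re.I)
HOSTLIKE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
VOID = {"br", "hr", "img", "input", "link", "meta"}  # tags with no closing tag


class PlainTextView(HTMLParser):
    """Renders HTML as plain text, writing each link's real target next to it."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.links, self.hidden = [], [], []
        self._stack = []      # one flag per open element: is it styled as hidden?
        self._href = None
        self._label = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a = dict(attrs)
        inherited = bool(self._stack and self._stack[-1])
        self._stack.append(inherited or bool(HIDDEN_STYLE.search(a.get("style") or "")))
        if tag == "a" and a.get("href"):
            self._href, self._label = a["href"], []

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._label).split()), self._href))
            self.text.append(f" <{self._href}>")   # show the actual target address
            self._href = None
        if self._stack:
            self._stack.pop()

    def handle_data(self, data):
        if self._stack and self._stack[-1] and data.strip():
            self.hidden.append(data.strip())       # invisible in the HTML rendering
        if self._href is not None:
            self._label.append(data)
        self.text.append(data)


def parse_target(href):
    """Return (userinfo name, host) a click would really use."""
    try:
        parts = urlsplit(href)
        return parts.username, (parts.hostname or "").lower()
    except ValueError:                             # malformed URL: no usable host
        return None, ""


def same_site(shown, target):
    return shown == target or target.endswith("." + shown) or shown.endswith("." + target)


def audit(html):
    """Return (plain-text rendering, list of findings) for one HTML message body."""
    view = PlainTextView()
    view.feed(html)
    view.close()
    findings = []
    for label, href in view.links:
        user, target = parse_target(href)
        if user is not None:                       # http://trusted-name@real-host/
            findings.append(("userinfo-in-url", user.lower(), target))
        shown = HOSTLIKE.search(label)
        if shown and target and not same_site(shown.group(1).lower(), target):
            findings.append(("link-mismatch", shown.group(1).lower(), target))
    findings += [("hidden-text", t, None) for t in view.hidden]
    return " ".join("".join(view.text).split()), findings


# Constructed sample message, not a real phishing e-mail.
SAMPLE = """<html><body>
<p>Dear costumer, you account is suspended.</p>
<p><a href="http://mybank.example.account-verify.test/login">https://www.mybank.example/login</a></p>
<p>Or <a href="http://www.mybank.example@203.0.113.7/x">click here</a>.</p>
<span style="font-size:0px">quarterly meeting notes weather recipe</span>
</body></html>"""

if __name__ == "__main__":
    plain, findings = audit(SAMPLE)
    print(plain)
    for finding in findings:
        print(finding)
```

The checks assume balanced tags and inline styles only; a message that hides text through a stylesheet or mismatched markup needs a full HTML renderer to analyze.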

Should you trust a web page?

When using a browser, you need to learn how to read the address bar, especially at two key decision points.

First, anytime you are asked to enter your login credentials, your Spidey sense should tingle. You need to be able to spot a website that is trying to masquerade as someone else. If you have any doubt that a login page is legitimate, close the browser window and open a new session by manually typing the domain name and navigating to a login page from there.

Both Internet Explorer and Chrome provide important information in the address bar, displaying the actual domain name in black and muting the rest of the address to a still-readable shade of gray. Here’s how it appears in Internet Explorer 9:

Second, learn how to identify a secure connection, where traffic is encrypted from end to end. Every modern browser displays visual cues (including a padlock icon) when you’re using a secure SSL connection. For sites that use Extended Validation certificates, you get additional feedback in the form of a green address bar, as shown here for Chrome.

The final online trust decision people make regularly is so important it deserves its own page…

4. Never install any software unless you’re certain it’s safe.

The biggest trust decision of all arises when you’re considering installing a new piece of software on a PC or a device. If you have any doubts about a software program, you should not install it. Period.

One great way to remain safe online is to set a high bar for software. You need solid, up-to-date information to help you decide whether a file is safe, unsafe, or suspicious. Then you need information about whether the program is reliable and useful, whether it’s compatible with other software you use, and whether it can be easily removed.

Here are the three key questions to ask about any program before clicking Yes on the installer:

Did it come from a trusted source?

It’s hard to believe that someone would actually say yes to a software installer that randomly appears when they visit a web page. But people do, which is why fake antivirus software is a thriving business. The simple act of clicking No—or forcibly closing an installer window if necessary—can save you hours of cleanup.

Is it signed with a valid digital signature?

In developing the SmartScreen technology used in Internet Explorer 9, Microsoft security researchers discovered a startling fact about the dangerous downloads they were blocking.

[T]he IE9 version of SmartScreen includes a new set of algorithms designed to test the reputation of this executable file. Has it been seen before? Is there anything about the file name or the domain that looks suspicious?

In fact, one of the most important questions to ask is this one: Is the executable file digitally signed? Microsoft’s researchers found that roughly 96% of all those red warnings are attached to unsigned, previously unseen files. The algorithm assumes that a file—signed or unsigned—is untrustworthy until it establishes a reputation. No domain or file gets a free pass—not even a new signed release from Microsoft or Google. Every file has to build a reputation.

In Windows, you can check for the presence of a digital signature by right-clicking a file and choosing Properties. Here, for example, is the digital signature information for the officially released Xvid codec installer; the rogue version doesn’t have a digital signature.

 

A digital signature doesn’t mean a file is safe. It does, however, mean that you have important information, and a chain of trust, about the person or company who created the file. A digital signature also guarantees that the file hasn’t been tampered with since it was signed.

In some cases, you might be willing to trust an unsigned file. You should only do so if you are confident that it is exactly what it claims to be and nothing more.

What does the security community say about the download?

If running a questionable program through one antivirus scanner is good, then checking with 43 separate scanners must be, well, 43 times as effective. That’s the theory behind Virustotal (VT), a free and independent web-based service. In a matter of minutes, you can upload a questionable file and have it checked by a large cross-section of scanning engines using up-to-date definitions.

Here’s what a Virustotal report looks like:

 

One detail worth looking for when you submit a program is whether it’s been analyzed by VT before. If the executable file you’re analyzing is a well-known, established program, you can bet it’s been examined already. Here, for example, is what I saw when I submitted a signed Xvid codec installer, obtained from a well-known and trusted site:

If you’re uncertain about a file, one option is to set it aside for 48 hours and then resubmit it to Virustotal. That’s usually enough time for antivirus engines to identify a new strain of malware and add it to their definition files.

5. Be smart with passwords.

Has your favorite website been hacked lately? These days, it might be easier to make a list of the high-profile web sites that haven’t been broken into.

Thanks to LulzSec and Anonymous, millions of people have had the dubious pleasure of seeing their usernames and passwords posted publicly on the Internet. Last month, LulzSec snagged more than 1 million accounts from Sony Music and Sony Pictures servers. The usernames, passwords, and personal details stored there were posted on the Internet for anyone to see.

You might not be too concerned that someone can log on to your Sony account and pretend to be you. But what if someone goes to Google Mail or Hotmail and tries your email address and that same password? If you used the same password as the one on your Sony account, the bad guys are in. They can send and receive messages that appear to come from you. They can download your email archives, which can include correspondence from your bank and from online shopping sites like Amazon.com. In a very short period of time, they can do a very large amount of damage.

Repeat after me: Never use the same password in multiple places, and be especially vigilant with passwords for e-mail accounts.

It’s a royal pain to create and remember unique, hard-to-guess passwords, but that is nothing compared to the misery you will experience if a determined thief starts messing with your identity and your finances.

Sadly, an awful lot of people reuse passwords, as software architect and Microsoft MVP Troy Hunt found when he grabbed those leaked Sony files, extracted 37,000+ pairs of usernames and passwords, and did some quick analysis. The entire analysis is a good read, but I zeroed in on this part:

When an entire database is compromised and all the passwords are just sitting there in plain text, the only thing saving customers of the service is their password uniqueness. Forget about rainbow tables and brute force – we’ll come back to that – the one thing which stops the problem becoming any worse for them is that it’s the only place those credentials appear. Of course we know that both from the findings above and many other online examples, password reuse is the norm rather than the exception.

Hunt compared the contents of the hacked Sony database with identical addresses from the Gawker breach of last year and found that two-thirds of the addresses on both lists used the same password. This ratio doesn’t surprise me, and I suspect it might even be a little low.

If you’re guilty of this offense, it might seem overwhelming to try to fix your entire collection of passwords at once. So start small, by creating new, unique, hard-to-guess passwords for your e-mail and bank accounts.

What makes a good password?

  • It’s at least 8 characters long, preferably 14 characters or more.
  • It is not a word that can be found in any dictionary or list of common names.
  • It uses at least three of the four available character types: capital letters, lower-case letters, numbers, and symbols (such as punctuation).
  • It’s easy for you to remember and difficult or impossible for someone else to guess.

And one more tip: if you anticipate that you will be entering a password regularly on a handheld device, consider how the virtual keyboard on that device works. Instead of a password like Rh1ZJk#U, consider grouping the different types of characters together for quicker input: RZUUJ1hk#.
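The rules in the list above and the handheld tip can be turned into a small checker and generator. This is an added example, not code from the original post: the word list is a constructed stand-in for a real dictionary, and the typing order used for grouping and the estimate of what grouping costs are assumptions of the example.

```python
import math
import secrets
import string
from collections import Counter

# Constructed stand-in for a real dictionary / common-names list.
SAMPLE_WORDLIST = {"password", "dragon", "monkey", "jennifer", "letmein", "sunshine"}
ALPHANUMERIC = string.ascii_letters + string.digits  # a-z, A-Z, 0-9
TYPING_ORDER = ("upper", "lower", "digit", "symbol")  # assumed grouping order


def char_class(ch):
    """Classify one character into the four types the list names."""
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    if ch.isdigit():
        return "digit"
    return "symbol"


def check_password(password, wordlist=SAMPLE_WORDLIST):
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if password.lower() in wordlist:
        problems.append("dictionary word or common name")
    if len({char_class(ch) for ch in password}) < 3:
        problems.append("fewer than three character types")
    return problems


def generate_password(length=14, alphabet=ALPHANUMERIC):
    """Draw from the OS CSPRNG until a candidate passes check_password."""
    if length < 8:
        raise ValueError("length must be at least 8")
    if len({char_class(ch) for ch in alphabet}) < 3:
        raise ValueError("alphabet must offer at least three character types")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


def group_for_handheld(password):
    """Reorder so each character type is typed in one run (stable within a type)."""
    return "".join(sorted(password, key=lambda ch: TYPING_ORDER.index(char_class(ch))))


def grouping_cost_bits(password):
    """Bits of ordering information given up by grouping.

    For fixed per-type counts there are n! / (n_upper! n_lower! n_digit! n_symbol!)
    ways to interleave the types; grouping always uses the same one.
    """
    counts = Counter(char_class(ch) for ch in password)
    arrangements = math.factorial(len(password))
    for n in counts.values():
        arrangements //= math.factorial(n)
    return math.log2(arrangements)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, group_for_handheld(pw), round(grouping_cost_bits(pw), 1))
```

Grouping makes entry faster but removes the interleaving of character types as something an attacker has to guess, so a grouped password is best made a few characters longer.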

The best way to create and manage strong, unique passwords is with the help of a utility tailor-made for that job. To start, I visit https://www.grc.com/passwords.htm and pick an 8-character block from the 63 random alpha-numeric characters (a-z, A-Z, 0-9) block.

Then, to manage them, I use a free program called KeePass: http://keepass.info/

What is KeePass?
Today you need to remember many passwords. You need a password for the Windows network logon, your e-mail account, your website’s FTP password, online passwords (like website member account), etc. etc. etc. The list is endless. Also, you should use different passwords for each account. Because if you use only one password everywhere and someone gets this password you have a problem… A serious problem. The thief would have access to your e-mail account, website, etc. Unimaginable.

KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). For more information, see the features page.

Is it really free?
Yes, KeePass is really free, and more than that: it is open source (OSI certified). You can have a look at its full source and check whether the encryption algorithms are implemented correctly.

Your Computer Appears to Be Infected

Google has begun warning more than a million Internet users that their computers are infected with a malicious program that hijacks search results and tries to scare users into purchasing fake antivirus software.

Google security engineer Damian Menscher said he discovered the monster network of hacked machines while conducting routine maintenance at a Google data center. Menscher said when Google takes a data center off-line, search traffic directed to that center is temporarily stopped. Unexpectedly, Menscher found that a data center recently taken off-line was still receiving thousands of requests per second.

Menscher dug further and discovered the source of the traffic: more than a million Microsoft Windows machines were infected with a strain of malware designed to hijack results when users search for keywords at Google.com and other major search engines. Ironically, the traffic wasn’t search traffic at all: The malware instructed host PCs to periodically ping a specific Google Internet address to check whether the systems were online.

Menscher said the malware apparently arrives on victim desktops as fake antivirus or “scareware” programs that use misleading warnings about security threats to trick people into purchasing worthless security software. He suspects that the fake AV program either ships with or later downloads the search hijacker component.

The malware intercepts traffic destined for high profile domains like google.com, yahoo.com and bing.com, and routes it through intermediate hosts or “proxies” controlled by the attackers. The proxies are used to modify the search results that a victim sees for any given search term, and to redirect traffic to pay-per-click schemes that pay for traffic to specific Web sites.

Fortunately, the traffic generated by the malware has a unique “signature” that Google is able to use to alert victims. Google is placing a prominent notification at the top of victims’ Google search results; it includes links to resources to help remove the infection.

Google should be applauded for alerting users, but the hard work will be in the cleanup: Search hijackers are notorious for blocking users from visiting antivirus Web sites or other popular sources of malware removal tools.
Here is the link with explanation: http://www.google.com/support/websearch/bin/answer.py?answer=1182191

A warning appears at the top of the search results page when we believe that the computer you’re using is infected with malicious software, also known as “malware.” Malware can be used to intercept your computer’s connection to Google and other sites. When Google’s system detects that a connection has been intercepted, it’s likely that the computer was previously infected with malicious software.

An infected computer can result in deleted data, stolen personal information, and a slower connection to many websites. We showed you the warning so that you can scan your computer and take any necessary action to protect yourself.

I understand how the link on Google’s warning essentially goes against all the things we’ve been taught to ignore online. It may not be a pop-up, but it’s also not something we went looking for. However, if I saw the warning, knowing that it’s not wise to click anything, I might be more prone to run my anti-virus or go to a security site to see if I could find anything on it. Naturally, having the warning on a Google search page would make me leery of searching for the information on that page.

The other thing we have to remember – is that these users are most likely ones that don’t know to not click on things. They’ll happily click it – and, for a change, be directed to something that will help them. Now yes, this can start to be spoofed and lead to bad things too – but again, remember, these people are already clicking links they’re told to… they’re going to be infected regardless. So what’s wrong with actually getting them to click something that will actually help them for a change?

Honestly, I think more of these types of things should be done. Users need to be better educated and learn how to protect themselves online. However, it’s nice to see others trying to make the internet safer instead of leaving all the responsibility on the user (who in most cases doesn’t even know the basics when it comes to online security).

While I’m grateful to Google for making the effort, the malware I’ve seen causing Google search redirections is _not_ simple to remove. Suggesting to users that they can just download a tool and get rid of it is doing them a disservice.

Despite Google’s intent, I have to side with the argument for consistency in dealing with my users. I have invested a lot of time and energy in getting them to not click links that appear to promise to solve problems–especially problems that are not apparent or that users might not understand.

So, I have just sent a notice to all users on my list that, should they see the Google alert message, they should NOT click the link, but close the browser and then call for IT help. And there is no telling how quickly the scareware writers will mimic Google’s message, with their own destination to other malware embedded in the learn-how-to-fix-this link.

Everyone who gets this warning also needs to be aware that every password they’ve typed since infection now belongs to the criminals – e-mail, banking, etc. If Google has to inform users that they’re infected, what do you think the odds are that they have clean, restorable backups?

The ONLY way to guarantee that all bots are eliminated is to re-install the OS and apps from scratch. Take time to think about what you are doing and what can go wrong. Be particularly careful not to infect other systems or flash drives as you work.

Back up important data files. Make a drive image which can be searched for data files you forgot to back up. In general, do not recover old program files. Be sure to bring up the new system behind a hardware firewall / router until you get your security patches in place.

Allow me to repeat for emphasis the fact that: A FULL OS RE-INSTALL IS REQUIRED TO RECOVER FROM MODERN MALWARE and as I know very well, OS re-installs can be confusing and tedious. No, there is no easy way around this.

While the Microsoft Malicious Software Removal Tool has “removal” right up there in the title, and older malware might be removed, expecting that is a bad bet. Many or even most modern malwares simply cannot be “removed” in the sense of returning the original computer state. Once a bot is in place, it can modify any file, and there is no way to know what has been done, so there is no way to reverse it.

It’s usually some variation of the TDL4 bootkit/rootkit, and careless attempts to clean it up can leave a computer unbootable or result in irretrievable data loss. I’ve never yet seen a PC with this infection have just _one_ malware kit installed either, since they generally keep downloading botnet components.

The correct response to malware is to re-install the OS and apps. Remember that the malware in question is malicious because it modifies search results returned by Google. So we can assume that it has 100% control over the DOM presented by Google. In fact, it wouldn’t surprise me if the malware gets an “update” to simply hide this message.

Stay safe!

Microsoft Office XP support retired

Just in case you misread the title, I’m talking about Office XP here and not Windows XP; this specifically pertains to the Microsoft Office suite of software. Are you a Microsoft Office XP user? If you are, you should be concerned because Microsoft has announced that they will not update or support Office XP anymore starting this week. Office XP was released 10 years ago, and its support will end on July 12, 2011.

When something goes from “mainstream support” to “extended support” at Microsoft, that essentially means Microsoft will continue to support enterprises that use the product; in other words, business-only support and not consumer support. Most Microsoft products are supported for only 10 years after release. The first five years are called mainstream support, and the other five years are called extended support. Microsoft’s reason for ending support and updates for an older product is that its user base shrinks as newer Microsoft products are released and attract a lot of users. Microsoft has provided support, security updates and patches for 10 years. The last update was in December 2010.

Office XP, which is the version before Office 2003, has been in extended support for the last 5 years, but as of next week will not be. That means no more support from Microsoft on that particular product even for enterprise.

It’s highly doubtful you use Office XP at home, but there may be some poor souls out there still using that decade-old version of Office at work. Sure, it gets the job done, but don’t expect any support from Microsoft on it after this week. Support for Microsoft Office 2003 will end on April 8, 2014, for Microsoft Office 2007 on April 11, 2017, and for Microsoft Office 2010 on October 13, 2020.

So if you do in fact use Office XP at home, then perhaps you should think about switching, by purchasing a new copy of Office 2010, or trying LibreOffice or OpenOffice for free. I posted an MS Office 2010 features and pricing matrix for your review along with some screenshots of both LibreOffice and OpenOffice.

Here at the office, I do not use MS Office anymore. I use a combination of Google Calendar and Gmail and LibreOffice for my work.

Google Chrome at 20%

Google Chrome’s rise in popularity has been remarkably fast and it has just hit a new milestone. Chrome now accounts for more than 20 percent of all browser usage, according to StatCounter. Net Applications has Chrome cracking 13 percent. Either way, Chrome is growing fast versus IE and Firefox.

Chrome rose from only 2.8% in June 2009 to 20.7% worldwide in June 2011, while Microsoft’s Internet Explorer fell from 59% to 44% in the same time frame. Firefox dropped only slightly in the past two years, from 30% to 28%.

Most Internet researchers agree that Google’s Chrome Web browser is steadily gaining market share at the expense of established rivals, Microsoft Internet Explorer and Mozilla Firefox.

Two top browser researchers disagree on just how much market share Chrome has worldwide. StatCounter said Google claimed 20.7 percent browser share for June, up from 2.8 percent a year ago. Net Applications claimed Chrome actually corralled 13.1 percent, up from 12.5 percent through May.

More broadly, StatCounter said Firefox is next in line to be passed by Chrome at 28.3 percent, with IE at 43.6 percent. On the (much) lower end of the scale, Safari is at 5 percent, with Opera claiming 1.7 percent through the month. Net Applications meanwhile has IE at 53.7 percent, Firefox at 21.7 percent, Safari at 7.5 percent and Opera at the same 1.7 percent. While there is a wide differential between both firms’ figures, it’s clear Chrome is gaining share and momentum.

From Google Chrome officials’ own lips at Google I/O in May, Chrome had racked up more than 160 million users, up from 120 million in December. If that trend holds true, Chrome should crack the 200 million mark in October. One guess based on StatCounter’s stats is that Chrome could pass Firefox this November and IE by June 2012. Assuming Chrome’s ascent continues at its average growth rate over the past six months (consider that it took Chrome only two years to hit 10 percent share), Chrome could even hit 50 percent share by November 2012.

Chrome first hit 10% in August 2010 and was still at 19% in May before surpassing 20% in June. If Chrome’s numbers seem a bit high that’s because StatCounter’s method of tracking highlights Google’s strength: attracting power users. Net Applications, another usage tracker, shows Chrome rising fast as well, up to more than 13% usage compared to Microsoft’s 54% and Firefox’s 22%.

“It is a superb achievement by Google to go from under 3% two years ago to over 20% today,” StatCounter CEO Aodhan Cullen said in a press release. “While Google has been highly effective in getting Chrome downloaded the real test is actual browser usage which our stats measure.”

But the groups count differently. While Net Applications tracks a browser’s total number of users, StatCounter measures the total number of website clicks. That means a Chrome user who surfs the Web more often than an Internet Explorer user has more weight in the StatCounter ranking. The discrepancy between the two groups’ findings suggests that users who spend the most time online have switched from Internet Explorer to Chrome or Firefox. There are many reasons for Chrome’s upswing, among them accelerated release cycles, which mean Google is putting snazzy new features that other browsers lack in front of users faster. Case in point: the Chrome Speech capabilities to enable voice search on the desktop.

Advertising and marketing for the Chrome browser and the Chrome Operating System have also been playing their parts in the growth. Google last year began advertising Chrome on ESPN.com, the New York Times and other high-profile Websites for a year. In May, Google began pushing Chrome as the center of users’ life experiences, planting a marketing seed for Chrome OS notebooks.

The first Samsung Series 5 Chromebook launched June 15, though it’s unclear how many Series 5 units Samsung sold through Amazon.com and Best Buy online. Google has now made Series 5 Chromebooks available for flights as well. Virgin America is maintaining its reputation as the darling airline of the tech sector, and today it announced a new partnership with Google that will give travelers the option to test Google’s Chromebooks in flight beginning tomorrow.

The promotion will last until September 30, and passengers will be able to check out a Chromebook at their departure gate and use it freely with Gogo in-flight Internet on their whole flight. In addition to the currently available Chrome apps, Virgin America has co-developed a special Chrome app with Google that includes discussion boards about Virgin America’s trip destinations, city guides based upon data from UrbanDaddy, and information about packing and travel planning. The app will be available in the Chrome Web Store later this month.

Chrome’s rise has been most pronounced in South America where it is the second-most used browser ahead of Firefox and behind Internet Explorer. In the United States, “Chrome has risen to 16% behind market leader IE on 46.5% and Firefox on 24.7%,” StatCounter said. StatCounter measures 15 billion page views per month, including 4 billion from the United States across a network of more than three million websites. Data from Net Applications, which tracks unique visitors to 40,000 websites, show that IE usage dropped from 60.5% in August 2010 to 53.7% in June 2011, while Chrome rose from 7.5% to 13.1% in the same period.

Net Applications also tracks usage of mobile devices, and has found that more than 5% of all Web browsing is now occurring from smart-phones and tablets. The trend toward mobile browsing is even more pronounced in the U.S., where 8.2% of all browsing takes place on mobile devices. Of that, 2.9% of U.S. Web browsing comes on the iPhone, 2.6% on Android devices, and 2.1% on the iPad with BlackBerry next at 0.57%.

That means Apple’s iOS accounts for 5% of U.S. Web browsing, making it the most popular mobile platform.

 

Google Chromebook shipping next week

Google is unveiling the Chromebook this week – a laptop that runs on Chrome OS. The Chrome OS is a cloud based operating system which means that all your data (or most of it) will be stored on a remote server rather than on the local hard drive. Another way of saying it is you can literally rip apart and destroy your Chromebook (assuming you have deep pockets) and still get a good night’s sleep because your data is safely backed up somewhere on the net.

“Google Chrome OS is designed around the concept of “expendable” terminals that you can lose, drop or simply throw away without fear of losing your data, which is safely stored into the cloud. However, one thing is certain, with all your data being available into the cloud, in one place, available 24/7 through a fast internet link, this will be a goldmine for cyber-criminals. All that is necessary here is to get hold of the authentication tokens required to access the cloud account.”

http://chrome.blogspot.com/

The following are some of the advantages of Chromebook as touted by Google.

  • Boots in 8 seconds flat.
  • Full support for Adobe Flash and the latest web standards.
  • Share your Chromebook with friends and family without giving them access to your email and personal data.
  • Automatic OS updates provided seamlessly over the net.
  • Secure out of the box – Providing multiple layers of protection, including sandboxing, data encryption, and verified boot.
  • 3G and WiFi support.
  • The Chromebook is a computer designed to work with Chrome OS
  • The boot process verifies your Chrome OS install ensuring that it is not tampered with and thus free of viruses and other malware. If there is any tampering, the system is repaired automatically
  • The Chromebook runs Chrome OS
  • Chrome OS is a Linux-based OS that is optimized to run ONLY the Google Chrome browser
  • Chrome OS does not have any applications installed on it other than the Chrome browser
  • One cannot install traditional Windows, Mac OSX, or even Linux apps on Chrome OS
  • All your work needs to be done online using tools such as Google Docs (office applications), Picnik (image editing), GMail (email), etc.
  • One can install web apps from the Google Chrome Web Store (now including the popular Angry Birds)
  • Chrome OS is stateless, i.e., since all your operations are performed in the cloud, your netbook itself stores nothing. You can discard it, log in from another device and have the same experience.
  • Chrome OS keeps up to date automatically
  • Chrome OS keeps your data encrypted so even if your device gets lost, your data is safe

Google has brought in Samsung and Acer to market the first set of Chromebooks.

If the price is right, this could be an exciting proposition for anyone. In fact, Google says it will offer Chromebooks to the student community for a monthly fee of $20 per student and for the business community for a monthly price of $28 per user, which is exciting if this price also includes a data plan.

For the rest of us, the Samsung Series 5 Chromebook is set to cost US$429, while the Acer Chromebook would cost US$349 for the Wi-Fi version. The 3G version would be slightly more expensive at US$499 and will be sold by Best Buy and Amazon in the US starting June 15.

“Both hardware- and software-wise, [Chromebooks] are nothing special: You can download Chrome OS’s open source brother, Chromium OS, for free — and at around $400 for a Chromebook, you would certainly expect some better hardware than what Samsung and Acer are offering. In fact, for around $300 you can get a cheaper and more powerful netbook with Windows 7 pre-installed — and it only takes about 30 minutes to wipe Windows and install Chrome OS yourself.”

If you can install your own OS, then (1) you are smart enough to install a regular Linux distro, and (2) you probably like to install your own stuff, so Chrome is not the best option for you. Except, maybe, if you want to give the net-book to someone else.

Google’s Sundar Pichai noted at the Google I/O Day 2 keynote that the company’s most important products – Gmail, Calendar and Docs will be receiving offline support in the near future. That pretty much means this summer. Google had said that the feature was set to debut this past spring but the project has been delayed for some reason.

The keynote was every bit as news-heavy and action-packed as the first day keynote: Google also unveiled some Chrome OS upgrades that give users more control over locally stored files, along with announcing several key HTML5-related updates to its Chrome browser. But the announcement that got some of the biggest cheers was this one: Angry Birds will become available as a desktop app in the Chrome Web Store!

The Samsung Chrome OS laptop will have a 12.1 inch display, “all-day” battery usage, Wi-Fi and an option for Verizon 3G service. The Wi-Fi only version will cost $429, while the 3G version will go for $499. The Acer Chrome Book will have an 11.6-inch screen and Wi-Fi, and will sell for “$349 and up.”

Google’s slogan for the Chromebooks is “Chromebook: Nothing but the web.” The argument behind it is this: The Chromebook is almost completely an internet device. If you can do your work and access your content on the web, you don’t need the virus updates, slow local services, and endless startup process that can plague a conventional PC.

But Google clearly knows that asking users to give up the security of a local hard drive and conventional desktop software is a hard sell. So it tried to make businesses a particularly compelling offer.

Google wants businesses to use the new Chromebooks to quickly and inexpensively update their laptops to run a modern OS. Google says half of all company-owned PCs in America still run Windows XP.

To make the Chromebooks fit in better in the office, Google is working on a “Chrome Box”, a flat square box that connects Chromebooks to large monitors and company file systems.

Google says it is offering businesses the Chromebooks, the Chrome Box, full support, full warranty service and automatic end-of-life equipment replacement at a price of $28 per month per user.

$336/yr or $1008 over 3yrs (typical corporate lifespan of laptop) isn’t bad if (BIG IF) the helpdesk/support link can be removed from the loop.

In short, Google is seriously upping the ante in its challenge to Microsoft in the workplace. It’s already making inroads with its Google Docs cloud-based productivity apps, but now it has dramatically sweetened its offer to provide the OS and even the hardware, too. At this price, Google’s offer could be very attractive to many businesses.

A similar offer is being extended to education, but the price per month per user for schools is only $20.

Improvements to OS

The biggest problem with the Chrome OS to date is that it’s been so completely about the web that you really miss being able to do things like download and install apps or play music or video content on the local hard drive. You just couldn’t do that in the first iteration of Chrome OS.

Knowing this, Google appears to have made some real-world concessions in response to the problem. It has added a file manager, where you can store music and video files you’ve downloaded. There’s also a new media player in the OS that you can use to play the content. This alone makes me want to give Chrome OS another chance.

Google says the OS will stream content from Hulu and Netflix and the new media manager will plug into the new Google Music Beta and Google Movies services. The OS handles photos better now too. Users can now plug in a camera to the Chromebook, move photos from the camera, then store them in the cloud.

Chrome Browser Improvements

Google recently announced several cool new HTML5 tricks for its Chrome browser. Google has been a strong proponent of HTML5, which it says developers can use to develop one version of a Website or service that will have advanced capabilities, and most importantly, work on “all modern browsers.”

Google has built some impressive APIs for the Chrome browser that will help developers create cool web pages faster. For instance, developers can use a Google API to build voice recognition into their apps. Google says it has also improved the hardware acceleration of its browser, which revs up the graphics card in the PC to render highly dense, colorful animated graphics.

Chrome Web Store

Google also made several announcements about its Web App Store, where Chrome users can grab apps to run in the Chrome browser. Google says that people spend twice as much time in Chrome apps compared with apps on other platforms, and make two and a half times more purchases within the apps.

When the guy who made Angry Birds took the stage here it was clear that the popular game had come to the desktop as a Chrome App. Huge applause. Developers, it appears, love Angry Birds too. (It occurred to me that employers everywhere should mourn the time and productivity that just went out the window with the announcement of a desktop-based game as addictive as Angry Birds.)

The only thing developers love more: Keeping as much money as possible from the sale of their apps. Google got uproarious applause with the announcement that it will take only a 5 percent flat commission on each app sold by a developer at the Web Store. Apple, by contrast, takes a 30 percent commission on app sales.

With the news that Chromebooks will be available to the public on June 15, there is some pressure here for the company to deliver on that promise. The fact that they have already announced when Chrome OS will be available ups the ante for whatever team is working to bring this feature to the masses.

Let’s hope this becomes a winner.

Gmail – LinkedIn Assault

Google warned on Wednesday that hackers were launching targeted phishing attacks against hundreds of Gmail account users, including senior U.S. government officials, Chinese political activists, military personnel and journalists. That story, as related in a post on the Official Google Blog, was retold in hundreds of media outlets today as the latest example of Chinese cyber espionage: The lead story in the print edition of The Wall Street Journal today was, “Google: China Hacked Email.”

The fact that hackers are launching extremely sophisticated email attacks that appear to trace back to China makes for great headlines, but it isn’t exactly news. I’m surprised by how few media outlets took the time to explain the mechanics behind these targeted attacks, because they offer valuable insight into why people who really ought to know better keep falling for them. A more complete accounting of the attacks may give regular Internet users a better sense of the caliber of scams that are likely to target them somewhere down the road.

Google said “the goal of this effort seems to have been to monitor the contents of targeted users’ emails, with the perpetrators apparently using stolen passwords to change peoples’ forwarding and delegation settings. (Gmail enables you to forward your emails automatically, as well as grant others access to your account.)”

This statement freaked me out a little bit. When was the last time you checked whether your email forwarding settings had been modified? If you’re like me, probably never. This might be the most useful aspect of the Google disclosure, and it contains a few helpful pointers about how to check those settings in Gmail. Google also took this opportunity to remind users about the value of enabling 2-step verification, a security precaution.
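The check described above can also be run over exported account settings rather than by eye. This is an added example, not code from the original post or from Google: the input dictionaries are constructed samples shaped like the Gmail API's settings resources (auto-forwarding, forwarding addresses, delegates, filters), and the trusted-address list and `.example` addresses are assumptions.

```python
def _norm(address):
    """Compare addresses case-insensitively and without stray whitespace."""
    return (address or "").strip().lower()


def audit_mail_settings(settings, trusted):
    """Return (kind, address, detail) for every setting that sends mail, or
    grants mailbox access, to an address outside the trusted set."""
    trusted = {_norm(a) for a in trusted}
    findings = []

    # Account-wide forwarding: every incoming message is copied out.
    fwd = settings.get("autoForwarding", {})
    if fwd.get("enabled") and _norm(fwd.get("emailAddress")) not in trusted:
        findings.append(("auto-forwarding", fwd.get("emailAddress", ""),
                         "all incoming mail is copied to this address"))

    # Registered forwarding targets: usable by filters even when
    # account-wide forwarding is switched off.
    for entry in settings.get("forwardingAddresses", []):
        addr = entry.get("forwardingEmail", "")
        if _norm(addr) not in trusted:
            findings.append(("forwarding-address", addr,
                             "registered target, status %s"
                             % entry.get("verificationStatus", "unknown")))

    # Delegates can read and send mail as the account owner.
    for entry in settings.get("delegates", []):
        addr = entry.get("delegateEmail", "")
        active = entry.get("verificationStatus") in ("accepted", "pending")
        if active and _norm(addr) not in trusted:
            findings.append(("delegate", addr, "can access the mailbox"))

    # Filters that forward only matching mail are easy to overlook.
    for entry in settings.get("filters", []):
        target = entry.get("action", {}).get("forward")
        if target and _norm(target) not in trusted:
            findings.append(("filter-forward", target,
                             "filter %s forwards matching mail"
                             % entry.get("id", "?")))
    return findings


# Constructed sample: account-wide forwarding is off, yet mail still leaves
# through a filter, and an unexpected delegate has access.
SAMPLE_SETTINGS = {
    "autoForwarding": {"enabled": False},
    "forwardingAddresses": [
        {"forwardingEmail": "Relay@mailbox.example", "verificationStatus": "accepted"},
    ],
    "delegates": [
        {"delegateEmail": "assistant@corp.example", "verificationStatus": "accepted"},
        {"delegateEmail": "helper@mailbox.example", "verificationStatus": "accepted"},
    ],
    "filters": [
        {"id": "constructed-1", "criteria": {"from": "bank.example"},
         "action": {"forward": "relay@mailbox.example", "removeLabelIds": ["INBOX"]}},
        {"id": "constructed-2", "criteria": {"subject": "newsletter"},
         "action": {"addLabelIds": ["STARRED"]}},
    ],
}
TRUSTED = ["assistant@corp.example"]

if __name__ == "__main__":
    for kind, address, detail in audit_mail_settings(SAMPLE_SETTINGS, TRUSTED):
        print("%-18s %-26s %s" % (kind, address, detail))
```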

To my mind, the most valuable content in the Google Blog entry is a footnote that points to the Contagio Malware Dump blog, an incredibly detailed and insightful (if slightly dangerous) resource for information on targeted attacks. It’s worth noting that Google relied on Contagio to reconstruct how the attacks took place, and the author, blogger Mila Parkour, first wrote about these attacks almost four months ago.

Most of the targeted email attacks chronicled on Parkour’s blog involve poisoned file attachments that exploit zero-day software flaws in programs like Adobe Flash or Microsoft Word. This campaign also encouraged people to click a link to download a file, but the file was instead an HTML page that mimicked Gmail’s login page. The scam page also was custom-coded to fill in the target’s Gmail username. Contagiodump has a proof-of-concept page available that shows the exact attack, except populated with “JDoe” in the username field.

Parkour also published an informative graphic highlighting the differences between the fake Google login page and the legitimate page at https://mail.google.com.

Some readers may think they’re not important enough to warrant targeted phishing attacks such as these, but the truth is that such phishing attacks can be automated quite easily. I’d be willing to bet that it won’t be long before more traditional, financially-motivated cyber crooks start incorporating these techniques in their scam emails.

Along these lines comes a blog post today from security vendor Trusteer, which warned that scam artists are once again using cleverly disguised LinkedIn invites to foist password-stealing malicious software. Trusteer said this latest attack started with a simple connect request via email that was made to look like it came from another user of the social networking service. Users who click the link are redirected to a site in Russia outfitted with a version of the Blackhole Exploit Pack, which tries to silently install a copy of the ZeuS trojan by heaving a kitchen sink full of browser exploits at visitors.

The image below, taken from Trusteer’s blog, shows the booby-trapped LinkedIn request on the top; the image below is what a legitimate LinkedIn request looks like. Would you have been able to tell them apart?

Here are a few simple tips that can help you avoid becoming the next victim of these attack methods:

  • Keep your software up-to-date. Legitimate, high-traffic Web sites get hacked all the time and seeded with exploit kits. Take advantage of programs like Secunia’s Personal Software Inspector or Filehippo’s Update Checker to stay abreast of the latest security updates.
  • Be extremely judicious about clicking links in emails. Try to avoid responding to invites by clicking links in emails. I notice that Twitter has now started sending emails when someone re-tweets your posts: Avoid clicking on those as well. It’s safest to manage these accounts by visiting the sites manually, preferably using a bookmark as opposed to typing these site names into a browser address bar.
  • Pay close attention to what’s in the address bar: Checking this area can prevent many email-based attacks. Staying vigilant here can also block far more stealthy attacks, such as tabnabbing.
  • Consider using an email client, such as Mozilla’s Thunderbird, to handle your messages. It’s a good idea to have emails displayed in plain text instead of allowing HTML code to be displayed in emails by default.

 
